Debian Bug report logs - #1051724
zbar: CVE-2023-40889 CVE-2023-40890

Package: src:zbar; Maintainer for src:zbar is Boyuan Yang <byang@debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 11 Sep 2023 19:18:01 UTC

Severity: important

Tags: security, upstream


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Boyuan Yang <byang@debian.org>:
Bug#1051724; Package src:zbar. (Mon, 11 Sep 2023 19:18:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Boyuan Yang <byang@debian.org>. (Mon, 11 Sep 2023 19:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: zbar: CVE-2023-40889 CVE-2023-40890
Date: Mon, 11 Sep 2023 21:15:17 +0200
Source: zbar
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for zbar.

CVE-2023-40889[0]:
| A heap-based buffer overflow exists in the qr_reader_match_centers
| function of ZBar 0.23.90. Specially crafted QR codes may lead to
| information disclosure and/or arbitrary code execution. To trigger
| this vulnerability, an attacker can digitally input the malicious QR
| code, or prepare it to be physically scanned by the vulnerable
| scanner.

https://hackmd.io/@cspl/B1ZkFZv23

CVE-2023-40890[1]:
| A stack-based buffer overflow vulnerability exists in the
| lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes
| may lead to information disclosure and/or arbitrary code execution.
| To trigger this vulnerability, an attacker can digitally input the
| malicious QR code, or prepare it to be physically scanned by the
| vulnerable scanner.

https://hackmd.io/@cspl/H1PxPAUnn

It is unclear if these were reported upstream; could you please sync
up with them?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40889
    https://www.cve.org/CVERecord?id=CVE-2023-40889
[1] https://security-tracker.debian.org/tracker/CVE-2023-40890
    https://www.cve.org/CVERecord?id=CVE-2023-40890

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Sep 2023 19:33:04 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 12 17:51:52 2023; Machine Name: bembo