Source: libstb
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for libstb.

CVE-2023-45661[0]:
| stb_image is a single file MIT licensed library for processing
| images. A crafted image file may trigger out of bounds memcpy read
| in `stbi__gif_load_next`. This happens because two_back points to a
| memory address lower than the start of the buffer out. This issue
| may be used to leak internal memory allocation information.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 1)
https://github.com/nothings/stb/issues/1538
https://github.com/nothings/stb/pull/1539

CVE-2023-45662[1]:
| stb_image is a single file MIT licensed library for processing
| images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and
| `req_comp` is set to a number that doesn’t match the real number of
| components per pixel, the library attempts to flip the image
| vertically. A crafted image file can trigger `memcpy` out-of-bounds
| read because `bytes_per_pixel` used to calculate `bytes_per_row`
| doesn’t match the real image array dimensions.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 2)
https://github.com/nothings/stb/issues/1540
https://github.com/nothings/stb/pull/1541

CVE-2023-45663[2]:
| stb_image is a single file MIT licensed library for processing
| images. The stbi__getn function reads a specified number of bytes
| from context (typically a file) into the specified buffer. In case
| the file stream points to the end, it returns zero. There are two
| places where its return value is not checked: In the
| `stbi__hdr_load` function and in the `stbi__tga_load` function. The
| latter of the two is likely more exploitable as an attacker may also
| control the size of an uninitialized buffer.
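The CVE-2023-45663 entry above comes down to a read helper whose return value is ignored, so a short file leaves the destination buffer unwritten and the loader carries on using it. The following is an added illustration of the checked call pattern; it is not stb_image's code. `mem_ctx_t`, `ctx_getn`, the two-byte toy image header and the sample inputs are all constructed for this example and only mirror the contract the advisory text describes (zero at end of stream, nothing else).

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory stream standing in for stb_image's read context. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_ctx_t;

/* Read exactly n bytes into out. Returns 1 on success and 0 when fewer than
 * n bytes remain, in which case out is left untouched. This is the contract
 * the advisory describes for stbi__getn, so a 0 result means "buffer still
 * holds whatever was there before". */
int ctx_getn(mem_ctx_t *c, unsigned char *out, size_t n)
{
    if (c->len - c->pos < n)
        return 0;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return 1;
}

/* Toy image format, constructed for this example: one byte width, one byte
 * height, then width*height pixel bytes. Every read is checked; a short file
 * yields -1 instead of a buffer that was never filled. On success the number
 * of pixel bytes is returned. */
int load_pixels_checked(const unsigned char *file, size_t file_len,
                        unsigned char *pixels, size_t cap)
{
    mem_ctx_t c = { file, file_len, 0 };
    unsigned char hdr[2];
    size_t n;

    if (!ctx_getn(&c, hdr, sizeof hdr))
        return -1;                          /* truncated header */
    n = (size_t)hdr[0] * (size_t)hdr[1];    /* at most 255*255, cannot wrap */
    if (n > cap)
        return -1;                          /* caller's buffer is too small */
    /* The unchecked call sites named in the advisory skipped this test and
     * went on to use the pixel buffer although nothing had been written. */
    if (!ctx_getn(&c, pixels, n))
        return -1;                          /* truncated payload */
    return (int)n;
}

/* Drive the checked loader over three constructed inputs and return how
 * many were rejected (the two truncated ones). */
int count_rejected(void)
{
    static const unsigned char complete[]    = { 2, 2, 1, 2, 3, 4 };
    static const unsigned char short_body[]  = { 2, 2, 1, 2 };
    static const unsigned char header_only[] = { 3, 3 };
    unsigned char buf[16];
    int rejected = 0;

    rejected += load_pixels_checked(complete, sizeof complete, buf, sizeof buf) < 0;
    rejected += load_pixels_checked(short_body, sizeof short_body, buf, sizeof buf) < 0;
    rejected += load_pixels_checked(header_only, sizeof header_only, buf, sizeof buf) < 0;
    return rejected;
}
```

The important property is that `load_pixels_checked` never returns a success value unless every byte of `pixels` it reports was actually written by `ctx_getn`; a caller that also lets the file choose the buffer size gets the same answer because the size is validated against `cap` before the read.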
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 3)
https://github.com/nothings/stb/issues/1542
https://github.com/nothings/stb/pull/1543

CVE-2023-45664[3]:
| stb_image is a single file MIT licensed library for processing
| images. A crafted image file can trigger
| `stbi__load_gif_main_outofmem` attempt to double-free the out
| variable. This happens in `stbi__load_gif_main` because when the
| `layers * stride` value is zero the behavior is implementation
| defined, but common that realloc frees the old memory and returns
| null pointer. Since it attempts to double-free the memory a few
| lines below the first “free”, the issue can be potentially exploited
| only in a multi-threaded environment. In the worst case this may
| lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 4)
https://github.com/nothings/stb/issues/1542
https://github.com/nothings/stb/pull/1545

CVE-2023-45666[4]:
| stb_image is a single file MIT licensed library for processing
| images. It may look like `stbi__load_gif_main` doesn’t give
| guarantees about the content of output value `*delays` upon failure.
| Although it sets `*delays` to zero at the beginning, it doesn’t do
| it in case the image is not recognized as GIF and a call to
| `stbi__load_gif_main_outofmem` only frees possibly allocated memory
| in `*delays` without resetting it to zero. Thus it would be fair to
| say the caller of `stbi__load_gif_main` is responsible to free the
| allocated memory in `*delays` only if `stbi__load_gif_main` returns
| a non null value. However at the same time the function may return
| null value, but fail to free the memory in `*delays` if internally
| `stbi__convert_format` is called and fails.
| Thus the issue may lead to a memory leak if the caller chooses to
| free `delays` only when `stbi__load_gif_main` didn’t fail or to a
| double-free if the `delays` is always freed.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 6)
https://github.com/nothings/stb/issues/1548
https://github.com/nothings/stb/pull/1549

CVE-2023-45667[5]:
| stb_image is a single file MIT licensed library for processing
| images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory`
| fails it returns a null pointer and may keep the `z` variable
| uninitialized. In case the caller also sets the flip vertically
| flag, it continues and calls `stbi__vertical_flip_slices` with the
| null pointer result value and the uninitialized `z` value. This may
| result in a program crash.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 7)
https://github.com/nothings/stb/issues/1550
https://github.com/nothings/stb/pull/1551

CVE-2023-45675[6]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[len] = (char)'\0';`. The root cause is that if the len
| read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed
| to `setup_malloc`. The `setup_malloc` behaves differently when
| `f->alloc.alloc_buffer` is pre-allocated. Instead of returning
| `NULL` as in `malloc` case it shifts the pre-allocated buffer by
| zero and returns the currently available memory block. This issue
| may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 8)
https://github.com/nothings/stb/issues/1552
https://github.com/nothings/stb/pull/1553

CVE-2023-45676[7]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[i] = get8_packet(f);`.
| The root cause is an integer overflow in `setup_malloc`. A
| sufficiently large value in the variable `sz` overflows with `sz+7`
| and the negative value passes the maximum available memory buffer
| check. This issue may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 9)
https://github.com/nothings/stb/pull/1554

CVE-2023-45677[8]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read
| in `start_decoder` is a negative number and `setup_malloc`
| successfully allocates memory in that case, but memory write is done
| with a negative index `len`. Similarly if len is INT_MAX the integer
| overflow len+1 happens in `f->vendor = (char*)setup_malloc(f,
| sizeof(char) * (len+1));` and `f->comment_list[i] =
| (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may
| lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 10)
https://github.com/nothings/stb/pull/1555

CVE-2023-45678[9]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of buffer write in
| `start_decoder` because at maximum `m->submaps` can be 16 but
| `submap_floor` and `submap_residue` are declared as arrays of 15
| elements. This issue may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 11)
https://github.com/nothings/stb/pull/1556

CVE-2023-45679[10]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory allocation failure
| in `start_decoder`. In that case the function returns early, but
| some of the pointers in `f->comment_list` are left initialized and
| later `setup_free` is called on these pointers in `vorbis_deinit`.
| This issue may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 12)
https://github.com/nothings/stb/pull/1557

CVE-2023-45680[11]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory allocation failure
| in `start_decoder`. In that case the function returns early, the
| `f->comment_list` is set to `NULL`, but `f->comment_list_length` is
| not reset. Later in `vorbis_deinit` it tries to dereference the
| `NULL` pointer. This issue may lead to denial of service.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 13)
https://github.com/nothings/stb/pull/1558

CVE-2023-45681[12]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory write past an
| allocated heap buffer in `start_decoder`. The root cause is a
| potential integer overflow in `sizeof(char*) *
| (f->comment_list_length)` which may make `setup_malloc` allocate
| less memory than required. Since there is another integer overflow
| an attacker may overflow it too to force `setup_malloc` to return 0
| and make the exploit more reliable. This issue may lead to code
| execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 14)
https://github.com/nothings/stb/pull/1559

CVE-2023-45682[13]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds read in
| `DECODE` macro when `var` is negative. As it can be seen in the
| definition of `DECODE_RAW` a negative `var` is a valid value. This
| issue may be used to leak internal memory allocation information.
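Several of the stb_vorbis entries above share one root: a size or index read from the file is fed into `int` arithmetic (`sz+7`, `len+1`, `sizeof(char*) * count`) or into a fixed-size table (`submaps` up to 16 against 15-element arrays, a negative `var` in `DECODE`) without being validated first. The block below is an added example of the checks that close those paths for CVE-2023-45675 through CVE-2023-45678, CVE-2023-45681 and CVE-2023-45682; it is not stb's code. `arena_t`, `round8_checked`, `arena_alloc` and the other names are constructed stand-ins that mirror only what the descriptions say about `setup_malloc` (a pre-allocated buffer with an offset, rounding to 8, a capacity check).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed bump allocator modelled on the description of setup_malloc:
 * a caller-supplied buffer and an offset into it. */
typedef struct {
    unsigned char *buf;
    size_t cap;
    size_t used;
} arena_t;

/* Round sz up to a multiple of 8. Returns -1 for negative sz and for any sz
 * where sz+7 would overflow int, so a wrapped negative value can never reach
 * the capacity check. */
int round8_checked(int sz)
{
    if (sz < 0 || sz > INT_MAX - 7)
        return -1;
    return (sz + 7) & ~7;
}

/* Allocate from the arena. Zero and invalid sizes yield NULL rather than a
 * pointer at the current offset, so a caller never receives memory it was
 * not granted (the len+1 == 0 case of CVE-2023-45675). */
void *arena_alloc(arena_t *a, int sz)
{
    int n = round8_checked(sz);
    if (n <= 0 || (size_t)n > a->cap - a->used)
        return NULL;
    void *p = a->buf + a->used;
    a->used += (size_t)n;
    return p;
}

/* Bytes for a NUL-terminated string whose length was read from the file as
 * an int. -1 rejects negative len and the len+1 overflow at INT_MAX. */
int string_bytes_checked(int len)
{
    if (len < 0 || len == INT_MAX)
        return -1;
    return len + 1;
}

/* count * elem without overflow; 0 signals rejection (a zero-byte table is
 * never a useful request). */
size_t table_bytes_checked(int count, size_t elem)
{
    if (count <= 0 || (size_t)count > SIZE_MAX / elem)
        return 0;
    return (size_t)count * elem;
}

/* Bounds check for an index taken from the stream into a fixed-size array:
 * a 16th submap must not index a 15-element table and a negative decoded
 * value must not index anything. */
int index_ok(int idx, size_t array_len)
{
    return idx >= 0 && (size_t)idx < array_len;
}

/* Exercise the helpers on the edge cases the advisories describe. Returns the
 * number of cases handled as intended (14 when everything is in order). */
int count_passed(void)
{
    static unsigned char backing[64];
    arena_t a = { backing, sizeof backing, 0 };
    int passed = 0;

    passed += round8_checked(-1) == -1;          /* negative size */
    passed += round8_checked(INT_MAX) == -1;     /* sz+7 would wrap */
    passed += round8_checked(9) == 16;
    passed += arena_alloc(&a, 0) == NULL;        /* zero request: no block */
    passed += arena_alloc(&a, 24) != NULL;       /* 40 bytes remain */
    passed += arena_alloc(&a, 48) == NULL;       /* exceeds what remains */
    passed += string_bytes_checked(-1) == -1;
    passed += string_bytes_checked(INT_MAX) == -1;
    passed += string_bytes_checked(5) == 6;
    passed += table_bytes_checked(-3, sizeof(char *)) == 0;
    passed += table_bytes_checked(4, 8) == 32;
    passed += index_ok(16, 15) == 0;             /* 16th submap, 15 slots */
    passed += index_ok(-1, 15) == 0;             /* negative decoded value */
    passed += index_ok(14, 15) == 1;
    return passed;
}
```

Each check sits in front of the arithmetic instead of after it, because once `sz+7` or `len+1` has wrapped in `int` the program is already outside defined behaviour and any later comparison is unreliable.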
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 15)
https://github.com/nothings/stb/pull/1560

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45661
    https://www.cve.org/CVERecord?id=CVE-2023-45661
[1] https://security-tracker.debian.org/tracker/CVE-2023-45662
    https://www.cve.org/CVERecord?id=CVE-2023-45662
[2] https://security-tracker.debian.org/tracker/CVE-2023-45663
    https://www.cve.org/CVERecord?id=CVE-2023-45663
[3] https://security-tracker.debian.org/tracker/CVE-2023-45664
    https://www.cve.org/CVERecord?id=CVE-2023-45664
[4] https://security-tracker.debian.org/tracker/CVE-2023-45666
    https://www.cve.org/CVERecord?id=CVE-2023-45666
[5] https://security-tracker.debian.org/tracker/CVE-2023-45667
    https://www.cve.org/CVERecord?id=CVE-2023-45667
[6] https://security-tracker.debian.org/tracker/CVE-2023-45675
    https://www.cve.org/CVERecord?id=CVE-2023-45675
[7] https://security-tracker.debian.org/tracker/CVE-2023-45676
    https://www.cve.org/CVERecord?id=CVE-2023-45676
[8] https://security-tracker.debian.org/tracker/CVE-2023-45677
    https://www.cve.org/CVERecord?id=CVE-2023-45677
[9] https://security-tracker.debian.org/tracker/CVE-2023-45678
    https://www.cve.org/CVERecord?id=CVE-2023-45678
[10] https://security-tracker.debian.org/tracker/CVE-2023-45679
     https://www.cve.org/CVERecord?id=CVE-2023-45679
[11] https://security-tracker.debian.org/tracker/CVE-2023-45680
     https://www.cve.org/CVERecord?id=CVE-2023-45680
[12] https://security-tracker.debian.org/tracker/CVE-2023-45681
     https://www.cve.org/CVERecord?id=CVE-2023-45681
[13] https://security-tracker.debian.org/tracker/CVE-2023-45682
     https://www.cve.org/CVERecord?id=CVE-2023-45682

Please adjust the affected versions in the BTS as needed.
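CVE-2023-45666, CVE-2023-45679 and CVE-2023-45680 in the report above are three faces of one cleanup discipline: when an initialisation fails part-way, every pointer the teardown will walk must be either valid or NULL, and a length field must be reset together with the list it counts, otherwise the teardown (or the caller's own free of `*delays`) double-frees, frees indeterminate pointers, or dereferences NULL. The block below is an added example of that discipline written against a constructed `decoder_t`; it is not stb_vorbis's code, and `decoder_init`, `decoder_deinit` and the `fail_at` fault-injection parameter exist only for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed decoder state, modelled on the two fields the advisories name. */
typedef struct {
    char **comment_list;
    int    comment_list_length;
} decoder_t;

/* Release every comment and reset both the pointer and the length, so a
 * second call, or a call after a failed init, is a no-op rather than a NULL
 * dereference or a double free. */
void decoder_deinit(decoder_t *f)
{
    if (f->comment_list != NULL) {
        for (int i = 0; i < f->comment_list_length; i++)
            free(f->comment_list[i]);        /* free(NULL) is permitted */
        free(f->comment_list);
    }
    f->comment_list = NULL;
    f->comment_list_length = 0;              /* the length follows the pointer */
}

/* Allocate `count` comment strings. `fail_at` is a constructed fault
 * injection point: allocation number fail_at (1-based) fails, standing in for
 * an allocation failure part-way through start_decoder. Returns 1 on
 * success, 0 on failure with the state fully reset. */
int decoder_init(decoder_t *f, int count, int fail_at)
{
    f->comment_list = NULL;
    f->comment_list_length = 0;
    if (count < 0)
        return 0;
    if (count == 0)
        return 1;
    /* calloc, not malloc: slots not yet filled are NULL, never indeterminate,
     * so decoder_deinit can walk the whole list after a partial failure. */
    f->comment_list = calloc((size_t)count, sizeof *f->comment_list);
    if (f->comment_list == NULL)
        return 0;
    f->comment_list_length = count;
    for (int i = 0; i < count; i++) {
        char *s = (i + 1 == fail_at) ? NULL : malloc(8);
        if (s == NULL) {
            decoder_deinit(f);               /* partial state released here */
            return 0;
        }
        strcpy(s, "comment");
        f->comment_list[i] = s;
    }
    return 1;
}

/* Run init, then deinit twice (the second must be harmless), and report the
 * number of comments that were built, or -1 if init failed. */
int init_then_count(int count, int fail_at)
{
    decoder_t f;
    int ok = decoder_init(&f, count, fail_at);
    int n = f.comment_list_length;
    decoder_deinit(&f);
    decoder_deinit(&f);
    return ok ? n : -1;
}

/* After a failed init both fields must already be reset, before any deinit. */
int reset_after_failure(int count, int fail_at)
{
    decoder_t f;
    if (decoder_init(&f, count, fail_at))
        return 0;                            /* did not fail: not the case asked */
    return f.comment_list == NULL && f.comment_list_length == 0;
}
```

The same rule applies to the `*delays` output of the GIF loader described above: whichever side owns the buffer, the function that frees it must also set the pointer back to NULL, so that the caller's "free only on success" and "always free" conventions both stay safe.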