
Bug 918679 (CVE-2023-43281, CVE-2023-43898, CVE-2023-45661, CVE-2023-45662, CVE-2023-45663, CVE-2023-45664, CVE-2023-45666, CVE-2023-45667, CVE-2023-45675, CVE-2023-45676, CVE-2023-45677, CVE-2023-45678, CVE-2023-45679, CVE-2023-45680, CVE-2023-45681, CVE-2023-45682)

Summary: dev-libs/stb: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: 3dprint, mathy, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III 2023-11-28 01:12:57 UTC
CVE-2023-43281 (https://gist.github.com/peccc/d8761f6ac45ad55cbd194dd7e6fdfdac):

Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi_load_gif_main function.

This one's referenced by Fedora advisories (e.g. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/), so there are presumably patches for it somewhere.

CVE-2023-45676 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7`, and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.

CVE-2023-45677 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that the `len` read in `start_decoder` may be a negative number; `setup_malloc` successfully allocates memory in that case, but the memory write is done with a negative index `len`. Similarly, if `len` is INT_MAX the integer overflow `len+1` happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.

CVE-2023-45678 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.

CVE-2023-45679 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.

CVE-2023-45664 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.

CVE-2023-45666 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF, and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However, at the same time the function may return a null value but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail, or to a double-free if `delays` is always freed.

CVE-2023-45667 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images.

If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.

CVE-2023-45675 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the `len` read in `start_decoder` is `-1`, `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in the `malloc` case, it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.

CVE-2023-45680 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.

CVE-2023-45681 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.

CVE-2023-45682 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

CVE-2023-45661 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.

CVE-2023-45662 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions. 

CVE-2023-45663 (https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/):

stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.

CVE-2023-43898 (https://github.com/nothings/stb/issues/1452):

Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.

Seems to be a patch here which Fedora is using: https://github.com/nothings/stb/pull/1454

The GitHub vulnerabilities are claimed to have been fixed in PRs publicly according to the advisory, but fixes aren't referenced in the CVEs or the advisory.
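As an added illustration of the integer-overflow pattern behind CVE-2023-45676 and CVE-2023-45681 described above (example code written for this bug entry, not stb's own code): a hypothetical bump allocator whose size rounding wraps negative and slips past the remaining-space check, beside a hardened form and an overflow-checked array-size computation. The `arena_t` type, the function names and the 64-byte arena are this example's assumptions.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical bump allocator modelled on the setup_malloc description above
 * (caller-supplied buffer handed out in 8-byte slices); the names are this
 * example's own, not stb's code. */
typedef struct { unsigned char *buf; int size; int used; } arena_t;

/* Vulnerable pattern: round sz up to 8, then compare with the space left.
 * For sz near INT_MAX the rounding wraps negative and the check passes.
 * The wrap is written in unsigned arithmetic so the demo is deterministic;
 * in the real bug it is plain signed overflow with the same effect. */
void *arena_alloc_vuln(arena_t *a, int sz)
{
    int rounded = (int)(((unsigned)sz + 7u) & ~7u);   /* INT_MAX -> INT_MIN */
    if (a->used + rounded > a->size) return NULL;     /* negative slips through */
    void *p = a->buf + a->used;
    a->used += rounded;
    return p;
}

/* Hardened form: reject negative and near-INT_MAX sizes before rounding and
 * compare against the remaining space without an addition that can wrap. */
void *arena_alloc_safe(arena_t *a, int sz)
{
    if (sz < 0 || sz > INT_MAX - 7) return NULL;
    int rounded = (sz + 7) & ~7;
    if (rounded > a->size - a->used) return NULL;
    void *p = a->buf + a->used;
    a->used += rounded;
    return p;
}

/* Byte count of an n-element array (the comment_list case), or -1 when n is
 * negative or n * elem does not fit an int. */
int array_bytes_checked(int n, size_t elem)
{
    if (n < 0 || elem == 0 || (size_t)n > (size_t)INT_MAX / elem) return -1;
    return (int)((size_t)n * elem);
}

/* Ask a 64-byte arena for INT_MAX bytes; 1 if a pointer is handed out. */
int accepts_impossible_request(void *(*alloc)(arena_t *, int))
{
    unsigned char buf[64];
    arena_t a = { buf, (int)sizeof buf, 0 };
    return alloc(&a, INT_MAX) != NULL;
}
```

The vulnerable allocator hands out a pointer for the INT_MAX request, so any subsequent write of the attacker-controlled length runs past the 64-byte arena; the hardened one refuses it before the rounding can wrap.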
Comment 1 John Helmert III 2023-11-28 01:23:32 UTC
Ah, there are PRs:

CVE-2023-45676: https://github.com/nothings/stb/pull/1554
CVE-2023-45677: https://github.com/nothings/stb/pull/1555
CVE-2023-45678: https://github.com/nothings/stb/pull/1556
CVE-2023-45679: https://github.com/nothings/stb/pull/1557
CVE-2023-45664: https://github.com/nothings/stb/pull/1545
CVE-2023-45666: https://github.com/nothings/stb/pull/1549
CVE-2023-45667: https://github.com/nothings/stb/pull/1551
CVE-2023-45675: https://github.com/nothings/stb/pull/1553
CVE-2023-45680: https://github.com/nothings/stb/pull/1558
CVE-2023-45681: https://github.com/nothings/stb/pull/1559
CVE-2023-45682: https://github.com/nothings/stb/pull/1560
CVE-2023-45661: https://github.com/nothings/stb/pull/1539
CVE-2023-45662: https://github.com/nothings/stb/pull/1541
CVE-2023-45663: https://github.com/nothings/stb/pull/1543

It also seems that there are a variety of other issues that GHSL found which (I guess) weren't necessarily security relevant and didn't get CVEs:

https://github.com/nothings/stb/pulls/JarLob
Comment 2 John Helmert III 2023-11-28 01:27:30 UTC
These ones have the potential to be uniquely nasty given that stb's format lends itself very well to downstream bundling/vendoring.
Comment 3 Hans de Graaff 2024-04-07 06:10:38 UTC
None of these PRs have made it into the 20240201 release.