CVE-2023-40889 (https://hackmd.io/@cspl/B1ZkFZv23): A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

CVE-2023-40890 (https://hackmd.io/@cspl/H1PxPAUnn): A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

A third party has reported upstream, and it seems there are some potential patches: https://github.com/mchehab/zbar/issues/263
Looks like we got the fixed 0.23.93 in https://github.com/gentoo/gentoo/pull/37432, thanks tobbez!
Fixes are:
https://github.com/mchehab/zbar/commit/012a030250a203e5529d09caedea7ad7173dacfd
https://github.com/mchehab/zbar/commit/f8f8f5ccf1e8d68c3700e0f0b3d895cdf03ce679
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55e6d66ba81287916b224aae9d87a438683c5c85

commit 55e6d66ba81287916b224aae9d87a438683c5c85
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-10-07 19:10:26 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-10-07 19:11:50 +0000

    media-gfx/zbar: drop 0.23.92

    Bug: https://bugs.gentoo.org/918543
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/zbar/Manifest            |   1 -
 media-gfx/zbar/zbar-0.23.92.ebuild | 235 -------------------------------------
 2 files changed, 236 deletions(-)