Source: openbabel X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerabilities were published for openbabel. It's unclear if these were ever properly reported upstream/fixed, could you please sync up with the upstream developers? CVE-2022-37331[0]: | An out-of-bounds write vulnerability exists in the Gaussian format | orientation functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672 CVE-2022-41793[1]: | An out-of-bounds write vulnerability exists in the CSR format title | functionality of Open Babel 3.1.1 and master commit 530dbfa3. A | specially crafted malformed file can lead to arbitrary code | execution. An attacker can provide a malicious file to trigger this | vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667 CVE-2022-42885[2]: | A use of uninitialized pointer vulnerability exists in the GRO | format res functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668 CVE-2022-43467[3]: | An out-of-bounds write vulnerability exists in the PQS format | coord_file functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671 CVE-2022-43607[4]: | An out-of-bounds write vulnerability exists in the MOL2 format | attribute and value functionality of Open Babel 3.1.1 and master | commit 530dbfa3. A specially crafted malformed file can lead to | arbitrary code execution. An attacker can provide a malicious file | to trigger this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664 CVE-2022-44451[5]: | A use of uninitialized pointer vulnerability exists in the MSI | format atom functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669 CVE-2022-46280[6]: | A use of uninitialized pointer vulnerability exists in the PQS | format pFormat functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670 CVE-2022-46289[7]: | Multiple out-of-bounds write vulnerabilities exist in the ORCA | format nAtoms functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially-crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability.nAtoms calculation wrap-around, leading to a | small buffer allocation https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 CVE-2022-46290[8]: | Multiple out-of-bounds write vulnerabilities exist in the ORCA | format nAtoms functionality of Open Babel 3.1.1 and master commit | 530dbfa3. A specially-crafted malformed file can lead to arbitrary | code execution. An attacker can provide a malicious file to trigger | this vulnerability.The loop that stores the coordinates does not | check its index against nAtoms https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665 CVE-2022-46291[9]: | Multiple out-of-bounds write vulnerabilities exist in the | translationVectors parsing functionality in multiple supported | formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially- | crafted malformed file can lead to arbitrary code execution. An | attacker can provide a malicious file to trigger this | vulnerability.This vulnerability affects the MSI file format https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46292[10]: | Multiple out-of-bounds write vulnerabilities exist in the | translationVectors parsing functionality in multiple supported | formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially- | crafted malformed file can lead to arbitrary code execution. An | attacker can provide a malicious file to trigger this | vulnerability.This vulnerability affects the MOPAC file format, | inside the Unit Cell Translation section https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46293[11]: | Multiple out-of-bounds write vulnerabilities exist in the | translationVectors parsing functionality in multiple supported | formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially- | crafted malformed file can lead to arbitrary code execution. An | attacker can provide a malicious file to trigger this | vulnerability.This vulnerability affects the MOPAC file format, | inside the Final Point and Derivatives section https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46294[12]: | Multiple out-of-bounds write vulnerabilities exist in the | translationVectors parsing functionality in multiple supported | formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially- | crafted malformed file can lead to arbitrary code execution. An | attacker can provide a malicious file to trigger this | vulnerability.This vulnerability affects the MOPAC Cartesian file | format https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 CVE-2022-46295[13]: | Multiple out-of-bounds write vulnerabilities exist in the | translationVectors parsing functionality in multiple supported | formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially- | crafted malformed file can lead to arbitrary code execution. An | attacker can provide a malicious file to trigger this | vulnerability.This vulnerability affects the Gaussian file format https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-37331 https://www.cve.org/CVERecord?id=CVE-2022-37331 [1] https://security-tracker.debian.org/tracker/CVE-2022-41793 https://www.cve.org/CVERecord?id=CVE-2022-41793 [2] https://security-tracker.debian.org/tracker/CVE-2022-42885 https://www.cve.org/CVERecord?id=CVE-2022-42885 [3] https://security-tracker.debian.org/tracker/CVE-2022-43467 https://www.cve.org/CVERecord?id=CVE-2022-43467 [4] https://security-tracker.debian.org/tracker/CVE-2022-43607 https://www.cve.org/CVERecord?id=CVE-2022-43607 [5] https://security-tracker.debian.org/tracker/CVE-2022-44451 https://www.cve.org/CVERecord?id=CVE-2022-44451 [6] https://security-tracker.debian.org/tracker/CVE-2022-46280 https://www.cve.org/CVERecord?id=CVE-2022-46280 [7] https://security-tracker.debian.org/tracker/CVE-2022-46289 https://www.cve.org/CVERecord?id=CVE-2022-46289 [8] https://security-tracker.debian.org/tracker/CVE-2022-46290 https://www.cve.org/CVERecord?id=CVE-2022-46290 [9] https://security-tracker.debian.org/tracker/CVE-2022-46291 https://www.cve.org/CVERecord?id=CVE-2022-46291 [10] https://security-tracker.debian.org/tracker/CVE-2022-46292 https://www.cve.org/CVERecord?id=CVE-2022-46292 [11] https://security-tracker.debian.org/tracker/CVE-2022-46293 https://www.cve.org/CVERecord?id=CVE-2022-46293 [12] https://security-tracker.debian.org/tracker/CVE-2022-46294 https://www.cve.org/CVERecord?id=CVE-2022-46294 [13] https://security-tracker.debian.org/tracker/CVE-2022-46295 https://www.cve.org/CVERecord?id=CVE-2022-46295 Please adjust the affected versions in the BTS as needed.