SAMtools and HTSlib version 1.22.1 are now available from GitHub and SourceForge. This fixes crashes that could happen when reading malformed CRAM files, or when writing files with very long secondary alignments as CRAM 3.1. It also fixes some issues that caused builds to fail on some older platforms, or where libcurl was unavailable.
https://github.com/samtools/htslib/releases/tag/1.22.1
https://github.com/samtools/samtools/releases/tag/1.22.1
https://sourceforge.net/projects/samtools/

The main changes are listed below:

-------------------------------------------------------------------------
htslib - changes v1.22.1
-------------------------------------------------------------------------

Bug Fixes
---------

* SECURITY fix: Prevent CRAM byte_array decoder from overflowing its output
  buffer. This could be triggered by certain malformed CRAM inputs.
  (PR #1934)

* Two fixes for crashes reported when trying to save data with very long
  alignment records with sequence '*' as CRAM 3.1:

  - The htscodecs submodule is updated to v1.6.4. This includes a fix to
    the rANS encoder to prevent it from failing on these inputs.
    (PR #1935. Reported by Martin Pollard)

  - Improved error handling in cram_compress_block2(). If the
    previously-chosen CRAM compression method starts to fail, it will now
    try other methods instead of giving up immediately.
    (PR #1931. Reported by Martin Pollard)

* Fix warnings due to the wrong datatype being passed to curl_easy_setopt().
  (PR #1925. Thanks to John Marshall)

* Prevent instances of `memcpy(out, NULL, 0)`, which is strictly undefined
  behaviour. (PR #1930. Thanks to Ben Lawrence)

Build Changes
-------------

* Fixed compilation against older glibc / macOS SDKs that incorrectly
  suppressed some symbols if _XOPEN_SOURCE was defined.
  (PR #1928. Reported by John Marshall)

* Fixed ref-cache configure check for libcurl, so that if libcurl is not
  available, or turned off by `./configure --disable-libcurl`, the
  `ref-cache` build will be automatically disabled as well.
  (PR #1929, fixes #1926. Reported by biounix)

-------------------------------------------------------------------------
samtools - changes v1.22.1
-------------------------------------------------------------------------

Bug fixes:

* SECURITY: Fix use-after-free bug in `samtools mpileup -a` due to
  reference sequences being discarded too early. This could happen when
  the `-a` option was used, and all the alignments for one of the
  references started at the same position. This caused mpileup to try to
  load the next reference before it had finished writing data for the
  previous one out. (PR #2229, fixes #2227. Reported by Pouya Kheradpour)

* This release bundles htslib-1.22.1 and htscodecs v1.6.4. Fixes a possible
  buffer overflow on some invalid CRAM inputs; and a failure when trying to
  save data with very long alignment records with sequence '*' as CRAM
  version 3.1. See the HTSlib and htscodecs NEWS files for details.

Documentation:

* Clarify that `-@` starts additional threads in `samtools index` help, and
  fix formatting issues in the `samtools reset` manual page. (PR #2225)

Build changes:

* Added settings to limit memory used by `samtools sort` when running
  tests. (PR #2226)

----------------------------------------------------------------------
The Wellcome Sanger Institute is operated by Genome Research Limited, a
charity registered in England with number 1021457 and a company registered
in England with number 2742969, whose registered office is Wellcome Sanger
Institute, Wellcome Genome Campus, Hinxton, CB10 1SA.

_______________________________________________
Samtools-help mailing list
Samtools-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/samtools-help
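As an added illustration, not HTSlib's code, of two of the C-level defect classes fixed in htslib 1.22.1 above (a decoder overflowing its output buffer on malformed input, and `memcpy` called with a NULL source and zero length): a decoder for a hypothetical length-prefixed byte array (the format, the `decode_byte_array` function and the sample inputs are all constructed here) that validates the untrusted length against both the remaining input and the output capacity before copying.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-prefixed byte array: little-endian uint32 count, then
 * that many bytes. NOT HTSlib's CRAM byte_array codec; a constructed
 * stand-in for the same shape of problem. Returns the payload length copied
 * into out, or -1 if the input is malformed or would not fit in out_cap. */
static int decode_byte_array(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap)
{
    if (in == NULL || in_len < 4)
        return -1;                          /* header truncated */
    uint32_t n = (uint32_t)in[0] | ((uint32_t)in[1] << 8)
               | ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    /* n is untrusted. An unchecked memcpy(out, in + 4, n) here is the
     * classic decoder output-buffer overflow; check both limits first. */
    if (n > in_len - 4 || n > out_cap || n > (uint32_t)INT_MAX)
        return -1;
    if (n == 0)
        return 0;       /* skip the copy: memcpy(out, NULL, 0) is undefined */
    if (out == NULL)
        return -1;
    memcpy(out, in + 4, n);
    return (int)n;
}

/* Constructed sample inputs (not real CRAM data). */
static const uint8_t sample_good[]  = {3, 0, 0, 0, 'a', 'b', 'c'};       /* len 3 */
static const uint8_t sample_trunc[] = {0xE8, 0x03, 0, 0, 'a', 'b', 'c'}; /* claims 1000 */
static const uint8_t sample_empty[] = {0, 0, 0, 0};                      /* len 0 */
static uint8_t scratch[8];                                               /* output */
/* A well-formed 16-byte array offered an 8-byte buffer must be refused. */
static int decode_oversized_into_scratch(void)
{
    uint8_t big[4 + 16] = {16, 0, 0, 0};
    memset(big + 4, 'x', 16);
    return decode_byte_array(big, sizeof big, scratch, sizeof scratch);
}

int main(void)
{
    printf("good=%d trunc=%d oversized=%d empty=%d\n",
           decode_byte_array(sample_good, sizeof sample_good, scratch, sizeof scratch),
           decode_byte_array(sample_trunc, sizeof sample_trunc, scratch, sizeof scratch),
           decode_oversized_into_scratch(),
           decode_byte_array(sample_empty, sizeof sample_empty, NULL, 0));
    return 0;
}
```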