[
Date: Fri, 22 Dec 2023 13:06:17 +0100
To: submit@bugs.debian.org
Subject: openbabel: CVE-2022-37331 CVE-2022-41793 CVE-2022-42885
 CVE-2022-43467 CVE-2022-43607 CVE-2022-44451 CVE-2022-46280 CVE-2022-46289
 CVE-2022-46290 CVE-2022-46291 CVE-2022-46292 CVE-2022-46293 CVE-2022-46294
 CVE-2022-46295
Message-ID: <ZYV7uTMYZODN75DW@pisco.westfalen.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: Moritz Mühlenhoff <jmm@inutil.org>
Delivered-To: submit@bugs.debian.org

Source: openbabel
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for openbabel.

It's unclear whether these were ever properly reported upstream or fixed;
could you please sync up with the upstream developers?

CVE-2022-37331[0]:
| An out-of-bounds write vulnerability exists in the Gaussian format
| orientation functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672

CVE-2022-41793[1]:
| An out-of-bounds write vulnerability exists in the CSR format title
| functionality of Open Babel 3.1.1 and master commit 530dbfa3. A
| specially crafted malformed file can lead to arbitrary code
| execution. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667

CVE-2022-42885[2]:
| A use of uninitialized pointer vulnerability exists in the GRO
| format res functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668

CVE-2022-43467[3]:
| An out-of-bounds write vulnerability exists in the PQS format
| coord_file functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671

CVE-2022-43607[4]:
| An out-of-bounds write vulnerability exists in the MOL2 format
| attribute and value functionality of Open Babel 3.1.1 and master
| commit 530dbfa3. A specially crafted malformed file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664

CVE-2022-44451[5]:
| A use of uninitialized pointer vulnerability exists in the MSI
| format atom functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669

CVE-2022-46280[6]:
| A use of uninitialized pointer vulnerability exists in the PQS
| format pFormat functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670

CVE-2022-46289[7]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. nAtoms calculation wrap-around, leading to a
| small buffer allocation.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665

CVE-2022-46290[8]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. The loop that stores the coordinates does not
| check its index against nAtoms.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665

CVE-2022-46291[9]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MSI file format.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46292[10]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Unit Cell Translation section.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46293[11]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Final Point and Derivatives section.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46294[12]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC Cartesian file
| format.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46295[13]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the Gaussian file format.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37331
    https://www.cve.org/CVERecord?id=CVE-2022-37331
[1] https://security-tracker.debian.org/tracker/CVE-2022-41793
    https://www.cve.org/CVERecord?id=CVE-2022-41793
[2] https://security-tracker.debian.org/tracker/CVE-2022-42885
    https://www.cve.org/CVERecord?id=CVE-2022-42885
[3] https://security-tracker.debian.org/tracker/CVE-2022-43467
    https://www.cve.org/CVERecord?id=CVE-2022-43467
[4] https://security-tracker.debian.org/tracker/CVE-2022-43607
    https://www.cve.org/CVERecord?id=CVE-2022-43607
[5] https://security-tracker.debian.org/tracker/CVE-2022-44451
    https://www.cve.org/CVERecord?id=CVE-2022-44451
[6] https://security-tracker.debian.org/tracker/CVE-2022-46280
    https://www.cve.org/CVERecord?id=CVE-2022-46280
[7] https://security-tracker.debian.org/tracker/CVE-2022-46289
    https://www.cve.org/CVERecord?id=CVE-2022-46289
[8] https://security-tracker.debian.org/tracker/CVE-2022-46290
    https://www.cve.org/CVERecord?id=CVE-2022-46290
[9] https://security-tracker.debian.org/tracker/CVE-2022-46291
    https://www.cve.org/CVERecord?id=CVE-2022-46291
[10] https://security-tracker.debian.org/tracker/CVE-2022-46292
    https://www.cve.org/CVERecord?id=CVE-2022-46292
[11] https://security-tracker.debian.org/tracker/CVE-2022-46293
    https://www.cve.org/CVERecord?id=CVE-2022-46293
[12] https://security-tracker.debian.org/tracker/CVE-2022-46294
    https://www.cve.org/CVERecord?id=CVE-2022-46294
[13] https://security-tracker.debian.org/tracker/CVE-2022-46295
    https://www.cve.org/CVERecord?id=CVE-2022-46295

Please adjust the affected versions in the BTS as needed.
]