[Debian-med-packaging] Bug#1112133: biosig: CVE-2025-54494 CVE-2025-54493 CVE-2025-54492 CVE-2025-54491 CVE-2025-54490 CVE-2025-54489 CVE-2025-54488 CVE-2025-54487 CVE-2025-54486 CVE-2025-54485 CVE-2025-54484 CVE-2025-54483 CVE-2025-54482 CVE-2025-54481 CVE-2025-54480 CVE-2025-54462 CVE-2025-53853 CVE-2025-53557 CVE-2025-53518 CVE-2025-53511 CVE-2025-52581 CVE-2025-52461 CVE-2025-48005 CVE-2025-46411
Salvatore Bonaccorso
carnil at debian.org
Tue Aug 26 20:18:31 BST 2025
Source: biosig
Version: 3.9.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for biosig.
CVE-2025-54494[0]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 9205 of biosig.c on the current master branch (35a819fa), when the
| Tag is 133:
|
|     else if (tag==133)    //0x85
|     {
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54493[1]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 9184 of biosig.c on the current master branch (35a819fa), when the
| Tag is 131:
|
|     else if (tag==131)    //0x83
|     {
|         // Patient Age
|         if (len!=7) fprintf(stderr,"Warning MFER tag131 incorrect length %i!=7\n",len);
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54492[2]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 9141 of biosig.c on the current master branch (35a819fa), when the
| Tag is 67:
|
|     else if (tag==67)     //0x43: Sample skew
|     {
|         int skew=0;    // [1]
|         curPos += ifread(&skew, 1, len,hdr);
|
| In this case, the address of the newly-defined integer `skew` [1] is
| overflowed instead of `buf`. This means a stack overflow can occur
| using much smaller values of `len` in this code path.
CVE-2025-54491[3]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 9191 of biosig.c on the current master branch (35a819fa), when the
| Tag is 65:
|
|     else if (tag==65)     //0x41: patient event
|     {
|         // event table
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54490[4]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 9090 of biosig.c on the current master branch (35a819fa), when the
| Tag is 64:
|
|     else if (tag==64)     //0x40
|     {
|         // preamble
|         char tmp[256];    // [1]
|         curPos += ifread(tmp,1,len,hdr);
|
| In this case, the overflowed buffer is the newly-declared `tmp` [1]
| instead of `buf`. While `tmp` is larger than `buf`, having a size of
| 256 bytes, a stack overflow can still occur in cases where `len` is
| encoded using multiple octets and is greater than 256.
CVE-2025-54489[5]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8970 of biosig.c on the current master branch (35a819fa), when the
| Tag is 63:
|
|     else if (tag==63) {
|         uint8_t tag2=255, len2=255;
|         count = 0;
|         while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){
|             curPos += ifread(&tag2,1,1,hdr);
|             curPos += ifread(&len2,1,1,hdr);
|             if (VERBOSE_LEVEL==9)
|                 fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\n",
|                         tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count);
|             if (FlagInfiniteLength && len2==0 && tag2==0) break;
|             count += (2+len2);
|             curPos += ifread(&buf,1,len2,hdr);
|
| Here, the number of bytes read is not the Data Length decoded from
| the current frame in the file (`len`) but rather is a new length
| contained in a single octet read from the same input file (`len2`).
| Despite this, a stack-based buffer overflow condition can still
| occur, as the destination buffer is still `buf`, which has a size of
| only 128 bytes, while `len2` can be as large as 255.
CVE-2025-54488[6]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8850 of biosig.c on the current master branch (35a819fa), when the
| Tag is 13:
|
|     else if (tag==13) {
|         if (len>8) fprintf(stderr,"Warning MFER tag13 incorrect length %i>8\n",len);
|         curPos += ifread(&buf,1,len,hdr);
CVE-2025-54487[7]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8842 of biosig.c on the current master branch (35a819fa), when the
| Tag is 12:
|
|     else if (tag==12)     //0x0C
|     {
|         // sampling resolution
|         if (len>6) fprintf(stderr,"Warning MFER tag12 incorrect length %i>6\n",len);
|         val32 = 0;
|         int8_t v8;
|         curPos += ifread(&UnitCode,1,1,hdr);
|         curPos += ifread(&v8,1,1,hdr);
|         curPos += ifread(buf,1,len-2,hdr);
|
| In addition to values of `len` greater than 130 triggering a buffer
| overflow, a value of `len` smaller than 2 will also trigger a buffer
| overflow due to an integer underflow when computing `len-2` in this
| code path.
CVE-2025-54486[8]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8824 of biosig.c on the current master branch (35a819fa), when the
| Tag is 11:
|
|     else if (tag==11)     //0x0B
|     {
|         // Fs
|         if (len>6) fprintf(stderr,"Warning MFER tag11 incorrect length %i>6\n",len);
|         double fval;
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54485[9]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8785 of biosig.c on the current master branch (35a819fa), when the
| Tag is 8:
|
|     else if (tag==8) {
|         if (len>2) fprintf(stderr,"Warning MFER tag8 incorrect length %i>2\n",len);
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54484[10]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8779 of biosig.c on the current master branch (35a819fa), when the
| Tag is 6:
|
|     else if (tag==6)      // 0x06 "number of sequences"
|     {
|         // NRec
|         if (len>4) fprintf(stderr,"Warning MFER tag6 incorrect length %i>4\n",len);
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54483[11]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8759 of biosig.c on the current master branch (35a819fa), when the
| Tag is 5:
|
|     else if (tag==5)      //0x05: number of channels
|     {
|         uint16_t oldNS=hdr->NS;
|         if (len>4) fprintf(stderr,"Warning MFER tag5 incorrect length %i>4\n",len);
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54482[12]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8751 of biosig.c on the current master branch (35a819fa), when the
| Tag is 4:
|
|     else if (tag==4) {
|         // SPR
|         if (len>4) fprintf(stderr,"Warning MFER tag4 incorrect length %i>4\n",len);
|         curPos += ifread(buf,1,len,hdr);
CVE-2025-54481[13]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8744 of biosig.c on the current master branch (35a819fa), when the
| Tag is 3:
|
|     else if (tag==3) {
|         // character code
|         char v[17];    // [1]
|         if (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length %i>16\n",len);
|         curPos += ifread(&v,1,len,hdr);
|         v[len] = 0;
|
| In this case, the overflowed buffer is the newly-declared `v` [1]
| instead of `buf`. Since `v` is only 17 bytes large, much smaller
| values of `len` (even those encoded using a single octet) can trigger
| an overflow in this code path.
CVE-2025-54480[14]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability. This vulnerability manifests on line
| 8719 of biosig.c on the current master branch (35a819fa), when the
| Tag is 0:
|
|     if (tag==0) {
|         if (len!=1) fprintf(stderr,"Warning MFER tag0 incorrect length %i!=1\n",len);
|         curPos += ifread(buf,1,len,hdr);
|     }
CVE-2025-54462[15]:
| A heap-based buffer overflow vulnerability exists in the Nex parsing
| functionality of The Biosig Project libbiosig 3.9.0 and Master
| Branch (35a819fa). A specially crafted .nex file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
CVE-2025-53853[16]:
| A heap-based buffer overflow vulnerability exists in the ISHNE
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted ISHNE ECG annotations
| file can lead to arbitrary code execution. An attacker can provide a
| malicious file to trigger this vulnerability.
CVE-2025-53557[17]:
| A heap-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
CVE-2025-53518[18]:
| An integer overflow vulnerability exists in the ABF parsing
| functionality of The Biosig Project libbiosig 3.9.0 and Master
| Branch (35a819fa). A specially crafted ABF file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
CVE-2025-53511[19]:
| A heap-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
CVE-2025-52581[20]:
| An integer overflow vulnerability exists in the GDF parsing
| functionality of The Biosig Project libbiosig 3.9.0 and Master
| Branch (35a819fa). A specially crafted GDF file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
CVE-2025-52461[21]:
| An out-of-bounds read vulnerability exists in the Nex parsing
| functionality of The Biosig Project libbiosig 3.9.0 and Master
| Branch (35a819fa). A specially crafted .nex file can lead to an
| information leak. An attacker can provide a malicious file to
| trigger this vulnerability.
CVE-2025-48005[22]:
| A heap-based buffer overflow vulnerability exists in the RHS2000
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted RHS2000 file can lead
| to arbitrary code execution. An attacker can provide a malicious
| file to trigger this vulnerability.
CVE-2025-46411[23]:
| A stack-based buffer overflow vulnerability exists in the MFER
| parsing functionality of The Biosig Project libbiosig 3.9.0 and
| Master Branch (35a819fa). A specially crafted MFER file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-54494
https://www.cve.org/CVERecord?id=CVE-2025-54494
[1] https://security-tracker.debian.org/tracker/CVE-2025-54493
https://www.cve.org/CVERecord?id=CVE-2025-54493
[2] https://security-tracker.debian.org/tracker/CVE-2025-54492
https://www.cve.org/CVERecord?id=CVE-2025-54492
[3] https://security-tracker.debian.org/tracker/CVE-2025-54491
https://www.cve.org/CVERecord?id=CVE-2025-54491
[4] https://security-tracker.debian.org/tracker/CVE-2025-54490
https://www.cve.org/CVERecord?id=CVE-2025-54490
[5] https://security-tracker.debian.org/tracker/CVE-2025-54489
https://www.cve.org/CVERecord?id=CVE-2025-54489
[6] https://security-tracker.debian.org/tracker/CVE-2025-54488
https://www.cve.org/CVERecord?id=CVE-2025-54488
[7] https://security-tracker.debian.org/tracker/CVE-2025-54487
https://www.cve.org/CVERecord?id=CVE-2025-54487
[8] https://security-tracker.debian.org/tracker/CVE-2025-54486
https://www.cve.org/CVERecord?id=CVE-2025-54486
[9] https://security-tracker.debian.org/tracker/CVE-2025-54485
https://www.cve.org/CVERecord?id=CVE-2025-54485
[10] https://security-tracker.debian.org/tracker/CVE-2025-54484
https://www.cve.org/CVERecord?id=CVE-2025-54484
[11] https://security-tracker.debian.org/tracker/CVE-2025-54483
https://www.cve.org/CVERecord?id=CVE-2025-54483
[12] https://security-tracker.debian.org/tracker/CVE-2025-54482
https://www.cve.org/CVERecord?id=CVE-2025-54482
[13] https://security-tracker.debian.org/tracker/CVE-2025-54481
https://www.cve.org/CVERecord?id=CVE-2025-54481
[14] https://security-tracker.debian.org/tracker/CVE-2025-54480
https://www.cve.org/CVERecord?id=CVE-2025-54480
[15] https://security-tracker.debian.org/tracker/CVE-2025-54462
https://www.cve.org/CVERecord?id=CVE-2025-54462
[16] https://security-tracker.debian.org/tracker/CVE-2025-53853
https://www.cve.org/CVERecord?id=CVE-2025-53853
[17] https://security-tracker.debian.org/tracker/CVE-2025-53557
https://www.cve.org/CVERecord?id=CVE-2025-53557
[18] https://security-tracker.debian.org/tracker/CVE-2025-53518
https://www.cve.org/CVERecord?id=CVE-2025-53518
[19] https://security-tracker.debian.org/tracker/CVE-2025-53511
https://www.cve.org/CVERecord?id=CVE-2025-53511
[20] https://security-tracker.debian.org/tracker/CVE-2025-52581
https://www.cve.org/CVERecord?id=CVE-2025-52581
[21] https://security-tracker.debian.org/tracker/CVE-2025-52461
https://www.cve.org/CVERecord?id=CVE-2025-52461
[22] https://security-tracker.debian.org/tracker/CVE-2025-48005
https://www.cve.org/CVERecord?id=CVE-2025-48005
[23] https://security-tracker.debian.org/tracker/CVE-2025-46411
https://www.cve.org/CVERecord?id=CVE-2025-46411
[24] https://sourceforge.net/p/biosig/mailman/message/59224259/
Regards,
Salvatore