[Debichem-devel] Bug#1059277: openbabel: CVE-2022-37331 CVE-2022-41793 CVE-2022-42885 CVE-2022-43467 CVE-2022-43607 CVE-2022-44451 CVE-2022-46280 CVE-2022-46289 CVE-2022-46290 CVE-2022-46291 CVE-2022-46292 CVE-2022-46293 CVE-2022-46294 CVE-2022-46295

Moritz Mühlenhoff jmm at inutil.org
Fri Dec 22 12:06:17 GMT 2023


Source: openbabel
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for openbabel.

It's unclear if these were ever properly reported upstream/fixed,
could you please sync up with the upstream developers?

CVE-2022-37331[0]:
| An out-of-bounds write vulnerability exists in the Gaussian format
| orientation functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672

CVE-2022-41793[1]:
| An out-of-bounds write vulnerability exists in the CSR format title
| functionality of Open Babel 3.1.1 and master commit 530dbfa3. A
| specially crafted malformed file can lead to arbitrary code
| execution. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667

CVE-2022-42885[2]:
| A use of uninitialized pointer vulnerability exists in the GRO
| format res functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668

CVE-2022-43467[3]:
| An out-of-bounds write vulnerability exists in the PQS format
| coord_file functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671

CVE-2022-43607[4]:
| An out-of-bounds write vulnerability exists in the MOL2 format
| attribute and value functionality of Open Babel 3.1.1 and master
| commit 530dbfa3. A specially crafted malformed file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664

CVE-2022-44451[5]:
| A use of uninitialized pointer vulnerability exists in the MSI
| format atom functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669

CVE-2022-46280[6]:
| A use of uninitialized pointer vulnerability exists in the PQS
| format pFormat functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670

CVE-2022-46289[7]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. nAtoms calculation wrap-around, leading to a
| small buffer allocation

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665

CVE-2022-46290[8]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. The loop that stores the coordinates does not
| check its index against nAtoms

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665

CVE-2022-46291[9]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MSI file format

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46292[10]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Unit Cell Translation section

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46293[11]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Final Point and Derivatives section

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46294[12]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC Cartesian file
| format

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

CVE-2022-46295[13]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the Gaussian file format

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37331
    https://www.cve.org/CVERecord?id=CVE-2022-37331
[1] https://security-tracker.debian.org/tracker/CVE-2022-41793
    https://www.cve.org/CVERecord?id=CVE-2022-41793
[2] https://security-tracker.debian.org/tracker/CVE-2022-42885
    https://www.cve.org/CVERecord?id=CVE-2022-42885
[3] https://security-tracker.debian.org/tracker/CVE-2022-43467
    https://www.cve.org/CVERecord?id=CVE-2022-43467
[4] https://security-tracker.debian.org/tracker/CVE-2022-43607
    https://www.cve.org/CVERecord?id=CVE-2022-43607
[5] https://security-tracker.debian.org/tracker/CVE-2022-44451
    https://www.cve.org/CVERecord?id=CVE-2022-44451
[6] https://security-tracker.debian.org/tracker/CVE-2022-46280
    https://www.cve.org/CVERecord?id=CVE-2022-46280
[7] https://security-tracker.debian.org/tracker/CVE-2022-46289
    https://www.cve.org/CVERecord?id=CVE-2022-46289
[8] https://security-tracker.debian.org/tracker/CVE-2022-46290
    https://www.cve.org/CVERecord?id=CVE-2022-46290
[9] https://security-tracker.debian.org/tracker/CVE-2022-46291
    https://www.cve.org/CVERecord?id=CVE-2022-46291
[10] https://security-tracker.debian.org/tracker/CVE-2022-46292
    https://www.cve.org/CVERecord?id=CVE-2022-46292
[11] https://security-tracker.debian.org/tracker/CVE-2022-46293
    https://www.cve.org/CVERecord?id=CVE-2022-46293
[12] https://security-tracker.debian.org/tracker/CVE-2022-46294
    https://www.cve.org/CVERecord?id=CVE-2022-46294
[13] https://security-tracker.debian.org/tracker/CVE-2022-46295
    https://www.cve.org/CVERecord?id=CVE-2022-46295

Please adjust the affected versions in the BTS as needed.
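
Added example, not part of the original report and not Open Babel code: the two ORCA descriptions above (CVE-2022-46289 and CVE-2022-46290) name a size calculation that wraps around and a store loop that never checks its index against nAtoms. The C code below shows the two checks that close those gaps; the three-doubles-per-atom layout and every identifier in it are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define COORDS_PER_ATOM 3  /* assumption: x, y, z stored as doubles */
typedef struct {
    double *xyz;     /* n_atoms * COORDS_PER_ATOM doubles */
    size_t  n_atoms; /* capacity every store is checked against */
} coord_buf;

/* Size computation with no overflow check: wraps around for large counts. */
size_t unchecked_bytes(size_t n) { return n * COORDS_PER_ATOM * sizeof(double); }

/* Returns 0 on success, -1 if the count is zero, the byte size would
 * wrap around, or the allocation fails. */
int coord_buf_init(coord_buf *b, size_t n_atoms)
{
    b->xyz = NULL; b->n_atoms = 0;
    if (n_atoms == 0 || n_atoms > SIZE_MAX / (COORDS_PER_ATOM * sizeof(double)))
        return -1;
    b->xyz = calloc(n_atoms, COORDS_PER_ATOM * sizeof(double));
    if (b->xyz == NULL)
        return -1;
    b->n_atoms = n_atoms;
    return 0;
}

/* Stores one atom; rejects any index outside the allocated count. */
int coord_buf_store(coord_buf *b, size_t idx, double x, double y, double z)
{
    if (b->xyz == NULL || idx >= b->n_atoms)
        return -1;
    double *p = b->xyz + idx * COORDS_PER_ATOM;
    p[0] = x; p[1] = y; p[2] = z;
    return 0;
}

int main(void)
{
    coord_buf b;
    /* constructed count: the smallest one whose byte size wraps around */
    size_t huge = SIZE_MAX / (COORDS_PER_ATOM * sizeof(double)) + 1;
    printf("wrapped size: %zu bytes, checked init: %d\n",
           unchecked_bytes(huge), coord_buf_init(&b, huge));
    if (coord_buf_init(&b, 4) == 0) {
        printf("store at index 4 of 4: %d\n", coord_buf_store(&b, 4, 0, 0, 0));
        free(b.xyz);
    }
    return 0;
}
```
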


