[Debichem-devel] Bug#1059277: openbabel: CVE-2022-37331 CVE-2022-41793 CVE-2022-42885 CVE-2022-43467 CVE-2022-43607 CVE-2022-44451 CVE-2022-46280 CVE-2022-46289 CVE-2022-46290 CVE-2022-46291 CVE-2022-46292 CVE-2022-46293 CVE-2022-46294 CVE-2022-46295
Moritz Mühlenhoff
jmm at inutil.org
Fri Dec 22 12:06:17 GMT 2023
Source: openbabel
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openbabel.
It's unclear if these were ever properly reported upstream/fixed,
could you please sync up with the upstream developers?
CVE-2022-37331[0]:
| An out-of-bounds write vulnerability exists in the Gaussian format
| orientation functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672
CVE-2022-41793[1]:
| An out-of-bounds write vulnerability exists in the CSR format title
| functionality of Open Babel 3.1.1 and master commit 530dbfa3. A
| specially crafted malformed file can lead to arbitrary code
| execution. An attacker can provide a malicious file to trigger this
| vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667
CVE-2022-42885[2]:
| A use of uninitialized pointer vulnerability exists in the GRO
| format res functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668
CVE-2022-43467[3]:
| An out-of-bounds write vulnerability exists in the PQS format
| coord_file functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671
CVE-2022-43607[4]:
| An out-of-bounds write vulnerability exists in the MOL2 format
| attribute and value functionality of Open Babel 3.1.1 and master
| commit 530dbfa3. A specially crafted malformed file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664
CVE-2022-44451[5]:
| A use of uninitialized pointer vulnerability exists in the MSI
| format atom functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669
CVE-2022-46280[6]:
| A use of uninitialized pointer vulnerability exists in the PQS
| format pFormat functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670
CVE-2022-46289[7]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. nAtoms calculation wrap-around, leading to a
| small buffer allocation
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
CVE-2022-46290[8]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. The loop that stores the coordinates does not
| check its index against nAtoms
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
CVE-2022-46291[9]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MSI file format
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46292[10]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Unit Cell Translation section
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46293[11]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Final Point and Derivatives section
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46294[12]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC Cartesian file
| format
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46295[13]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the Gaussian file format
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-37331
https://www.cve.org/CVERecord?id=CVE-2022-37331
[1] https://security-tracker.debian.org/tracker/CVE-2022-41793
https://www.cve.org/CVERecord?id=CVE-2022-41793
[2] https://security-tracker.debian.org/tracker/CVE-2022-42885
https://www.cve.org/CVERecord?id=CVE-2022-42885
[3] https://security-tracker.debian.org/tracker/CVE-2022-43467
https://www.cve.org/CVERecord?id=CVE-2022-43467
[4] https://security-tracker.debian.org/tracker/CVE-2022-43607
https://www.cve.org/CVERecord?id=CVE-2022-43607
[5] https://security-tracker.debian.org/tracker/CVE-2022-44451
https://www.cve.org/CVERecord?id=CVE-2022-44451
[6] https://security-tracker.debian.org/tracker/CVE-2022-46280
https://www.cve.org/CVERecord?id=CVE-2022-46280
[7] https://security-tracker.debian.org/tracker/CVE-2022-46289
https://www.cve.org/CVERecord?id=CVE-2022-46289
[8] https://security-tracker.debian.org/tracker/CVE-2022-46290
https://www.cve.org/CVERecord?id=CVE-2022-46290
[9] https://security-tracker.debian.org/tracker/CVE-2022-46291
https://www.cve.org/CVERecord?id=CVE-2022-46291
[10] https://security-tracker.debian.org/tracker/CVE-2022-46292
https://www.cve.org/CVERecord?id=CVE-2022-46292
[11] https://security-tracker.debian.org/tracker/CVE-2022-46293
https://www.cve.org/CVERecord?id=CVE-2022-46293
[12] https://security-tracker.debian.org/tracker/CVE-2022-46294
https://www.cve.org/CVERecord?id=CVE-2022-46294
[13] https://security-tracker.debian.org/tracker/CVE-2022-46295
https://www.cve.org/CVERecord?id=CVE-2022-46295
Please adjust the affected versions in the BTS as needed.
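The two ORCA defects quoted above for CVE-2022-46289 and CVE-2022-46290 (an nAtoms size calculation that wraps around into a small allocation, and a coordinate store loop that never compares its index against nAtoms) are the classic pair of checks a format reader needs. The following is an added, constructed example of the hardened pattern; it is not Open Babel's parser, and the block layout (a count line followed by `x y z` lines), the `parse_block`/`checked_coord_bytes` names and the `MAX_ATOMS` limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on atoms accepted; an assumed sanity limit, not a value from Open Babel. */
#define MAX_ATOMS 1000000u
typedef struct { size_t n_atoms; double *coords; /* exactly 3 * n_atoms doubles */ } atom_block;

/* Byte size of the coordinate buffer for n atoms, refusing any count whose
   multiplication would wrap around and yield a too-small allocation. */
static int checked_coord_bytes(size_t n_atoms, size_t *out)
{
    if (n_atoms > SIZE_MAX / (3 * sizeof(double)))
        return 0;
    *out = n_atoms * 3 * sizeof(double);
    return 1;
}

/* Parses a constructed block: a line with the atom count, then one "x y z" line
   per atom. Returns the number of atoms stored, or -1 if the block is rejected. */
long parse_block(const char *text, atom_block *blk)
{
    char *end;
    size_t bytes, i = 0;
    errno = 0;
    long long n = strtoll(text, &end, 10);
    if (errno == ERANGE || end == text || n < 0 || n > (long long)MAX_ATOMS)
        return -1;                        /* non-numeric, negative or absurd count */
    if (!checked_coord_bytes((size_t)n, &bytes))
        return -1;
    blk->n_atoms = (size_t)n;
    blk->coords = malloc(bytes ? bytes : 1);
    if (!blk->coords)
        return -1;
    const char *line = strchr(end, '\n');
    /* The store loop is bounded by n_atoms, not by how many lines the file offers. */
    while (line && i < blk->n_atoms) {
        double x, y, z;
        line++;
        if (sscanf(line, "%lf %lf %lf", &x, &y, &z) != 3)
            break;
        blk->coords[3 * i] = x; blk->coords[3 * i + 1] = y; blk->coords[3 * i + 2] = z;
        i++;
        line = strchr(line, '\n');
    }
    if (i != blk->n_atoms) {              /* truncated file: reject rather than keep garbage */
        free(blk->coords); blk->coords = NULL; blk->n_atoms = 0;
        return -1;
    }
    return (long)i;
}
```

A file that declares two atoms but carries three coordinate lines stores exactly two; a count that is negative, oversized or would overflow the allocation is refused before any buffer is touched.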