CVE-2023-40889

Name
CVE-2023-40889
Description
A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
NVD Severity
unknown
Forges
GitHub (code, issues), Aports (code, issues)

References

Type: MISC
URI: https://hackmd.io/@cspl/B1ZkFZv23

Type: MISC
URI: https://hackmd.io/%40cspl/B1ZkFZv23

Type: cve@mitre.org
URI: https://lists.debian.org/debian-lts-announce/2023/12/msg00001.html

Type: cve@mitre.org
URI: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25LZZQJGGZRPLKTRNRNOTAFQJIPS7WRP/

Type: cve@mitre.org
URI: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DC7V5YCLCPB36J2KY6WLZCABFLBRB665/

Match rules

CPE URI: cpe:2.3:a:zbar_project:zbar:0.23.90:*:*:*:*:*:*:*
Source package: zbar
Min version: == None
Max version: == 0.23.90

Vulnerable and fixed packages

Source package: zbar
Branch: 3.19-community
Version: 0.23.93-r0
Maintainer: Diego Queiroz <diego.queiroz@gmail.com>
Status: fixed