CVE-2023-45663

CVE-2023-45663

Name

CVE-2023-45663

Description

stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L5936C10-L5936C20
MISC	https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L7221
MISC	https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1664
MISC	https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/

Type

URI

MISC

https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L5936C10-L5936C20

MISC

https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L7221

MISC

https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_image.h#L1664

MISC

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVQ7ONFH5GWLMXYEAJG32A3EUKUCEVCR/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVABVF4GEM6BYD5L4L64RCRSXUHY6LGN/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMXKOKPP4BKTNUTF5KSRDQAWOUILQZNO/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nothings:stb_image.h:2.28:::::::*`	stb_image.h	== None	== 2.28

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nothings:stb_image.h:2.28:*:*:*:*:*:*:*

stb_image.h

== None

== 2.28

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
stb	edge-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed
stb	3.23-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed
stb	3.22-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed
stb	3.21-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed
stb	3.20-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed
stb	3.19-community	0_git20231012-r0	Simon Zeni <simon@bl4ckb0ne.ca>	fixed

Source package

Branch

Version

Maintainer

Status

stb

edge-community

0_git20231012-r0

Simon Zeni <simon@bl4ckb0ne.ca>

fixed

stb

3.23-community