Source: zbar
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for zbar.

CVE-2023-40889[0]:
| A heap-based buffer overflow exists in the qr_reader_match_centers
| function of ZBar 0.23.90. Specially crafted QR codes may lead to
| information disclosure and/or arbitrary code execution. To trigger
| this vulnerability, an attacker can digitally input the malicious QR
| code, or prepare it to be physically scanned by the vulnerable
| scanner.

https://hackmd.io/@cspl/B1ZkFZv23

CVE-2023-40890[1]:
| A stack-based buffer overflow vulnerability exists in the
| lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes
| may lead to information disclosure and/or arbitrary code execution.
| To trigger this vulnerability, an attacker can digitally input the
| malicious QR code, or prepare it to be physically scanned by the
| vulnerable scanner.

https://hackmd.io/@cspl/H1PxPAUnn

It is unclear if these were reported upstream; could you please sync up
with them?

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40889
    https://www.cve.org/CVERecord?id=CVE-2023-40889
[1] https://security-tracker.debian.org/tracker/CVE-2023-40890
    https://www.cve.org/CVERecord?id=CVE-2023-40890

Please adjust the affected versions in the BTS as needed.