Control: forwarded -1 https://github.com/mchehab/zbar/issues/263
On Mon, 11 Sep 2023 21:15:17 +0200 Moritz Mühlenhoff <j...@inutil.org> wrote:
> Source: zbar
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for zbar.
>
> CVE-2023-40889[0]:
> | A heap-based buffer overflow exists in the qr_reader_match_centers
> | function of ZBar 0.23.90. Specially crafted QR codes may lead to
> | information disclosure and/or arbitrary code execution. To trigger
> | this vulnerability, an attacker can digitally input the malicious QR
> | code, or prepare it to be physically scanned by the vulnerable
> | scanner.
>
> https://hackmd.io/@cspl/B1ZkFZv23
>
> CVE-2023-40890[1]:
> | A stack-based buffer overflow vulnerability exists in the
> | lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes
> | may lead to information disclosure and/or arbitrary code execution.
> | To trigger this vulnerability, an attacker can digitally input the
> | malicious QR code, or prepare it to be physically scanned by the
> | vulnerable scanner.
>
> https://hackmd.io/@cspl/H1PxPAUnn
>
> It is unclear if these were reported upstream, could you please sync
> up with them?

Upstream bug report marked in the Forwarded: field.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-40889
>     https://www.cve.org/CVERecord?id=CVE-2023-40889
> [1] https://security-tracker.debian.org/tracker/CVE-2023-40890
>     https://www.cve.org/CVERecord?id=CVE-2023-40890
>
> Please adjust the affected versions in the BTS as needed.

Currently it is unclear what all the affected versions are, so I will leave this part as-is for now.

Thanks,
Boyuan Yang
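The report above asks the maintainer to cite the CVE ids in the changelog entry that fixes them, which is what the Debian security tracker keys on. The following script is an added example (not part of this bug report, and not a Debian or zbar tool): it parses a debian/changelog, reports the oldest version whose entry cites each CVE, and lists advisory CVEs that no entry mentions. The embedded changelog is constructed for the example; its versions, dates and maintainer address are placeholders, not the real zbar packaging history.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample debian/changelog for the example. Versions, dates and the
# maintainer address are placeholders, not the real zbar packaging history.
SAMPLE_CHANGELOG = """\
zbar (0.23.90-2) unstable; urgency=medium

  * Fix CVE-2023-40889: heap-based buffer overflow in qr_reader_match_centers.
  * Fix CVE-2023-40890: stack-based buffer overflow in lookup_sequence.

 -- Example Maintainer <maintainer@example.org>  Tue, 12 Sep 2023 09:00:00 +0200

zbar (0.23.90-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 01 May 2023 09:00:00 +0200
"""

# CVE ids quoted in the bug report above.
ADVISORY_CVES = ["CVE-2023-40889", "CVE-2023-40890"]

# First line of a changelog entry: "<source> (<version>) <dist>; urgency=<u>".
ENTRY_HEADER = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) ", re.M
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text: str) -> List[Tuple[str, str]]:
    """Return (version, entry_body) pairs, newest entry first."""
    heads = list(ENTRY_HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((m.group("version"), text[m.end():end]))
    return entries


def cve_fix_versions(text: str) -> Dict[str, str]:
    """Map each CVE id cited in the changelog to the oldest version citing it.

    Entries are walked newest first and later (older) hits overwrite earlier
    ones, so the value left for each id is the oldest version that names it,
    which is the 'fixed in' version the security tracker wants.
    """
    fixed: Dict[str, str] = {}
    for version, body in parse_changelog(text):
        for cve in set(CVE_RE.findall(body)):
            fixed[cve] = version
    return fixed


def missing_cves(text: str, expected: Iterable[str]) -> List[str]:
    """Advisory CVE ids that no changelog entry references at all."""
    present = cve_fix_versions(text)
    return sorted(c for c in expected if c not in present)


if __name__ == "__main__":
    for cve, version in sorted(cve_fix_versions(SAMPLE_CHANGELOG).items()):
        print(f"{cve} first cited in {version}")
    for cve in missing_cves(SAMPLE_CHANGELOG, ADVISORY_CVES):
        print(f"WARNING: {cve} not referenced in any changelog entry")
```

Run it against a real debian/changelog by replacing SAMPLE_CHANGELOG with the file contents; a non-empty missing_cves result means the upload would not be picked up by the tracker for that CVE.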