SAMtools, BCFtools and HTSlib version 1.23.1 are now available from GitHub
and SourceForge.

This fixes crashes and other undefined behaviour that could happen when
reading malformed CRAM files, or reading malformed GZI indexes. Due to the
risk that these bugs could be exploited to take control of programs reading
such files, we strongly recommend upgrading to this version, especially when
processing data from untrusted sources.

These fixes have also been back-ported to HTSlib versions 1.21.1, 1.22.2;
SAMtools versions 1.21.1, 1.22.2; and BCFtools versions 1.21.1, 1.22.1.

https://github.com/samtools/htslib/releases/tag/1.23.1
https://github.com/samtools/samtools/releases/tag/1.23.1
https://github.com/samtools/bcftools/releases/tag/1.23.1
https://sourceforge.net/projects/samtools/

-------------------------------------------------------------------------
htslib - changes v1.23.1
-------------------------------------------------------------------------

Bug fixes
---------

* Fix a number of bugs in the CRAM decoder which could result in undefined
  behaviour on invalid inputs (PR #1981, PR #1991):
  - Not checking the amount of byte array len data returned matched the
    amount expected. (CVE-2026-31971)
  - Incorrect check for the length of byte array stop data. (CVE-2026-31969)
  - Invalid use of the varint and const codecs. (CVE-2026-31968)
  - Missing check for a valid reference ID. (CVE-2026-31965)
  - Missing check for a valid mate reference ID. (CVE-2026-31967)
  - Incomplete validation of CRAM feature locations. (CVE-2026-31965,
    CVE-2026-31966)
  - Bugs due to improper handling of records where no sequence or quality
    values were stored (CVE-2026-31962, CVE-2026-31964)

* Reject GZI indexes with impossibly-large item counts. (CVE-2026-31970)
  (PR #1978. Reported by Harrison Green)

* Prevent the wrong item count from being written to GZI indexes of empty
  files. (PR #1988. Reported by Matthieu Muffato)

* Fix invalid behaviour if kmemmem(), kstrstr() or kstrnstr() were called
  with a zero-length pattern, or if kstrstr() was given a very long input.
  Also ensure they can never fail by supplying a fallback algorithm that
  does not allocate any memory. (PR #1980. Reported by Harrison Green)

* Prevent redundant copies of hash keys in string pools. (PR #1982)

* Fix regressions in the S3 plugin which caused uploads to fail. (PR #1984)

* Disallow attempts to set the thread pool attached to an htsFile twice.
  (PR #1985)

Build Changes
-------------

* The htscodecs submodule is updated to v1.6.6. (PR #1989)

-------------------------------------------------------------------------
samtools - changes v1.23.1
-------------------------------------------------------------------------

Bug fixes:

* This release bundles HTSlib 1.23.1, which includes many important bug
  fixes. Please see htslib/NEWS for details.

* Fix incorrect variable expansion in seq_cache_populate.py
  (PR #2291. Thanks to Ruben Vorderman)

* Don't try to write out empty strings in threaded consensus pileup mode.
  (PR #2305)

* Wrap ctype.h functions to avoid array subscript warnings, and add casts
  to prevent sign extension where arrays are indexed with char values.
  (PR #2306)

* Make `samtools cram-size` exit cleanly instead of crashing if it reads
  an invalid CRAM header. (PR #2313)

Build changes:

* Reordered options for grep commands in tests so the input file is at
  the end. (PR #2311)

* Limit memory used by samtools sort in tests. (PR #2312)

-------------------------------------------------------------------------
bcftools - changes v1.23.1
-------------------------------------------------------------------------

Changes affecting the whole of bcftools, or multiple commands:

* This release bundles HTSlib 1.23.1, which includes many important bug
  fixes. Please see htslib/NEWS for details.

* Fix silent output truncation due to missing checks for read errors in
  the annotate, cnv, concat, convert, consensus, csq, filter, gtcheck,
  isec, merge, norm, query and stats commands; and all plugins. They will
  now print an error and return a non-zero exit code if an error is
  encountered when reading input data. (PR #2503)

_______________________________________________
Samtools-help mailing list
https://lists.sourceforge.net/lists/listinfo/samtools-help
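The GZI item-count fix listed above (CVE-2026-31970) concerns a class of check that any reader of a length-prefixed index needs. The following is an added example, not HTSlib's code and not the change made in PR #1978: it assumes the GZI layout given in the bgzip manual (a little-endian uint64 entry count followed by that many pairs of uint64 compressed and uncompressed offsets), and `gzi_entry`, `le64` and `gzi_parse` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint64_t caddr, uaddr; } gzi_entry;

/* Read a little-endian 64-bit value regardless of host byte order. */
static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Parse a GZI index held in buf[0..len). Returns 0 and sets *out and *n on
 * success, -1 if the index is malformed. The caller frees *out. */
int gzi_parse(const uint8_t *buf, size_t len, gzi_entry **out, uint64_t *n) {
    *out = NULL; *n = 0;
    if (len < 8) return -1;                 /* no room for the item count */
    uint64_t count = le64(buf);
    /* Bound the count by the bytes present. Dividing, instead of computing
     * count * 16, means a huge count cannot wrap the allocation size. */
    if (count > (len - 8) / 16) return -1;
    if (count == 0) return 0;
    gzi_entry *e = malloc((size_t)count * sizeof(*e));
    if (!e) return -1;
    for (uint64_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + (size_t)i * 16;
        e[i].caddr = le64(p);
        e[i].uaddr = le64(p + 8);
        /* Extra sanity check chosen for this example: block offsets ascend. */
        if (i > 0 && (e[i].caddr <= e[i-1].caddr || e[i].uaddr < e[i-1].uaddr)) {
            free(e);
            return -1;
        }
    }
    *out = e; *n = count;
    return 0;
}

int main(void) {
    /* Constructed input: count 0x1000000000000001, for which count * 16
     * wraps to 16, followed by a single 16-byte entry. */
    uint8_t bad[24] = {0};
    bad[0] = 0x01; bad[7] = 0x10;
    gzi_entry *e; uint64_t n;
    printf("wrapping count: %s\n", gzi_parse(bad, sizeof bad, &e, &n) ? "rejected" : "accepted");
    return 0;
}
```

A check written as `8 + count * 16 <= len` would accept the constructed input in `main`, because the multiplication wraps; comparing the count against `(len - 8) / 16` does not.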
