project-gemmi / gemmi

macromolecular crystallography library and utilities
https://project-gemmi.github.io/
Mozilla Public License 2.0

Vulnerability in `tinydir_file_open()`: buffer overflow #292

Closed merkys closed 6 months ago

merkys commented 6 months ago

Gemmi is affected by CVE-2023-49287 due to a buffer overflow in the embedded TinyDir library. This has been reported in Debian. The solution is to update TinyDir to at least v1.2.6.

wojdyr commented 6 months ago

Gemmi already uses TinyDir 1.2.6; I updated it 3 weeks ago in e142eff1, before releasing v0.6.4.

BTW, in the last release (0.6.4), if you want to install everything (program, library, Python bindings), it might be better to use `pip install .` with extra options to enable building the program and installing dev files. Otherwise the Python dist-info files don't get generated.

merkys commented 6 months ago

Thanks for confirming that this is already fixed. I will also look into installing Gemmi with pip install.