samtools / htslib

C library for high-throughput sequencing data formats

Snyk Security Scan Failure: Vulnerabilities Detected in samtools/htslib@1.20 #1776

Status: Closed (closed by superbsky 5 months ago)

superbsky commented 5 months ago

Issue Details:

We've encountered critical security issues during our latest Snyk security scan that are preventing our CI/CD pipeline from publishing a new version. Below are the details of the vulnerabilities found:

1. [High Severity] Out-of-bounds Write
   - Vulnerability Info: An out-of-bounds write issue has been detected.
   - Introduced Through: samtools/htslib@1.20
   - Snyk Vulnerability URL: SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369382

2. [Critical Severity] Out-of-Bounds
   - Vulnerability Info: A critical out-of-bounds issue has been identified.
   - Introduced Through: samtools/htslib@1.20
   - Snyk Vulnerability URL: SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369380

Impact:

These vulnerabilities need immediate attention as they pose significant security risks and are blocking the automated publishing of a new version.

Action Requested:

We request the maintainers to look into these vulnerabilities and provide patches or updates to mitigate the risks. Additionally, community input on temporary or long-term solutions would be highly appreciated.

jkbonfield commented 5 months ago

Your first issue refers to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097, which was discovered in htslib 1.10 and fixed in #1104 within a few days of being reported (in 2020).

The second issue refers to https://github.com/samtools/htslib/issues/731#issuecomment-403681105 from 2018, which was also promptly fixed.

This SNYK issue is therefore bad misinformation :(. If you can demonstrate the current release has problems then please provide us with test cases and we will be happy to fix them. Until then, I am closing this as an incorrect security report.

PS. I have attempted to contact SNYK to get them to remove these false security claims.
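The check a practitioner wants before re-raising a scanner finding like the two above is the one the maintainer applied: compare the version the scanner flagged against the first release that contains the fix. The script below is an added example, not part of this issue thread, of the Snyk tool, or of the htslib project. The findings list reuses the two Snyk IDs quoted above at htslib 1.20, but the fixed-in versions in `FIXED_IN` are assumptions for illustration only (the thread says only that the bugs were fixed in 2020 and 2018); in practice they must be taken from the project's changelog or `git tag --contains <fix-commit>`. It also shows why version strings must be compared numerically: as plain strings `"1.9"` sorts after `"1.10"`, which is exactly the kind of mistake that makes an old, fixed bug look present in a newer release.

```python
"""Triage scanner findings against the release in which each issue was fixed.

Added example; not code from the htslib project or from Snyk.
All findings and fixed-in versions below are CONSTRUCTED / ASSUMED for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    vuln_id: str
    package: str
    version: str  # the version the scanner says the issue was "introduced through"


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2). Numeric tuples compare correctly; raw strings do not."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def version_at_least(have: str, need: str) -> bool:
    """True if `have` >= `need`, padding with zeros so '1.10' == '1.10.0'."""
    a, b = parse_version(have), parse_version(need)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def verdict(finding: Finding, fixed_in: Dict[str, str]) -> str:
    """'fixed'    : scanned version already contains the fix (finding is a false positive)
       'affected' : scanned version predates the fix
       'unknown'  : no fix record for this ID; needs manual triage, not automatic dismissal"""
    fix = fixed_in.get(finding.vuln_id)
    if fix is None:
        return "unknown"
    return "fixed" if version_at_least(finding.version, fix) else "affected"


def triage(findings: List[Finding], fixed_in: Dict[str, str]) -> Dict[str, str]:
    """Map each finding ID to its verdict."""
    return {f.vuln_id: verdict(f, fixed_in) for f in findings}


# CONSTRUCTED findings: the two IDs from the issue, as reported against htslib 1.20,
# plus one hypothetical ID with no fix record to show the 'unknown' path.
FINDINGS = [
    Finding("SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369382", "samtools/htslib", "1.20"),
    Finding("SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369380", "samtools/htslib", "1.20"),
    Finding("HYPOTHETICAL-ID-0000", "samtools/htslib", "1.20"),
]

# ASSUMED fixed-in releases for illustration only; read the real ones from the changelog.
FIXED_IN = {
    "SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369382": "1.11",
    "SNYK-UNMANAGED-SAMTOOLSHTSLIB-2369380": "1.9",
}

if __name__ == "__main__":
    for vid, result in triage(FINDINGS, FIXED_IN).items():
        print(f"{vid}: {result}")
```

A `fixed` verdict is grounds to mark the finding a false positive in the scanner's policy and to tell the vendor; `unknown` is grounds for a maintainer report with a reproducer, as requested in the reply above, never for silently ignoring it.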