There are 5 open security issues in bookworm.
4 issues left for the package maintainer to handle:
- CVE-2025-9300:
(needs triaging)
A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified as 316c086e79d66b62c0c4bc66229ee894e4fdb7d1. Applying a patch is advised to resolve this issue.
- CVE-2021-46700:
(needs triaging)
In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.
- CVE-2022-29977:
(postponed; to be fixed through a stable update)
There is an assertion failure error in stbi__jpeg_huff_decode, stb_image.h:1894 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
- CVE-2022-29978:
(postponed; to be fixed through a stable update)
There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
You can find information about how to handle these issues in the security team's documentation.
1 ignored issue:
- CVE-2021-45340:
In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/libs/libsixel.png){kind=link}