numerous vulnerabilities reported by cisco TALOS

[ajakk]

Hi, a number of CVEs have been issued against openbabel by Cisco's security research unit:

• CVE-2022-37331
• CVE-2022-41793
• CVE-2022-42885
• CVE-2022-43467
• CVE-2022-43607
• CVE-2022-44451
• CVE-2022-46280
• CVE-2022-46289
• CVE-2022-46290
• CVE-2022-46291
• CVE-2022-46292
• CVE-2022-46293
• CVE-2022-46294
• CVE-2022-46295
  With these advisories:
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665

Did Cisco ever contact this repository's owners about these vulnerabilities? Are they valid? Are any fixed?

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[ghutchis]

Cisco contacted me with a short window to fix these. Considering openbabel is used primarily in informatics, I'm not sure what some of these vulnerabilities get you.

You craft a specific Gaussian output file that allows you to hijack the obabel process. And do what, exactly? Execute something as the current user?

I don't want to downplay these - they're definitely bugs and should be fixed before the next release. But obabel is also a cheminformatics library, not generally facing an open network.

[baoilleach]

I guess a potential attack vector would be If someone were running a publicly exposed webapp that did conversions, and an attacker combined it with a privilege escalation vulnerability, they would have control of the server.

[mbanck]

This has been brought up by the Debian security team as well: https://bugs.debian.org/1059277