Bug 2358142 (CVE-2025-3407)

Summary: CVE-2025-3407 stb: Nothings stb out-of-bounds read
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: code
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in stb. This vulnerability allows an out-of-bounds read via manipulation of the h_count or v_count arguments.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2358148, 2358149, 2358153, 2358150, 2358151, 2358152    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-08 05:01:57 UTC 
A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read. The attack can be launched remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Comment 2 Ben Beasley 2025-04-08 10:42:58 UTC 
https://nvd.nist.gov/vuln/detail/CVE-2025-3407

The disclosure contains very little information and no suggested fix.

The values h_count and v_count are not arguments to stbhw_build_tileset_from_image, but local variables. They are produced by stbhw__get_template_info as output parameters based on the contents of an stbhw_config structure, particularly on the num_color array, which is clearly populated based on header data from the image being processed. So it makes sense to believe that a crafted untrusted image might be able to cause an out-of-bounds read.

However, the details of how these values are obtained and used are complicated, and no suggested fix or mitigation is currently available, so I’m not planning to attempt a downstream fix. I will monitor https://github.com/nothings/stb/issues/1769 and apply a sensible-looking patch if one appears.

In general, upstream has not appeared very interested in security-related reports. Even when straightforward fixes have been available, PR’s have been merged slowly and irregularly. I would therefore expect that there will not be quick upstream action, and any candidate fix would come from the community.