Bug 2358138 (CVE-2025-3409) - CVE-2025-3409 stb: Nothings stb stack-based overflow
Summary: CVE-2025-3409 stb: Nothings stb stack-based overflow
Keywords:
Status: NEW
Alias: CVE-2025-3409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2358165 2358166 2358167 2358168 2358169 2358170
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-08 05:01 UTC by OSIDB Bzimport
Modified: 2025-04-08 17:53 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-04-08 05:01:47 UTC 
A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Comment 2 Ben Beasley 2025-04-08 11:00:36 UTC 
The vulnerability report contains little detail. However, the function stb_include_string appears in the stb_include.h library. Significant concerns were noted with the design of this library during package review, so we have never shipped a copy of it:

- It uses strcat/strcpy into a fixed-length buffer that is assumed (but not proven) to be large enough for all possible uses
- It ignores I/O errors (possibly leading to undefined behavior from reading uninitialized memory), and so on.

Since we don’t ship stb_include, we can’t be affected.
Note You need to log in before you can comment on or make changes to this bug.