MC-266313STB Crashes With Remote Code Execution Potential
Github recently posted a bunch of vulns in the STB library ( https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ ) and I went through and tested them all.
The only ones that triggered a crash for me where
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/#issue-12-attempt-to-free-an-uninitialized-memory-pointer-in-vorbis_deinit-ghsl-2023-169
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/#issue-13-null-pointer-dereference-in-vorbis_deinit-ghsl-2023-170
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/#issue-14-out-of-bounds-heap-buffer-write-ghsl-2023-171
Some of these have RCE potential, with server resource packs and people generally trusting resource packs this is pretty major if it can be weaponized.
One of the STB image issues resulted in a DOS from an exception being thrown in Java code about an image being 0 pixels wide, but this seems to be outside of the scope of the GH issues. This appears to be an error in MC error handling as the game gets stuck in asset loading forever.
None of these seem to affect skins/server icons, but it would be a good idea to double check these.
I have attached the OGG files for this as a resource pack, they are copied and pasted from the GH page but you may not want to trust it given the severity of this issue.
2023-11-02, 02:37 PM
2024-04-11, 12:55 PM
2024-04-11, 12:55 PM
3
5