CVE-2022-46291: 
Linux Debian vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in Open Babel 3.1.1 and master commit 530dbfa3. This vulnerability (CVE-2022-46291) specifically affects the MSI file format. A specially-crafted malformed file can lead to arbitrary code execution when processed by the affected software (Talos Report).

The vulnerability exists in the MSI PeriodicType functionality where the translationVectors parsing can lead to an out-of-bounds write condition. The issue occurs when processing the 'PeriodicType' string in the MSI format, where the numTranslationVectors index can increase arbitrarily without proper bounds checking, eventually leading to writing beyond the allocated buffer space. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST NVD with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Talos assigned it a score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to arbitrary code execution on the affected system when a maliciously crafted file is processed. Given that Open Babel is used in various chemistry and research settings, including online chemical format converters and molecule viewers, the potential impact is significant as it could be accessible via network (Talos Blog).

As of the disclosure date, no official fix has been released by the vendor. The maintainer of Open Babel did not release a patch during the 90-day window specified in Cisco's coordinated vulnerability disclosure policy (Talos Report).

The vulnerability was publicly disclosed by Cisco Talos on July 21, 2023, after the vendor declined to release an update within the 90-day period as outlined in Cisco's vulnerability disclosure policy. The issue remains unpatched in multiple distributions including Debian's bullseye, bookworm, and sid releases (Debian Tracker).