CVE-2023-45662: 
Linux Debian vulnerability analysis and mitigation

stb_image is a single file MIT licensed library for processing images. The vulnerability (CVE-2023-45662) was discovered in version 2.28, affecting the image vertical flipping functionality. When stbi_set_flip_vertically_on_load is set to TRUE and req_comp is set to a number that doesn't match the real number of components per pixel, the library attempts to flip the image vertically, which can lead to security issues (GitHub Advisory).

The vulnerability occurs in the stbi__vertical_flip function where a crafted image file can trigger memcpy out-of-bounds read because bytes_per_pixel used to calculate bytes_per_row doesn't match the real image array dimensions. The issue has been assigned a CVSS v3.1 Base Score of 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) by NVD, while GitHub assessed it as 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) (NVD).

This vulnerability may be used to leak internal memory allocation information through out-of-bounds read operations. The issue affects the image processing capabilities of applications using the stb_image library, potentially exposing sensitive information from memory (GitHub Advisory).

The vulnerability has been fixed in newer versions of the library. Fedora has released security updates for versions 37, 38, and 39 that address this vulnerability along with several other security issues. Users are advised to update to the patched version 0^20231011gitbeebb24-12 (Fedora Update).