CVE-2023-45675: 
Linux Debian vulnerability analysis and mitigation

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A vulnerability identified as CVE-2023-45675 was discovered that could lead to an out-of-bounds write vulnerability. The issue was discovered in version 1.22 and was publicly disclosed in October 2023 (NVD, GitHub Advisory).

The vulnerability occurs in the start_decoder function where if the len value read is -1, and len + 1 becomes 0 when passed to setup_malloc, an out-of-bounds write can occur at f->vendor[len] = (char)'\0'. The setup_malloc function behaves differently when f->alloc.alloc_buffer is pre-allocated - instead of returning NULL as in malloc case, it shifts the pre-allocated buffer by zero and returns the currently available memory block. The vulnerability has received a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

This vulnerability may lead to code execution if successfully exploited. The out-of-bounds write condition could allow an attacker to manipulate memory outside the intended buffer space, potentially leading to arbitrary code execution (GitHub Advisory).

The vulnerability has been patched in newer versions of the software. Fedora has released security updates for versions 37, 38, and 39 that include fixes for this vulnerability. Users are advised to update to the patched versions (Fedora Update).