libsixel Security Overview (2018–2025) and Emergency Fix Plan

[saitoha]

📝 Preface

Over the past five years, while I (saitoha) have been absent, many contributors across the community have kept libsixel alive and evolving. In particular, the libsixel/libsixel fork has seen active maintenance, fixes, and improvements. I want to express my deep gratitude to everyone who has carried the project forward during this time.

This repository is now in the process of catching up and integrating those fixes and improvements. As part of that effort, we are also reviewing and addressing all reported CVEs listed below.

👉 Until every CVE in this list is resolved, the project is operating in a “hotfix / emergency mode”:

• each fix will be pushed incrementally to the master branch head,
• once all CVEs are closed out, a new release will be tagged as v1.8.7.

The tables below provide a complete overview of all security issues reported against libsixel (both runtime CVEs and development dependency alerts), their current status, and downstream impact.

---

🛡️ libsixel Security Overview (CVE + Dependabot)

All CVEs reported for libsixel (2018–2025, including stb_image leftovers)

CVE	Short Description	Fix Status (S = saitoha/libsixel / L = libsixel/libsixel fork)	S: Issues / PRs	L: Issues / PRs	Debian / Downstream Status	Notes
CVE-2025-9300 (NVD)	img2sixel: sixel_debug_print_palette stack/heap boundary error	S: ✅ fixed (316c086)	Issues: #200	–	Vulnerable (no DSA)	New in 2025; S fixed on master via #200 / 316c086; L archived.
CVE-2023-45661 (NVD)	stb_image: OOB memcpy read in stbi__gif_load_next (GIF)	S: ✅ Not Affected (stb ≥2.30 (vendored))	–	–	Vulnerable (libstb)	libsixel provides its own gif_load_next() and we have verified it is unaffected; historically, when stb_image.h lacked animated gif support, we moved the gif loader to src/fromgif.c and have maintained it independently.
CVE-2023-43898 (NVD)	stb_image: NULL deref in stbi__convert_format (PICT)	S: ✅ fixed (stb 2.28)	–	–	Vulnerable (libstb)
CVE-2022-29978 (NVD)	FPE in sixel_encoder_do_resize	S: ✅ fixed (07ab235) / L: 🟡 in progress	Issues: #166, #167	Issues: #60, #61, #63	Vulnerable (postponed/No-DSA)	Debian postponed.
CVE-2022-29977 (NVD)	Assertion failure in stb JPEG huffman decode (stb_image)	S: ✅ fixed (1c58a6e) / L: ✅ fixed (138b4ee)	Issues: #165, #159	Issues: #62 / PRs: #83	Vulnerable (postponed/No-DSA)	Debian postponed; L has #63.
CVE-2022-28042 (NVD)	stb_image: heap use-after-free in stbi__jpeg_huff_decode (v2.27)	S: ✅ fixed (stb 2.28)	–	–	Vulnerable (libstb)
CVE-2022-28041 (NVD)	stb_image: integer overflow in stbi__jpeg_decode_block_prog_dc (v2.27)	S: ✅ fixed (stb 2.28.)	–	–	Vulnerable (libstb)
CVE-2022-27046 (NVD)	Use-after-free in dither.c:388	S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67)	Issues: #157	Issues: #27 / PRs: #28	Fixed (bookworm+)	Fixed in L via #28; Debian fixed in bookworm+.
CVE-2022-27044 (NVD)	Buffer overflow in quant.c	S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc)	Issues: #172	Issues: #25 / PRs: #26	Fixed (bookworm+)	Debian marks fixed; L fixed in 1.10.x.
CVE-2021-46700 (NVD)	Double-free in sixel_encoder_output_without_macro	S: 🟡 can not reproduced in our side	Issues: #158	–	Vulnerable (no DSA)	—
CVE-2021-45340 (NVD)	stb_image: NULL deref (PICT)	S: ✅ fixed (stb 2.26) (1c58a6e) / L: ✅ fixed (138b4ee)	Issues: #160	Issues: #73, #51 / PRs: #52	Vulnerable (ignored)	Handled historically via stb bump to 2.26 in L.
CVE-2021-41715 (NVD)	Use-after-free in dither.c:379	S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67)	Issues: #157	Issues: #27 / PRs: #28	Fixed (bookworm+)	Fixed in libsixel/libsixel (archived 2025-02-12); backport to S as needed
CVE-2021-40656 (NVD)	Buffer overflow in quant.c:867 (<1.10)	S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc)	Issues: #156, #172	Issues: #25	Fixed (bookworm+)	—
CVE-2020-36120 (NVD)	Buffer overflow in sixel_encoder_encode_bytes	S: ✅ won't fix (user error).	Issues: #143	–	— (NVD only)	Tracked in NVD; Debian page may not list under libsixel.
CVE-2020-21677 (NVD)	Heap BOF in sixel_encoder_output_without_macro	S: ✅ fixed (0b1e0b3 / v1.8.5)	Issues: #123	–	Fixed	—
CVE-2020-21548 (NVD)	Heap BOF in sixel_encode_highcolor	S: ✅ fixed (9d0a7ff / v1.8.4)	Issues: #116	–	Fixed	—
CVE-2020-21547 (NVD)	Heap BOF in dither_func_fs	S: ✅ fixed (9d0a7ff / v1.8.4)	Issues: #114	–	Fixed	—
CVE-2020-21050 (NVD)	Stack BOF in GIF raster code	S: ✅ fixed (7808a06 / v1.8.3)	Issues: #75	–	Fixed	—
CVE-2020-21049 (NVD)	Invalid read in PSD handler (stb_image)	S: ✅ fixed (0b1e0b3 / v1.8.5)	Issues: #74	–	Fixed	—
CVE-2020-21048 (NVD)	DoS in dither.c	S: ✅ fixed (cb373ab / v1.8.4)	Issues: #73	–	Fixed	—
CVE-2020-19668 (NVD)	OOB access in fromgif.c: gif_out_code	S: ✅ fixed (f39d6da)	Issues: #136	–	Fixed	—
CVE-2020-11721 (NVD)	Free of uninitialized pointer in load_png	S: ✅ fixed (76b491d)	Issues: #134	–	Fixed	—
CVE-2019-20205 (NVD)	Integer overflow in sixel_frame_resize	S: ✅ fixed (5543354 / v1.8.5)	Issues: #127	–	Fixed	—
CVE-2019-20140 (NVD)	Heap BOF in gif_out_code	S: ✅ fixed (598c8c8 / v1.8.5)	Issues: #122	–	Fixed	—
CVE-2019-20094 (NVD)	Heap BOF in gif_init_frame	S: ✅ fixed (a18b378 / v1.8.5)	Issues: #125	–	Fixed	—
CVE-2019-20056 (NVD)	Assertion in vendored stb_image	S: ✅ fixed (814f831 / v1.8.5)	Issues: #126	–	Fixed	—
CVE-2019-20024 (NVD)	Heap BOF in image_buffer_resize	S: ✅ fixed (6367d2f / v1.8.4)	Issues: #121	–	Fixed (1.8.6-1)	—
CVE-2019-20023 (NVD)	Memory leak in image_buffer_resize	S: ✅ fixed (b9a4175 / v1.8.5)	Issues: #120	–	Fixed (1.8.6-1)	—
CVE-2019-20022 (NVD)	Invalid memory access in load_pnm	S: ✅ fixed (e17c076 / v1.8.3)	Issues: #108	–	Fixed	—
CVE-2019-19778 (NVD)	Heap over-read in load_sixel	S: ✅ fixed (614e761 / v1.8.3)	Issues: #110	–	Fixed	—
CVE-2019-19777 (NVD)	Heap over-read in vendored stb_image	S: ✅ fixed (d6e34fc / v1.8.3)	Issues: #109	–	Fixed	—
CVE-2019-19638 (NVD)	Integer overflow → heap BOF in load_pnm	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #102 / PRs: #106	–	Fixed	—
CVE-2019-19637 (NVD)	Integer overflow in sixel_decode_raw_impl	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #105 / PRs: #106	–	Fixed	—
CVE-2019-19636 (NVD)	Integer overflow in sixel_encode_body	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #104 / PRs: #106	–	Fixed	—
CVE-2019-19635 (NVD)	Heap BOF in sixel_decode_raw_impl	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #103 / PRs: #106	–	Fixed	—
CVE-2019-11024 (NVD)	Infinite recursion in load_pnm	S: ✅ fixed (b418f35 / v1.8.4)	Issues: #85	–	Fixed	—
CVE-2019-3574 (NVD)	Heap over-read in load_jpeg	S: ✅ fixed (614e761 / v1.8.3)	Issues: #83 / PRs: #95	–	Fixed	—
CVE-2019-3573 (NVD)	Infinite loop in sixel_decode_raw_impl	S: ✅ fixed (614e761 / v1.8.3)	Issues: #83 / PRs: #95	–	Fixed	—
CVE-2018-19763 (NVD)	Heap over-read in write_png_to_file (writer.c)	S: ✅ fixed (614e761 / v1.8.3)	Issues: #82 / PRs: #95	–	Fixed	—
CVE-2018-19762 (NVD)	Heap BOF in image_buffer_resize (fromsixel.c)	S: ✅ fixed (1af6800 / v1.8.3)	Issues: #81 / PRs: #92	–	Fixed	—
CVE-2018-19761 (NVD)	Invalid address access in sixel_decode_raw_impl	S: ✅ fixed (1377517 / v1.8.3)	Issues: #78, #105 / PRs: #106	–	Fixed	—
CVE-2018-19759 (NVD)	Heap over-read in stb_image_write	S: ✅ fixed (5f64fb1 / v1.8.3)	Issues: #77 / PRs: #98	–	Fixed	—
CVE-2018-19757 (NVD)	NULL deref in status.c	S: ✅ fixed (e903c93, a53c872 / v1.8.3)	Issues: #79 / PRs: #91, #94	–	Fixed	—
CVE-2018-19756 (NVD)	Heap over-read in vendored stb_image	S: ✅ fixed (v1.8.3)	Issues: #80 / PRs: #93	–	Fixed	—
CVE-2018-14073 (NVD)	Memory leak in allocator_new	S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2)	Issues: #67	–	Fixed	—
CVE-2018-14072 (NVD)	Multiple memory leaks in decoder_decode etc.	S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2)	Issues: #67	–	Fixed	—

---

Build/Dev Dependencies (Dependabot alerts)

Package	Vulnerability / Advisory	Fix Status	Notes
rake (Ruby)	Multiple CVEs reported across versions <13.0.6 (e.g. command injection vectors)	S: ❌ (alerts open) / Forks: ❌ (PR bhohbaum/libsixel#1 updates rake)	Affects only Ruby build tasks (gem extconf / test), not the C runtime library.
minitest (Ruby)	Dependabot sometimes flags outdated versions with DoS risk	S: ❌ (not updated recently)	Purely test dependency; no impact on production libsixel usage.
other gems (rdoc, rubocop, etc.)	Occasionally flagged as “moderate”	Status varies	All are dev/test-only.

---

Notes

• ✅ = fixed, ❌ = still open, 🟡 = uninvestigated / in progress.
• Debian switched from saitoha/libsixel to the fork (libsixel/libsixel) starting at 1.10.3-1.
• The fork itself is archived (2025-02-12), so new CVEs are no longer addressed there.
• The Dependabot alerts relate only to dev/test tooling (Ruby rake, minitest, etc.) and do not affect the runtime library, but they matter for GitHub’s security signals and downstream packaging.