v1.8.7 security update

[saitoha]

First, my apologies for letting the project stagnate for so long, and my thanks to everyone on the libsixel/libsixel project who continued to deliver security fixes and improvements during my absence.

This repository (saitoha/libsixel) does not yet incorporate everything from libsixel/libsixel. In particular, I am still evaluating whether to adopt Meson for the build system. Reasons include: I currently have no Meson expertise; importing it as-is would eliminate a large number of #ifdefs and likely reduce portability; and I am considering a future port to OpenVMS. I know many people dislike GNU Autotools, so I will keep revisiting the build system choice. The slow ./configure on Windows is a major pain point, but predefining CONFIG_SITE should mitigate it substantially.

On security fixes, my understanding is that the majority are already addressed. A summary of overall progress appears further below in this post. We deferred CVE-2021-46700 (#158), which we have not been able to reproduce, as well as certain Dependabot alerts that appear to have limited impact, for a later release.

📢 What's New in libsixel-1.8.7

• fix invalid pointer access in encoder.c (Invalid Pointer Access in encoder.c #193, Fix segfault caused by uninitialized dither #195)
  Thanks to @momo-trip, @akinomyoga

• fix wrong HLS to RGB conversion. (HLS to RGB conversion is incorrect. #191)
  Thanks to @gnachman, @j4james

• fix NULL pointer dereference problem in img2sixel.c (NULL Pointer Dereference in img2sixel.c #192)
  Thanks to @momo-trip, @akinomyoga

• fix double free problem in encoder.c (Double Free in encoder.c #194)
  Thanks to @momo-trip

• Serucity fix for LibSixel img2sixel Heap Buffer Overflow in Debug Palette Function #200, heap buffer overflow in debug palette function.
  Thanks to @err2zero

• add EXTRA_DIST for LICENSE files (add EXTRA_DIST for LICENSE files #129)
  Thanks to @ttdoda

• Travis-ci: added support for ppc64le (Travis-ci: added support for ppc64le #140)
  Thanks to @dthadi3

• export sixel_allocator_new to dll (export sixel_allocator_new to dll #151)
  Thanks to @johnnychen94

• README: Add Idris 2 language bindings (Add Idris 2 language bindings #155)
  Thanks to @Kaiepi

• performance: If width and height are unchanged, nothing to do. (sixel_frame_resize(): If width and height are unchanged, nothing to do. #170)
  Thanks to @rokuyama

• README: add MacPorts to install options (README.md: add MacPorts to install options #183)
  Thanks to @barracuda156

• fix for bash completion (Replace have with command in bash completion #189)
  Thanks to @rcorre

• Add backport feature (nanosleep) for windows, github actions CI (backport Feature/update ci for windows  #202)
  Thanks to @Kreijstal

• README: update NixOS link (Update NixOS link for libsixel in README #204)
  Thanks to @max-amb

• build: Remove override of $LIBJPEG_CFLAGS and $LIBJPEG_LIBS set by PKG_CHECK_MODULES()

• fix Problems with the dithering palette calculation (Problems with the dithering palette calculation #188)
  Thanks to @gnachman, @j4james

• fix SEGV error in sixel_encoder_setopt (SEGV error in sixel_encoder_setopt #174)
  Thanks to @shinibufa , @j4james

• curl: send original UserAgent header: "libsixel/${LIBSIXEL_VERSION}"

• fix heap-buffer-overflow in error_diffuse, quant.c:876 heap-buffer-overflow in error_diffuse, quant.c:876, different from #156 #172
  Thanks to @waugustus

• fix Heap-buffer-overflow in scale.c:214 Heap-buffer-overflow in scale.c:214 #179
  Thanks to @chameleon10712, @j4james

• build: fallback support for environments without pkg-config.

• fix double-free problem in loader.c (Attempting free on address which was not malloc() #150)
  Thanks to @duytai, @ctrlcctrlv

• fix an assertion issue in stbi__create_png_image_raw ([BUG] a reachable assert in stbi__create_png_image_raw #163)
  Thanks to @kdsjZh, @dankamongmen

• Update stb_image.h from upstream to version 2.30
  THanks to @hzeller

• Update examples/drawing: add SGR-Pixels mode

• fix a problem on monochromatic encoded (-e) output (img2sixel: First column missing for monochromatic encoded (-e) output #112)
  Thanks to @interkosmos, @j4james

• fix a FPE issue (FPE in sixel_encoder_do_resize, encoder.c:633 #166, FPE in sixel_encoder_do_resize, encoder.c:636 #167)
  Thanks to @waugustus, @j4james

• cli: fix a scaling issue introduced in v1.6.1, which is caused
  when one of -w/-h is a percentage and the other is unset or "auto"

• fix a memory leak ploblem (Memory leak in sixel_encoder_encode_bytes #164)
  Thanks to @muetzenmann, @j4james

🛡️ libsixel Security Overview (CVE + Dependabot)

All CVEs reported for libsixel (2018–2025, including stb_image leftovers)

CVE	Short Description	Fix Status (S = saitoha/libsixel / L = libsixel/libsixel fork)	S: Issues / PRs	L: Issues / PRs	Debian / Downstream Status	Notes
CVE-2025-9300 (NVD)	img2sixel: sixel_debug_print_palette stack/heap boundary error	S: ✅ fixed (316c086)	Issues: #200	–	Vulnerable (no DSA)	New in 2025; S fixed on master via #200 / 316c086; L archived.
CVE-2023-45661 (NVD)	stb_image: OOB memcpy read in stbi__gif_load_next (GIF)	S: ✅ Not Affected (stb ≥2.30 (vendored))	–	–	Vulnerable (libstb)	libsixel provides its own gif_load_next() and we have verified it is unaffected; historically, when stb_image.h lacked animated gif support, we moved the gif loader to src/fromgif.c and have maintained it independently.
CVE-2023-43898 (NVD)	stb_image: NULL deref in stbi__convert_format (PICT)	S: ✅ fixed (stb 2.28)	–	–	Vulnerable (libstb)
CVE-2022-29978 (NVD)	FPE in sixel_encoder_do_resize	S: ✅ fixed (07ab235) / L: 🟡 in progress	Issues: #166, #167	Issues: #60, #61, #63	Vulnerable (postponed/No-DSA)	Debian postponed.
CVE-2022-29977 (NVD)	Assertion failure in stb JPEG huffman decode (stb_image)	S: ✅ fixed (1c58a6e) / L: ✅ fixed (138b4ee)	Issues: #165, #159	Issues: #62 / PRs: #83	Vulnerable (postponed/No-DSA)	Debian postponed; L has #63.
CVE-2022-28042 (NVD)	stb_image: heap use-after-free in stbi__jpeg_huff_decode (v2.27)	S: ✅ fixed (stb 2.28)	–	–	Vulnerable (libstb)
CVE-2022-28041 (NVD)	stb_image: integer overflow in stbi__jpeg_decode_block_prog_dc (v2.27)	S: ✅ fixed (stb 2.28.)	–	–	Vulnerable (libstb)
CVE-2022-27046 (NVD)	Use-after-free in dither.c:388	S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67)	Issues: #157	Issues: #27 / PRs: #28	Fixed (bookworm+)	Fixed in L via #28; Debian fixed in bookworm+.
CVE-2022-27044 (NVD)	Buffer overflow in quant.c	S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc)	Issues: #172	Issues: #25 / PRs: #26	Fixed (bookworm+)	Debian marks fixed; L fixed in 1.10.x.
CVE-2021-46700 (NVD)	Double-free in sixel_encoder_output_without_macro	S: 🟡 can not reproduced in our side	Issues: #158	–	Vulnerable (no DSA)	—
CVE-2021-45340 (NVD)	stb_image: NULL deref (PICT)	S: ✅ fixed (stb 2.26) (1c58a6e) / L: ✅ fixed (138b4ee)	Issues: #160	Issues: #73, #51 / PRs: #52	Vulnerable (ignored)	Handled historically via stb bump to 2.26 in L.
CVE-2021-41715 (NVD)	Use-after-free in dither.c:379	S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67)	Issues: #157	Issues: #27 / PRs: #28	Fixed (bookworm+)	Fixed in libsixel/libsixel (archived 2025-02-12); backport to S as needed
CVE-2021-40656 (NVD)	Buffer overflow in quant.c:867 (<1.10)	S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc)	Issues: #156, #172	Issues: #25	Fixed (bookworm+)	—
CVE-2020-36120 (NVD)	Buffer overflow in sixel_encoder_encode_bytes	S: ✅ won't fix (user error).	Issues: #143	–	— (NVD only)	Tracked in NVD; Debian page may not list under libsixel.
CVE-2020-21677 (NVD)	Heap BOF in sixel_encoder_output_without_macro	S: ✅ fixed (0b1e0b3 / v1.8.5)	Issues: #123	–	Fixed	—
CVE-2020-21548 (NVD)	Heap BOF in sixel_encode_highcolor	S: ✅ fixed (9d0a7ff / v1.8.4)	Issues: #116	–	Fixed	—
CVE-2020-21547 (NVD)	Heap BOF in dither_func_fs	S: ✅ fixed (9d0a7ff / v1.8.4)	Issues: #114	–	Fixed	—
CVE-2020-21050 (NVD)	Stack BOF in GIF raster code	S: ✅ fixed (7808a06 / v1.8.3)	Issues: #75	–	Fixed	—
CVE-2020-21049 (NVD)	Invalid read in PSD handler (stb_image)	S: ✅ fixed (0b1e0b3 / v1.8.5)	Issues: #74	–	Fixed	—
CVE-2020-21048 (NVD)	DoS in dither.c	S: ✅ fixed (cb373ab / v1.8.4)	Issues: #73	–	Fixed	—
CVE-2020-19668 (NVD)	OOB access in fromgif.c: gif_out_code	S: ✅ fixed (f39d6da)	Issues: #136	–	Fixed	—
CVE-2020-11721 (NVD)	Free of uninitialized pointer in load_png	S: ✅ fixed (76b491d)	Issues: #134	–	Fixed	—
CVE-2019-20205 (NVD)	Integer overflow in sixel_frame_resize	S: ✅ fixed (5543354 / v1.8.5)	Issues: #127	–	Fixed	—
CVE-2019-20140 (NVD)	Heap BOF in gif_out_code	S: ✅ fixed (598c8c8 / v1.8.5)	Issues: #122	–	Fixed	—
CVE-2019-20094 (NVD)	Heap BOF in gif_init_frame	S: ✅ fixed (a18b378 / v1.8.5)	Issues: #125	–	Fixed	—
CVE-2019-20056 (NVD)	Assertion in vendored stb_image	S: ✅ fixed (814f831 / v1.8.5)	Issues: #126	–	Fixed	—
CVE-2019-20024 (NVD)	Heap BOF in image_buffer_resize	S: ✅ fixed (6367d2f / v1.8.4)	Issues: #121	–	Fixed (1.8.6-1)	—
CVE-2019-20023 (NVD)	Memory leak in image_buffer_resize	S: ✅ fixed (b9a4175 / v1.8.5)	Issues: #120	–	Fixed (1.8.6-1)	—
CVE-2019-20022 (NVD)	Invalid memory access in load_pnm	S: ✅ fixed (e17c076 / v1.8.3)	Issues: #108	–	Fixed	—
CVE-2019-19778 (NVD)	Heap over-read in load_sixel	S: ✅ fixed (614e761 / v1.8.3)	Issues: #110	–	Fixed	—
CVE-2019-19777 (NVD)	Heap over-read in vendored stb_image	S: ✅ fixed (d6e34fc / v1.8.3)	Issues: #109	–	Fixed	—
CVE-2019-19638 (NVD)	Integer overflow → heap BOF in load_pnm	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #102 / PRs: #106	–	Fixed	—
CVE-2019-19637 (NVD)	Integer overflow in sixel_decode_raw_impl	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #105 / PRs: #106	–	Fixed	—
CVE-2019-19636 (NVD)	Integer overflow in sixel_encode_body	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #104 / PRs: #106	–	Fixed	—
CVE-2019-19635 (NVD)	Heap BOF in sixel_decode_raw_impl	S: ✅ fixed (93812d6 / v1.8.3)	Issues: #103 / PRs: #106	–	Fixed	—
CVE-2019-11024 (NVD)	Infinite recursion in load_pnm	S: ✅ fixed (b418f35 / v1.8.4)	Issues: #85	–	Fixed	—
CVE-2019-3574 (NVD)	Heap over-read in load_jpeg	S: ✅ fixed (614e761 / v1.8.3)	Issues: #83 / PRs: #95	–	Fixed	—
CVE-2019-3573 (NVD)	Infinite loop in sixel_decode_raw_impl	S: ✅ fixed (614e761 / v1.8.3)	Issues: #83 / PRs: #95	–	Fixed	—
CVE-2018-19763 (NVD)	Heap over-read in write_png_to_file (writer.c)	S: ✅ fixed (614e761 / v1.8.3)	Issues: #82 / PRs: #95	–	Fixed	—
CVE-2018-19762 (NVD)	Heap BOF in image_buffer_resize (fromsixel.c)	S: ✅ fixed (1af6800 / v1.8.3)	Issues: #81 / PRs: #92	–	Fixed	—
CVE-2018-19761 (NVD)	Invalid address access in sixel_decode_raw_impl	S: ✅ fixed (1377517 / v1.8.3)	Issues: #78, #105 / PRs: #106	–	Fixed	—
CVE-2018-19759 (NVD)	Heap over-read in stb_image_write	S: ✅ fixed (5f64fb1 / v1.8.3)	Issues: #77 / PRs: #98	–	Fixed	—
CVE-2018-19757 (NVD)	NULL deref in status.c	S: ✅ fixed (e903c93, a53c872 / v1.8.3)	Issues: #79 / PRs: #91, #94	–	Fixed	—
CVE-2018-19756 (NVD)	Heap over-read in vendored stb_image	S: ✅ fixed (v1.8.3)	Issues: #80 / PRs: #93	–	Fixed	—
CVE-2018-14073 (NVD)	Memory leak in allocator_new	S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2)	Issues: #67	–	Fixed	—
CVE-2018-14072 (NVD)	Multiple memory leaks in decoder_decode etc.	S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2)	Issues: #67	–	Fixed	—

---

Build/Dev Dependencies (Dependabot alerts)

Package	Vulnerability / Advisory	Fix Status	Notes
rake (Ruby)	Multiple CVEs reported across versions <13.0.6 (e.g. command injection vectors)	S: ❌ (alerts open) / Forks: ❌ (PR bhohbaum/libsixel#1 updates rake)	Affects only Ruby build tasks (gem extconf / test), not the C runtime library.
minitest (Ruby)	Dependabot sometimes flags outdated versions with DoS risk	S: ❌ (not updated recently)	Purely test dependency; no impact on production libsixel usage.
other gems (rdoc, rubocop, etc.)	Occasionally flagged as “moderate”	Status varies	All are dev/test-only.

---

Notes

• ✅ = fixed, ❌ = still open, 🟡 = uninvestigated / in progress.
• Debian switched from saitoha/libsixel to the fork (libsixel/libsixel) starting at 1.10.3-1.
• The fork itself is archived (2025-02-12), so new CVEs are no longer addressed there.
• The Dependabot alerts relate only to dev/test tooling (Ruby rake, minitest, etc.) and do not affect the runtime library, but they matter for GitHub’s security signals and downstream packaging.

---

This discussion was created from the release v1.8.7 security update.

[hzeller]

The archived version that was maintaining the code in the interim https://github.com/libsixel/libsixel
... had bumped the version up to 1.10.5 (and package maintainers picked up that version https://repology.org/project/libsixel/versions )

So at some point when you think everything from there is integrated, choosing a version number that is higher (1.11.x ?) would probably help package maintainers not have to manage versions going backwards, once your original libsixel is considered the maintained one again.

[Kreijstal]

those are lots of distros that packaged the archived version