HTSlib Heap Buffer Overflow Vulnerability in CRAM Reader

Vulnerability

A heap buffer overflow has been identified in HTSlib, a C library for reading and writing bioinformatics file formats, in its reader for CRAM, a compressed format for DNA sequence alignment data. Most CRAM records carry sequence bases and quality values, but a record may omit them to save space. The `cram_decode_seq()` function mishandles records that lack sequence data: while decoding such a record it can read one byte beyond the end of a heap allocation and then write an attacker-controlled byte to that same location. Because the file contents drive both the condition and the written value, a crafted CRAM file can corrupt the heap and potentially achieve arbitrary code execution in the process that parses it. The issue affects HTSlib releases up to and including 1.21, the 1.22 series before 1.22.2, and 1.23; it is fixed in 1.21.1, 1.22.2 and 1.23.1.
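To make the failure mode concrete, here is an added example written for this page; it is not code from HTSlib or from the CRAM specification. It models the class of bug the advisory describes with a toy decoder for a constructed record layout in which the sequence buffer is sized from one field while substitution positions are checked against another, so a record that omits its sequence drives a read and an attacker-controlled write one byte past a zero-length heap allocation. The record format, the field names, the sample records and the sentinel byte standing in for the neighbouring heap chunk are all assumptions of the example; the `hardened` branch shows the kind of check a fix needs to make.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record layout (an assumption of this example, NOT the
 * CRAM wire format):
 *   byte 0: flags; bit 0 set means the record carries sequence bases
 *   byte 1: read length from the header
 *   byte 2: number of substitution features that follow
 *   then one (position, replacement base) pair per feature
 */
#define REC_HAS_SEQ 0x01
#define SENTINEL    0xAA   /* stands in for whatever follows the allocation */

struct record {
    uint8_t flags, len, nfeat;
    const uint8_t *feats;
};

static int parse_record(const uint8_t *rec, size_t reclen, struct record *out)
{
    if (reclen < 3)
        return -1;
    out->flags = rec[0];
    out->len   = rec[1];
    out->nfeat = rec[2];
    if (reclen < 3 + (size_t)out->nfeat * 2)
        return -1;
    out->feats = rec + 3;
    return 0;
}

/* Decode one record, applying its substitution features to a freshly
 * allocated sequence buffer.  `hardened` selects the corrected bounds
 * logic.  Returns -1 if the record is rejected, 0 if it decoded with the
 * sentinel byte intact, and 1 if the decoder wrote past the allocation. */
int decode_record(const uint8_t *rec, size_t reclen, int hardened)
{
    struct record r;
    if (parse_record(rec, reclen, &r) < 0)
        return -1;

    int has_seq = r.flags & REC_HAS_SEQ;
    /* No sequence in the record means nothing to allocate for it. */
    size_t alloc = has_seq ? r.len : 0;

    /* Real code would malloc(alloc).  One extra sentinel byte is added
     * here so an out-of-bounds access is observable instead of silently
     * corrupting the heap. */
    uint8_t *seq = malloc(alloc + 1);
    if (!seq)
        return -1;
    memset(seq, 'N', alloc);
    seq[alloc] = SENTINEL;

    for (unsigned i = 0; i < r.nfeat; i++) {
        uint8_t pos  = r.feats[2 * i];
        uint8_t base = r.feats[2 * i + 1];

        if (hardened) {
            /* Fix: a record without sequence has nothing to patch, and
             * the position is checked against what was allocated. */
            if (!has_seq || pos >= alloc) {
                free(seq);
                return -1;
            }
        } else if (pos >= r.len) {
            /* Bug: bounds taken from the header's read length rather than
             * from the allocation; with no sequence, alloc is 0 but r.len
             * may still be nonzero, so pos == 0 passes the check. */
            free(seq);
            return -1;
        }

        uint8_t old = seq[pos];   /* reads the byte (past the end for a no-seq record) */
        seq[pos] = base;          /* then writes the attacker-chosen value there */
        (void)old;                /* a real decoder consults the old base; only the access matters here */
    }

    int overflow = seq[alloc] != SENTINEL;
    free(seq);
    return overflow;
}

/* Constructed sample records (not taken from any real CRAM file). */
static const uint8_t REC_WITH_SEQ[]      = { 0x01, 4, 1, 2, 'A' }; /* 4 bases, substitute base 2 */
static const uint8_t REC_NO_SEQ[]        = { 0x00, 1, 1, 0, 'A' }; /* no bases, len 1, feature at 0 */
static const uint8_t REC_NO_SEQ_NOFEAT[] = { 0x00, 1, 0 };         /* no bases, no features */

int main(void)
{
    printf("with seq, vulnerable: %d\n", decode_record(REC_WITH_SEQ, sizeof REC_WITH_SEQ, 0));
    printf("no seq,   vulnerable: %d\n", decode_record(REC_NO_SEQ, sizeof REC_NO_SEQ, 0));
    printf("with seq, hardened:   %d\n", decode_record(REC_WITH_SEQ, sizeof REC_WITH_SEQ, 1));
    printf("no seq,   hardened:   %d\n", decode_record(REC_NO_SEQ, sizeof REC_NO_SEQ, 1));
    return 0;
}
```

The vulnerable branch accepts `REC_NO_SEQ` because its header still advertises a read length of 1, then touches the first byte of a zero-length allocation; the hardened branch rejects any feature on a record that has no sequence and bounds every position against the allocation size rather than a header field. Building with `-fsanitize=address` and removing the sentinel byte reproduces the same defect as an ASan heap-buffer-overflow report.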

Impact

A crafted CRAM file triggers a heap buffer overflow in the process that reads it, which can crash that process or silently corrupt data and heap structures adjacent to the overflowed allocation. Because the overwritten byte is attacker-controlled, the corruption may be leveraged into arbitrary code execution with the privileges of the parsing process.

Remediation

Upgrade to HTSlib 1.21.1, 1.22.2 or 1.23.1, whichever matches the release series in use. HTSlib is linked into samtools, bcftools and many language bindings, so rebuild or update those tools as well; `samtools --version` reports the HTSlib version it was built against. Until the upgrade is in place, treat CRAM files from untrusted sources as hostile input.

Added: Mar 18, 2026, 7:07 PM
Updated: Mar 18, 2026, 7:07 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 4.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.