Message-Id: <2E3BDDD2-01C1-4207-8662-FDA0E2674B1A@gmail.com>
Date: Thu, 28 May 2026 13:05:05 -0400
From: Geoffrey Hutchison <geoff.hutchison@...il.com>
To: oss-security@...ts.openwall.com
Subject: Open Babel 3.2.0: 24 CVEs fixed across file-format parsers
Open Babel 3.2.0 was tagged on 2026-05-26 and ships fixes for 24
publicly assigned CVEs in the chemistry file-format parsers, plus a
larger pool of OSS-Fuzz-discovered memory-safety bugs that were not
individually assigned CVE IDs. All issues are reachable through the
public OBConversion::ReadFile / WriteFile API, the `obabel` CLI, and
the language bindings, so downstream distributions and any application
that parses untrusted chemistry files with Open Babel should plan to
update or backport.
Project: Open Babel (https://openbabel.org/)
Affected: all releases <= 3.1.1
Fixed in: 3.2.0 (https://github.com/openbabel/openbabel/releases/tag/openbabel-3-2-0)
Advisory: https://github.com/openbabel/openbabel/blob/master/SECURITY.md
== CVE-2026 batch (reported by Vedant Madane; PR #2862) ==
CVE-2026-2704 CIF transform3d::DescribeAsString out-of-bounds read
CVE-2026-2705 MOL2 OBAtom::SetFormalCharge NULL dereference
CVE-2026-3408 CDXML OBAtom::GetExplicitValence NULL dereference
== CVE-2025 batch (reported via OSS-Fuzz; PR #2913) ==
CVE-2025-10994 GAMESSOutputFormat::ReadMolecule use-after-free
CVE-2025-10995 zipstream basic_unzip_streambuf overlapping memcpy
CVE-2025-10996 OBSmilesParser::ParseSmiles heap-buffer-overflow
CVE-2025-10997 ChemKinFormat::CheckSpecies heap-buffer-overflow
CVE-2025-10998 ChemKinFormat::ReadReactionQualifier NULL dereference
CVE-2025-10999 CacaoFormat::SetHilderbrandt NULL dereference
CVE-2025-11000 PQS lowerit out-of-bounds read
== CVE-2022 batch (reported by Cisco TALOS; PRs #2883-#2887) ==
CVE-2022-37331 Gaussian coords_type orientation OOB write
CVE-2022-41793 CSR PadString title OOB write
CVE-2022-42885 GRO res uninitialized pointer
CVE-2022-43467 PQS coord_file OOB write
CVE-2022-43607 MOL2 attribute/value OOB write
CVE-2022-44451 MSI atom uninitialized pointer
CVE-2022-46280 PQS pFormat uninitialized pointer
CVE-2022-46289 ORCA nAtoms OOB write
CVE-2022-46290 ORCA nAtoms OOB write
CVE-2022-46291 Gaussian translationVectors[] OOB write
CVE-2022-46292 MOPAC translationVectors[] (UNIT CELL) OOB write
CVE-2022-46293 MOPAC translationVectors[] (FINAL PT) OOB write
CVE-2022-46294 MOPAC IN translationVectors[] (Tv) OOB write
CVE-2022-46295 MSI translationVectors[] OOB write
The full per-CVE table with patch commits is in SECURITY.md on the
release branch:
https://github.com/openbabel/openbabel/blob/openbabel-3-2-0/SECURITY.md
Reproducers for each CVE are checked in under
test/files/fuzz_regress/ and run on every CI build through the
fuzzregresstest harness, with an ASAN+UBSAN job to catch regressions.
== Additional hardening (no individual CVE IDs) ==
3.2.0 also lands a large set of OSS-Fuzz / Trail of Bits / ADA Logics
(Claude Mythos) fixes across MCDL, ChemDraw CDX, ChemKin, abinit, CACAO,
Gaussian (including z-matrix and cube), Molpro, POV-Ray, Tinker, SMARTS,
MDL V3000, SDF, CIF, and the SMILES canonicalizer. Hardening highlights:
- FindRings recursion converted to an iterative loop (unbounded
  recursion depth could exhaust the stack on deeply nested inputs)
- Atom-count bounds, bond-loop bounds, charge bounds (+/-999)
- SMARTS recursive '((' depth capped at 1000
- MCDL heavy-atom cap at 200
- Reject element numbers > 118
- std::unique_ptr adoption to close leaks / UAFs
A 5-second timeout was also added to canonical-label generation to
prevent hangs on pathological inputs. An input that hits this limit
does not receive a guaranteed-canonical label, so consumers that use
canonical SMILES as identity or deduplication keys should not assume a
stable label for such inputs.
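As an added example (not Open Babel's own code), the following parser for a hypothetical line-oriented format shows the kind of bounds checks named in the hardening list above: a fixed-size translation-vector array indexed by a running counter, element numbers capped at 118, formal charges bounded to +/-999, and an atom-count cap. The record format, the kMaxAtoms value, the sample inputs, and all type and function names are assumptions made for illustration; the real per-format fixes live in the PRs referenced in SECURITY.md.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Limits named in the advisory.
constexpr int kMaxElementNumber = 118;
constexpr int kMaxAbsCharge = 999;
// Hypothetical cap for this example; the real per-format caps differ.
constexpr std::size_t kMaxAtoms = 100000;

enum class ParseStatus {
    Ok,
    TooManyTranslationVectors,  // a 4th vector would write past a 3-element array
    BadElementNumber,           // Z outside 1..118
    ChargeOutOfRange,           // |formal charge| > 999
    TooManyAtoms,               // atom count above kMaxAtoms
    MalformedLine
};

struct Vec3 { double x = 0, y = 0, z = 0; };

struct Molecule {
    // Fixed-size storage indexed by a running counter.  The idiom
    //     translationVectors[numTranslationVectors++] = v;
    // is only safe if the counter is compared to the array size first;
    // without that check a file with too many vector lines writes out of bounds.
    std::array<Vec3, 3> translationVectors{};
    int numTranslationVectors = 0;
    std::vector<int> elements;
    std::vector<int> charges;
    std::vector<Vec3> coords;
};

// Parses a hypothetical line format:
//   TV   x y z            one periodic translation vector (at most 3)
//   ATOM Z charge x y z   one atom with element number Z and formal charge
// Lines starting with '#' and blank lines are ignored.
ParseStatus parseMolecule(const std::string& text, Molecule& mol) {
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string tag;
        if (!(fields >> tag) || tag[0] == '#') continue;
        if (tag == "TV") {
            Vec3 v;
            if (!(fields >> v.x >> v.y >> v.z)) return ParseStatus::MalformedLine;
            // Bound the counter before using it as an index.
            if (mol.numTranslationVectors >= static_cast<int>(mol.translationVectors.size()))
                return ParseStatus::TooManyTranslationVectors;
            mol.translationVectors[mol.numTranslationVectors++] = v;
        } else if (tag == "ATOM") {
            int z = 0, charge = 0;
            Vec3 p;
            if (!(fields >> z >> charge >> p.x >> p.y >> p.z)) return ParseStatus::MalformedLine;
            if (z < 1 || z > kMaxElementNumber) return ParseStatus::BadElementNumber;
            if (charge < -kMaxAbsCharge || charge > kMaxAbsCharge) return ParseStatus::ChargeOutOfRange;
            if (mol.elements.size() >= kMaxAtoms) return ParseStatus::TooManyAtoms;
            mol.elements.push_back(z);
            mol.charges.push_back(charge);
            mol.coords.push_back(p);
        } else {
            return ParseStatus::MalformedLine;
        }
    }
    return ParseStatus::Ok;
}

// Convenience wrapper: parse and return only the status.
ParseStatus checkInput(const std::string& text) {
    Molecule mol;
    return parseMolecule(text, mol);
}

// Constructed sample inputs (not real Open Babel test files).
const std::string kGoodInput =
    "# water molecule in a 10 A cubic cell\n"
    "TV 10 0 0\n"
    "TV 0 10 0\n"
    "TV 0 0 10\n"
    "ATOM 8 0 0.000 0.000 0.117\n"
    "ATOM 1 0 0.000 0.757 -0.469\n"
    "ATOM 1 0 0.000 -0.757 -0.469\n";
const std::string kFourthVector = kGoodInput + "TV 1 1 1\n";   // one vector too many
const std::string kBadElement = "ATOM 119 0 0 0 0\n";         // element number > 118
const std::string kBadCharge = "ATOM 6 1000 0 0 0\n";         // charge outside +/-999

int main() {
    const std::string* samples[] = {&kGoodInput, &kFourthVector, &kBadElement, &kBadCharge};
    for (const std::string* s : samples) {
        ParseStatus st = checkInput(*s);
        std::cout << (st == ParseStatus::Ok ? "accepted" : "rejected")
                  << " (status " << static_cast<int>(st) << ")\n";
    }
    return 0;
}
```

The point of the example is the order of operations: every limit is checked before the value is used as an index, pushed into a container, or handed to downstream code, and a violation is reported as a parse error rather than being clamped silently. Running the block prints one accepted line for the well-formed input and one rejected line for each of the three malformed inputs.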
== Mitigation ==
Upgrade to Open Babel 3.2.0. Source tarball, signed git tag, and
Python wheels (Linux x86_64/aarch64, macOS, Windows) are available
from the release page above. `obabel -V` reports the installed
version; note that a pip-installed wheel bundles its own copy of the
library and must be upgraded separately from any distribution
package. The fixes apply cleanly against 3.1.1 for distros wishing
to backport; per-file PR references are in SECURITY.md.
== Credits ==
- Cisco TALOS (2022 batch)
- Vedant Madane (2026 batch)
- OSS-Fuzz, Trail of Bits, ADA Logics (Arthur Chan),
Claude Mythos / Claude Security (ongoing fuzzing reports)
- David Korczynski (#2874), tyler92 (#2737), catenacyber (#2342)
for the fuzz-harness infrastructure
Thanks to all the reporters and the fuzzing infrastructure teams.
--
Geoff Hutchison
Open Babel maintainer