First, my apologies for letting the project stagnate for so long, and my thanks to everyone on the libsixel/libsixel project who continued to deliver security fixes and improvements during my absence.
This repository (saitoha/libsixel) does not yet incorporate everything from libsixel/libsixel. In particular, I am still evaluating whether to adopt Meson for the build system. Reasons include: I currently have no Meson expertise; importing it as-is would eliminate a large number of #ifdefs and likely reduce portability; and I am considering a future port to OpenVMS. I know many people dislike GNU Autotools, so I will keep revisiting the build system choice. The slow ./configure on Windows is a major pain point, but predefining CONFIG_SITE should mitigate it substantially.
On security fixes, my understanding is that the majority are already addressed. A summary of overall progress appears further below in this post. We deferred CVE-2021-46700 (#158), which we have not been able to reproduce, as well as certain Dependabot alerts that appear to have limited impact, for a later release.
📢 What's New in libsixel-1.8.7
- fix invalid pointer access in `encoder.c` (#193, #195). Thanks to @momo-trip, @akinomyoga
- fix wrong HLS to RGB conversion (#191). Thanks to @gnachman, @j4james
- fix NULL pointer dereference problem in `img2sixel.c` (#192). Thanks to @momo-trip, @akinomyoga
- fix double free problem in `encoder.c` (#194). Thanks to @momo-trip
- security fix for #200, heap buffer overflow in the debug palette function. Thanks to @err2zero
- Travis-CI: added support for ppc64le (#140). Thanks to @dthadi3
- export `sixel_allocator_new` to DLL (#151). Thanks to @johnnychen94
- README: add Idris 2 language bindings (#155). Thanks to @Kaiepi
- performance: if width and height are unchanged, nothing to do (#170). Thanks to @rokuyama
- README: add `MacPorts` to install options (#183). Thanks to @barracuda156
- add backport feature (nanosleep) for Windows, GitHub Actions CI (#202). Thanks to @Kreijstal
- build: remove override of $LIBJPEG_CFLAGS and $LIBJPEG_LIBS set by PKG_CHECK_MODULES()
- fix problems with the dithering palette calculation (#188). Thanks to @gnachman, @j4james
- fix SEGV error in `sixel_encoder_setopt` (#174). Thanks to @shinibufa, @j4james
- curl: send original UserAgent header: "libsixel/${LIBSIXEL_VERSION}"
- fix heap-buffer-overflow in error_diffuse, quant.c:876 (#172). Thanks to @waugustus
- fix heap-buffer-overflow in scale.c:214 (#179). Thanks to @chameleon10712, @j4james
- build: fallback support for environments without `pkg-config`
- fix double-free problem in `loader.c` (#150). Thanks to @duytai, @ctrlcctrlv
- fix an assertion issue in `stbi__create_png_image_raw` (#163). Thanks to @kdsjZh, @dankamongmen
- update `stb_image.h` from upstream to version 2.30. Thanks to @hzeller
- update examples/drawing: add `SGR-Pixels` mode
- fix a problem on monochromatic encoded (-e) output (#112). Thanks to @interkosmos, @j4james
- fix an FPE issue (#166, #167). Thanks to @waugustus, @j4james
- cli: fix a scaling issue introduced in v1.6.1, which occurs when one of -w/-h is a percentage and the other is unset or "auto"
- fix a memory leak problem (#164). Thanks to @muetzenmann, @j4james
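The HLS item above (#191) records that the conversion was wrong, not how. The detail a reviewer of any sixel decoder should check is the hue origin: a sixel colour definition `#Pc;1;Px;Py;Pz` carries hue angle, lightness percent and saturation percent, and DEC's hue wheel starts at blue (0 = blue, 120 = red, 240 = green), whereas the textbook HSL formula starts at red. The block below is an added reference implementation of mine, not libsixel's code and not the #191 patch; the `dec_hls_to_rgb` name, the clamping of out-of-range percentages and the half-up rounding are my own choices.

```c
/* Added example, not libsixel's code: DEC-convention HLS to 8-bit RGB.
 * A sixel colour definition "#Pc;1;Px;Py;Pz" carries Px = hue angle in
 * degrees, Py = lightness 0..100, Pz = saturation 0..100.  DEC's hue wheel
 * starts at blue (0 = blue, 120 = red, 240 = green); the textbook HSL
 * formula starts at red, so the hue is rotated by 240 degrees first.
 * Function and type names here are my own. */
#include <stdint.h>
#include <stdio.h>

struct rgb8 { uint8_t r, g, b; };

static int clamp_int(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

static uint8_t unit_to_byte(double x)
{
    return (uint8_t)(x * 255.0 + 0.5);          /* x in [0,1]; round half up */
}

/* Convert DEC HLS (hue degrees, lightness %, saturation %) to RGB.
 * Percentages come straight from the sixel byte stream, so they are
 * clamped rather than trusted; the hue is normalised modulo 360. */
struct rgb8 dec_hls_to_rgb(int hue, int lum, int sat)
{
    lum = clamp_int(lum, 0, 100);
    sat = clamp_int(sat, 0, 100);
    hue = ((hue % 360) + 360) % 360;            /* handles negatives too */
    int h = (hue + 240) % 360;                  /* DEC blue-at-0 -> HSL red-at-0 */

    double l = lum / 100.0;
    double s = sat / 100.0;
    double d = 2.0 * l - 1.0;
    if (d < 0) d = -d;
    double c = (1.0 - d) * s;                   /* chroma */

    int sector = h / 60;                        /* 0..5 on the HSL wheel */
    double t = (sector % 2) + (h % 60) / 60.0;  /* (h/60) mod 2 */
    double e = t - 1.0;
    if (e < 0) e = -e;
    double x = c * (1.0 - e);                   /* second-largest component */
    double m = l - c / 2.0;                     /* lightness offset */

    double r1 = 0, g1 = 0, b1 = 0;
    switch (sector) {
    case 0: r1 = c; g1 = x; break;
    case 1: r1 = x; g1 = c; break;
    case 2: g1 = c; b1 = x; break;
    case 3: g1 = x; b1 = c; break;
    case 4: r1 = x; b1 = c; break;
    default: r1 = c; b1 = x; break;             /* sector 5 */
    }
    struct rgb8 out = { unit_to_byte(r1 + m), unit_to_byte(g1 + m), unit_to_byte(b1 + m) };
    return out;
}

int main(void)
{
    /* constructed inputs: the three DEC primaries, a mid grey, a wrapped hue */
    int cases[][3] = { {0, 50, 100}, {120, 50, 100}, {240, 50, 100}, {0, 50, 0}, {480, 50, 100} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct rgb8 p = dec_hls_to_rgb(cases[i][0], cases[i][1], cases[i][2]);
        printf("hls(%d,%d,%d) -> rgb(%u,%u,%u)\n",
               cases[i][0], cases[i][1], cases[i][2], p.r, p.g, p.b);
    }
    return 0;
}
```

With the rotation in place, hue 0 at 50% lightness and full saturation yields pure blue and hue 120 pure red; with the rotation omitted the same input would render blue as red, which is the kind of mismatch a palette comparison against a real VT340 or another sixel-capable terminal exposes immediately.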
🛡️ libsixel Security Overview (CVE + Dependabot)
All CVEs reported for libsixel (2018–2025, including stb_image leftovers)
| CVE | Short Description | Fix Status (S = saitoha/libsixel / L = libsixel/libsixel fork) | S: Issues / PRs | L: Issues / PRs | Debian / Downstream Status | Notes |
|---|---|---|---|---|---|---|
| CVE-2025-9300 (NVD) | img2sixel: sixel_debug_print_palette stack/heap boundary error | S: ✅ fixed (316c086) | Issues: #200 | – | Vulnerable (no DSA) | New in 2025; S fixed on master via #200 / 316c086; L archived. |
| CVE-2023-45661 (NVD) | stb_image: OOB memcpy read in stbi__gif_load_next (GIF) | S: ✅ not affected (stb ≥ 2.30 vendored) | – | – | Vulnerable (libstb) | libsixel provides its own gif_load_next() and we have verified it is unaffected; historically, when stb_image.h lacked animated GIF support, we moved the GIF loader to src/fromgif.c and have maintained it independently. |
| CVE-2023-43898 (NVD) | stb_image: NULL deref in stbi__convert_format (PICT) | S: ✅ fixed (stb 2.28) | – | – | Vulnerable (libstb) | |
| CVE-2022-29978 (NVD) | FPE in sixel_encoder_do_resize | S: ✅ fixed (07ab235) / L: 🟡 in progress | Issues: #166, #167 | Issues: #60, #61, #63 | Vulnerable (postponed/No-DSA) | Debian postponed. |
| CVE-2022-29977 (NVD) | Assertion failure in stb JPEG huffman decode (stb_image) | S: ✅ fixed (1c58a6e) / L: ✅ fixed (138b4ee) | Issues: #165, #159 | Issues: #62 / PRs: #83 | Vulnerable (postponed/No-DSA) | Debian postponed; L has #63. |
| CVE-2022-28042 (NVD) | stb_image: heap use-after-free in stbi__jpeg_huff_decode (v2.27) | S: ✅ fixed (stb 2.28) | – | – | Vulnerable (libstb) | |
| CVE-2022-28041 (NVD) | stb_image: integer overflow in stbi__jpeg_decode_block_prog_dc (v2.27) | S: ✅ fixed (stb 2.28) | – | – | Vulnerable (libstb) | |
| CVE-2022-27046 (NVD) | Use-after-free in dither.c:388 | S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67) | Issues: #157 | Issues: #27 / PRs: #28 | Fixed (bookworm+) | Fixed in L via #28; Debian fixed in bookworm+. |
| CVE-2022-27044 (NVD) | Buffer overflow in quant.c | S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc) | Issues: #172 | Issues: #25 / PRs: #26 | Fixed (bookworm+) | Debian marks fixed; L fixed in 1.10.x. |
| CVE-2021-46700 (NVD) | Double-free in sixel_encoder_output_without_macro | S: 🟡 could not be reproduced on our side | Issues: #158 | – | Vulnerable (no DSA) | — |
| CVE-2021-45340 (NVD) | stb_image: NULL deref (PICT) | S: ✅ fixed (stb 2.26) (1c58a6e) / L: ✅ fixed (138b4ee) | Issues: #160 | Issues: #73, #51 / PRs: #52 | Vulnerable (ignored) | Handled historically via stb bump to 2.26 in L. |
| CVE-2021-41715 (NVD) | Use-after-free in dither.c:379 | S: ✅ fixed (98189b8) / L: ✅ fixed (d299d67) | Issues: #157 | Issues: #27 / PRs: #28 | Fixed (bookworm+) | Fixed in libsixel/libsixel (archived 2025-02-12); backport to S as needed. |
| CVE-2021-40656 (NVD) | Buffer overflow in quant.c:867 (<1.10) | S: ✅ fixed (39c2de0) / L: ✅ fixed (dc96cdc) | Issues: #156, #172 | Issues: #25 | Fixed (bookworm+) | — |
| CVE-2020-36120 (NVD) | Buffer overflow in sixel_encoder_encode_bytes | S: ✅ won't fix (user error) | Issues: #143 | – | — (NVD only) | Tracked in NVD; Debian page may not list under libsixel. |
| CVE-2020-21677 (NVD) | Heap BOF in sixel_encoder_output_without_macro | S: ✅ fixed (0b1e0b3 / v1.8.5) | Issues: #123 | – | Fixed | — |
| CVE-2020-21548 (NVD) | Heap BOF in sixel_encode_highcolor | S: ✅ fixed (9d0a7ff / v1.8.4) | Issues: #116 | – | Fixed | — |
| CVE-2020-21547 (NVD) | Heap BOF in dither_func_fs | S: ✅ fixed (9d0a7ff / v1.8.4) | Issues: #114 | – | Fixed | — |
| CVE-2020-21050 (NVD) | Stack BOF in GIF raster code | S: ✅ fixed (7808a06 / v1.8.3) | Issues: #75 | – | Fixed | — |
| CVE-2020-21049 (NVD) | Invalid read in PSD handler (stb_image) | S: ✅ fixed (0b1e0b3 / v1.8.5) | Issues: #74 | – | Fixed | — |
| CVE-2020-21048 (NVD) | DoS in dither.c | S: ✅ fixed (cb373ab / v1.8.4) | Issues: #73 | – | Fixed | — |
| CVE-2020-19668 (NVD) | OOB access in fromgif.c: gif_out_code | S: ✅ fixed (f39d6da) | Issues: #136 | – | Fixed | — |
| CVE-2020-11721 (NVD) | Free of uninitialized pointer in load_png | S: ✅ fixed (76b491d) | Issues: #134 | – | Fixed | — |
| CVE-2019-20205 (NVD) | Integer overflow in sixel_frame_resize | S: ✅ fixed (5543354 / v1.8.5) | Issues: #127 | – | Fixed | — |
| CVE-2019-20140 (NVD) | Heap BOF in gif_out_code | S: ✅ fixed (598c8c8 / v1.8.5) | Issues: #122 | – | Fixed | — |
| CVE-2019-20094 (NVD) | Heap BOF in gif_init_frame | S: ✅ fixed (a18b378 / v1.8.5) | Issues: #125 | – | Fixed | — |
| CVE-2019-20056 (NVD) | Assertion in vendored stb_image | S: ✅ fixed (814f831 / v1.8.5) | Issues: #126 | – | Fixed | — |
| CVE-2019-20024 (NVD) | Heap BOF in image_buffer_resize | S: ✅ fixed (6367d2f / v1.8.4) | Issues: #121 | – | Fixed (1.8.6-1) | — |
| CVE-2019-20023 (NVD) | Memory leak in image_buffer_resize | S: ✅ fixed (b9a4175 / v1.8.5) | Issues: #120 | – | Fixed (1.8.6-1) | — |
| CVE-2019-20022 (NVD) | Invalid memory access in load_pnm | S: ✅ fixed (e17c076 / v1.8.3) | Issues: #108 | – | Fixed | — |
| CVE-2019-19778 (NVD) | Heap over-read in load_sixel | S: ✅ fixed (614e761 / v1.8.3) | Issues: #110 | – | Fixed | — |
| CVE-2019-19777 (NVD) | Heap over-read in vendored stb_image | S: ✅ fixed (d6e34fc / v1.8.3) | Issues: #109 | – | Fixed | — |
| CVE-2019-19638 (NVD) | Integer overflow → heap BOF in load_pnm | S: ✅ fixed (93812d6 / v1.8.3) | Issues: #102 / PRs: #106 | – | Fixed | — |
| CVE-2019-19637 (NVD) | Integer overflow in sixel_decode_raw_impl | S: ✅ fixed (93812d6 / v1.8.3) | Issues: #105 / PRs: #106 | – | Fixed | — |
| CVE-2019-19636 (NVD) | Integer overflow in sixel_encode_body | S: ✅ fixed (93812d6 / v1.8.3) | Issues: #104 / PRs: #106 | – | Fixed | — |
| CVE-2019-19635 (NVD) | Heap BOF in sixel_decode_raw_impl | S: ✅ fixed (93812d6 / v1.8.3) | Issues: #103 / PRs: #106 | – | Fixed | — |
| CVE-2019-11024 (NVD) | Infinite recursion in load_pnm | S: ✅ fixed (b418f35 / v1.8.4) | Issues: #85 | – | Fixed | — |
| CVE-2019-3574 (NVD) | Heap over-read in load_jpeg | S: ✅ fixed (614e761 / v1.8.3) | Issues: #83 / PRs: #95 | – | Fixed | — |
| CVE-2019-3573 (NVD) | Infinite loop in sixel_decode_raw_impl | S: ✅ fixed (614e761 / v1.8.3) | Issues: #83 / PRs: #95 | – | Fixed | — |
| CVE-2018-19763 (NVD) | Heap over-read in write_png_to_file (writer.c) | S: ✅ fixed (614e761 / v1.8.3) | Issues: #82 / PRs: #95 | – | Fixed | — |
| CVE-2018-19762 (NVD) | Heap BOF in image_buffer_resize (fromsixel.c) | S: ✅ fixed (1af6800 / v1.8.3) | Issues: #81 / PRs: #92 | – | Fixed | — |
| CVE-2018-19761 (NVD) | Invalid address access in sixel_decode_raw_impl | S: ✅ fixed (1377517 / v1.8.3) | Issues: #78, #105 / PRs: #106 | – | Fixed | — |
| CVE-2018-19759 (NVD) | Heap over-read in stb_image_write | S: ✅ fixed (5f64fb1 / v1.8.3) | Issues: #77 / PRs: #98 | – | Fixed | — |
| CVE-2018-19757 (NVD) | NULL deref in status.c | S: ✅ fixed (e903c93, a53c872 / v1.8.3) | Issues: #79 / PRs: #91, #94 | – | Fixed | — |
| CVE-2018-19756 (NVD) | Heap over-read in vendored stb_image | S: ✅ fixed (v1.8.3) | Issues: #80 / PRs: #93 | – | Fixed | — |
| CVE-2018-14073 (NVD) | Memory leak in allocator_new | S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2) | Issues: #67 | – | Fixed | — |
| CVE-2018-14072 (NVD) | Multiple memory leaks in decoder_decode etc. | S: ✅ fixed (f94bc6f, 84ed0bc / v1.8.2) | Issues: #67 | – | Fixed | — |
Build/Dev Dependencies (Dependabot alerts)
| Package | Vulnerability / Advisory | Fix Status | Notes |
|---|---|---|---|
| rake (Ruby) | Multiple CVEs reported across versions <13.0.6 (e.g. command injection vectors) | S: ❌ (alerts open) / Forks: ❌ (PR bhohbaum/libsixel#1 updates rake) | Affects only Ruby build tasks (gem extconf / test), not the C runtime library. |
| minitest (Ruby) | Dependabot sometimes flags outdated versions with DoS risk | S: ❌ (not updated recently) | Purely test dependency; no impact on production libsixel usage. |
| other gems (rdoc, rubocop, etc.) | Occasionally flagged as “moderate” | Status varies | All are dev/test-only. |
Notes
- ✅ = fixed, ❌ = still open, 🟡 = uninvestigated / in progress.
- Debian switched from saitoha/libsixel to the fork (libsixel/libsixel) starting at 1.10.3-1.
- The fork itself is archived (2025-02-12), so new CVEs are no longer addressed there.
- The Dependabot alerts relate only to dev/test tooling (Ruby rake, minitest, etc.) and do not affect the runtime library, but they matter for GitHub’s security signals and downstream packaging.