Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 696302 (CVE-2019-11471) - <media-libs/libheif-{1.4.1,1.5.1}: multiple vulnerabilities (CVE-2019-11471)
Summary: <media-libs/libheif-{1.4.1,1.5.1}: multiple vulnerabilities (CVE-2019-11471)
Status: RESOLVED FIXED
Alias: CVE-2019-11471
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/strukturag/libheif...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-05 01:30 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 22:04 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libheif-1.5.1 dev-lang/go-1.12.9 arm64
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-05 01:30:43 UTC 
CVE-2019-11471 (https://nvd.nist.gov/vuln/detail/CVE-2019-11471):
  libheif 1.4.0 has a use-after-free in
  heif::HeifContext::Image::set_alpha_channel in heif_context.h because
  heif_context.cc mishandles references to non-existing alpha images.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-05 01:33:25 UTC 
There's a bunch of additional fuzz-related fixes in libheif's upstream git repo (which are present in 1.5.1). Only one vuln got a CVE yet.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 19:25:50 UTC 
Let's go with =media-libs/libheif-1.5.1!
Comment 3 Stabilization helper bot gentoo-dev 2019-10-06 20:02:43 UTC 
An automated check of this bug failed - repoman reported dependency errors (6 lines truncated): 

> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['dev-lang/go']
> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['dev-lang/go']
> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['dev-lang/go']
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 21:31:02 UTC 
x86 stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-10-07 03:11:32 UTC 
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-07 08:44:34 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Christian Strahl 2019-10-07 14:53:49 UTC 
This bug should be blocked by #696850
Comment 8 Larry the Git Cow gentoo-dev 2019-10-26 22:04:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=299c1ff0f29fab1d72daa3bf6a335a59f775fc02

commit 299c1ff0f29fab1d72daa3bf6a335a59f775fc02
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 22:03:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 22:04:19 +0000

    media-libs/libheif: security cleanup (#696302)
    
    Bug: https://bugs.gentoo.org/696302
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libheif/Manifest                        |  3 -
 .../libheif/files/libheif-1.3.2-openjpeg-2.patch   | 93 ----------------------
 media-libs/libheif/libheif-1.3.2-r1.ebuild         | 56 -------------
 media-libs/libheif/libheif-1.4.0.ebuild            | 58 --------------
 media-libs/libheif/libheif-1.4.1.ebuild            | 66 ---------------
 5 files changed, 276 deletions(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 22:04:57 UTC 
GLSA Vote: no!

Repository is clean, all done!