
Bug 696302 (CVE-2019-11471)

Summary: <media-libs/libheif-{1.4.1,1.5.1}: multiple vulnerabilities (CVE-2019-11471)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: graphics+disabled
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/strukturag/libheif/releases/tag/v1.5.0
Whiteboard: B3 [noglsa]
Package list:
media-libs/libheif-1.5.1 dev-lang/go-1.12.9 arm64
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-05 01:30:43 UTC
CVE-2019-11471 (https://nvd.nist.gov/vuln/detail/CVE-2019-11471):
  libheif 1.4.0 has a use-after-free in
  heif::HeifContext::Image::set_alpha_channel in heif_context.h because
  heif_context.cc mishandles references to non-existing alpha images.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-05 01:33:25 UTC
There's a bunch of additional fuzz-related fixes in libheif's upstream git repo (which are present in 1.5.1). Only one vuln got a CVE yet.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 19:25:50 UTC
Let's go with =media-libs/libheif-1.5.1!
Comment 3 Stabilization helper bot gentoo-dev 2019-10-06 20:02:43 UTC
An automated check of this bug failed - repoman reported dependency errors (6 lines truncated): 

> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['dev-lang/go']
> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['dev-lang/go']
> dependency.bad media-libs/libheif/libheif-1.5.1.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['dev-lang/go']
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 21:31:02 UTC
x86 stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-10-07 03:11:32 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-07 08:44:34 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Christian Strahl 2019-10-07 14:53:49 UTC
This bug should be blocked by #696850
Comment 8 Larry the Git Cow gentoo-dev 2019-10-26 22:04:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=299c1ff0f29fab1d72daa3bf6a335a59f775fc02

commit 299c1ff0f29fab1d72daa3bf6a335a59f775fc02
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 22:03:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 22:04:19 +0000

    media-libs/libheif: security cleanup (#696302)
    
    Bug: https://bugs.gentoo.org/696302
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libheif/Manifest                        |  3 -
 .../libheif/files/libheif-1.3.2-openjpeg-2.patch   | 93 ----------------------
 media-libs/libheif/libheif-1.3.2-r1.ebuild         | 56 -------------
 media-libs/libheif/libheif-1.4.0.ebuild            | 58 --------------
 media-libs/libheif/libheif-1.4.1.ebuild            | 66 ---------------
 5 files changed, 276 deletions(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 22:04:57 UTC
GLSA Vote: no!

Repository is clean, all done!