
Bug 954132 (CVE-2025-43967)

Summary: <media-libs/libheif-1.19.7: Multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Status: CONFIRMED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
CC: maintainer-needed
Whiteboard: B3 [noglsa cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 943172, 954133
Bug Blocks:

Description Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2025-04-21 06:49:13 UTC
Prompted by https://bugs.gentoo.org/953971#c3. I took a further look now and found some bits (didn't see anything in release notes so wasn't too worried yesterday).

--

* CVE-2025-43966

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc.

* CVE-2025-43967

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item.
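The failure mode behind CVE-2025-43967 is a container item (the grid) carrying a reference to an item ID the file never defines, with the decoder dereferencing the result of that lookup without checking it. The C++ below is an added illustration of that pattern and of the check that prevents it; it is not libheif's code and does not reproduce the real ImageItem_Grid::get_decoder. HeifContext, ImageItem, GridError and check_sample_grid are hypothetical names, and the item table (tiles 1..4 plus a dangling reference to item 99) is a constructed sample, not data from an actual HEIF file.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

using heif_item_id = uint32_t;

// Hypothetical stand-in for an image item parsed from a HEIF file's 'iinf' box.
// libheif's real ImageItem classes are richer; only what the bug needs is modelled.
struct ImageItem {
    heif_item_id id;
    std::string type;                 // item type, e.g. "hvc1" or "grid"
    std::vector<heif_item_id> tiles;  // 'dimg' references from a grid to its tile items
};

// Hypothetical item table. get_image_item() returns nullptr for an unknown ID,
// which is what a grid referencing a nonexistent item hands to the caller.
class HeifContext {
public:
    void add_item(ImageItem item) {
        items_[item.id] = std::make_shared<ImageItem>(std::move(item));
    }
    std::shared_ptr<ImageItem> get_image_item(heif_item_id id) const {
        auto it = items_.find(id);
        return it == items_.end() ? nullptr : it->second;
    }
private:
    std::map<heif_item_id, std::shared_ptr<ImageItem>> items_;
};

// Vulnerable pattern (modelled, not libheif's code): trust the reference and
// dereference whatever the lookup returns. With a dangling 'dimg' reference the
// pointer is null and the process crashes, a denial of service for anything that
// decodes attacker-supplied HEIF files. Deliberately never called on the
// malformed sample below.
std::string grid_decoder_type_unchecked(const HeifContext& ctx, const ImageItem& grid) {
    std::shared_ptr<ImageItem> tile = ctx.get_image_item(grid.tiles.front());
    return tile->type;  // null pointer dereference when the tile item is missing
}

// Hardened pattern: validate every referenced tile before decoding anything and
// report a parse error instead of crashing.
enum class GridError { Ok, NoTiles, MissingTile };

GridError grid_decoder_type_checked(const HeifContext& ctx, const ImageItem& grid,
                                    std::string* out_type) {
    if (grid.tiles.empty()) return GridError::NoTiles;
    for (heif_item_id ref : grid.tiles) {
        if (!ctx.get_image_item(ref)) return GridError::MissingTile;
    }
    *out_type = ctx.get_image_item(grid.tiles.front())->type;
    return GridError::Ok;
}

// Constructed sample: a 2x2 grid (item 10) over tile items 1..4. With
// dangling_reference set, the grid also references item 99, which the "file"
// never defines, the shape of input that triggers the bug.
GridError check_sample_grid(bool dangling_reference, std::string* out_type = nullptr) {
    HeifContext ctx;
    for (heif_item_id id = 1; id <= 4; ++id) ctx.add_item({id, "hvc1", {}});
    ImageItem grid{10, "grid", {1, 2, 3, 4}};
    if (dangling_reference) grid.tiles.push_back(99);
    ctx.add_item(grid);
    std::string type;
    GridError err = grid_decoder_type_checked(ctx, grid, &type);
    if (out_type) *out_type = type;
    return err;
}

int main() {
    std::string type;
    GridError ok = check_sample_grid(false, &type);
    std::printf("well-formed grid: %s (tile codec %s)\n",
                ok == GridError::Ok ? "Ok" : "error", type.c_str());
    GridError bad = check_sample_grid(true);
    std::printf("dangling reference: %s\n",
                bad == GridError::MissingTile ? "MissingTile" : "unexpected");
    return 0;
}
```

The same shape of check applies to CVE-2025-43966: any item that is resolved through a reference from another item has to be treated as possibly absent, and the error has to be surfaced to the caller before any decoder object is touched. On the Gentoo side the practical check is simply whether the installed media-libs/libheif is at or above the version in the bug summary.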