Bug 897904 (CVE-2023-0996, CVE-2023-29659) - <media-libs/libheif-1.15.2: buffer overflow
Summary: <media-libs/libheif-1.15.2: buffer overflow
Status: IN_PROGRESS
Alias: CVE-2023-0996, CVE-2023-29659
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-26 17:03 UTC by John Helmert III
Modified: 2023-09-07 06:39 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:03:43 UTC
CVE-2023-0996 (https://github.com/strukturag/libheif/pull/759):
https://govtech-csg.github.io/security-advisories/2023/02/24/CVE-2023-0996.html

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

Patch is in >=1.15.0: https://github.com/strukturag/libheif/commit/3c8e92448c10a57a7f1ec8536c6e5427fb2c7c62
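The pattern the advisory describes, as an added illustration that is not libheif's code and not the content of commit 3c8e924: a plane is copied row by row with memcpy using width, height and stride values that ultimately come from the file. If the declared geometry is never checked against the size of the buffer actually present, a crafted file makes the loop read or write past it; under emscripten that overrun lands in the WebAssembly module's linear memory rather than native memory, but it is the same missing check. The Plane struct, function names and sample bytes below are assumptions made for the example; the checked version shows the validation a reviewer would expect before the first memcpy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Geometry of one image plane as a decoder hands it to a wrapper (hypothetical
// struct for this example). width/height/stride derive from the file, so they
// are untrusted; len is the real size of the buffer that was allocated.
struct Plane {
    const uint8_t* data;  // backing buffer
    size_t len;           // real size of the backing buffer in bytes
    int width;            // bytes per row that carry pixel data
    int height;           // number of rows
    int stride;           // bytes between the start of consecutive rows
};

// Model of the vulnerable pattern: the row loop trusts the declared geometry,
// so a file that claims more rows (or a larger stride) than the buffer holds
// makes memcpy read past the source and/or write past the destination.
// Kept only to contrast with the checked version; never use on untrusted input.
static void copy_plane_unchecked(const Plane& p, uint8_t* dst) {
    for (int y = 0; y < p.height; ++y)
        std::memcpy(dst + (size_t)y * p.width, p.data + (size_t)y * p.stride, (size_t)p.width);
}

// Hardened form: verify that the declared geometry fits inside the real
// buffer before the first memcpy, with overflow-safe arithmetic. Returns
// false and leaves `out` untouched if the plane is inconsistent.
static bool copy_plane_checked(const Plane& p, std::vector<uint8_t>& out) {
    if (p.data == nullptr || p.width <= 0 || p.height <= 0 || p.stride < p.width)
        return false;
    const size_t w = (size_t)p.width, h = (size_t)p.height, s = (size_t)p.stride;
    const size_t max = std::numeric_limits<size_t>::max();
    // Last byte read is at offset s*(h-1) + w - 1; reject if that would wrap.
    if (h - 1 > (max - w) / s) return false;
    const size_t span = s * (h - 1) + w;
    if (span > p.len) return false;          // declared rows exceed the buffer
    if (w > max / h) return false;           // destination size would wrap
    out.assign(w * h, 0);
    for (size_t y = 0; y < h; ++y)
        std::memcpy(out.data() + y * w, p.data + y * s, w);
    return true;
}

// Constructed input: 2 rows of 3 pixel bytes, stride 4 (one padding byte per row).
static const uint8_t kBuf[8] = {1, 2, 3, 0, 4, 5, 6, 0};

// Well-formed plane: both versions produce the same packed 3x2 image.
static bool demo_valid() {
    Plane good{kBuf, sizeof kBuf, 3, 2, 4};
    uint8_t packed[6] = {0};
    copy_plane_unchecked(good, packed);      // safe here because the geometry is honest
    std::vector<uint8_t> out;
    if (!copy_plane_checked(good, out)) return false;
    return out == std::vector<uint8_t>(packed, packed + 6);
}

// Crafted geometry: the checked copy refuses; the unchecked one would overrun.
static bool demo_crafted() {
    std::vector<uint8_t> out;
    Plane too_many_rows{kBuf, sizeof kBuf, 3, 1000, 4};             // 1000 rows claimed, 8 bytes present
    Plane stride_lt_width{kBuf, sizeof kBuf, 5, 1, 4};              // rows would overlap
    Plane huge{kBuf, sizeof kBuf, INT32_MAX, INT32_MAX, INT32_MAX}; // size arithmetic would wrap on 32-bit
    return !copy_plane_checked(too_many_rows, out)
        && !copy_plane_checked(stride_lt_width, out)
        && !copy_plane_checked(huge, out);
}
```

The check has to be against the length of the buffer that exists, not against the header fields, and the size arithmetic must be done in a way that cannot wrap; a stride smaller than the width is also inconsistent and is rejected rather than silently producing overlapping rows.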
Comment 1 Jakov Smolić archtester gentoo-dev 2023-04-11 10:47:52 UTC
From ed6ed01d61b2aa3d65236a3f4d72a0f3f7d5b092 Mon Sep 17 00:00:00 2001
From: Guillermo Joandet <gjoandet@gmail.com>
Date: Sat, 8 Apr 2023 21:14:25 -0300
Subject: media-libs/libheif: Version bump to 1.15.2
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:06:07 UTC
Thanks! Please stabilize when ready.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 04:46:12 UTC
CVE-2023-29659 (https://github.com/strukturag/libheif/issues/794):

A segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.

Fix is in 1.15.2.
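The failure class behind the second CVE, as an added illustration that is not libheif's box.cc and not the 1.15.2 fix: a rational value read from a box as a numerator/denominator pair is rounded with integer division, and a crafted file that sets the denominator to 0 makes that division trap with SIGFPE (reported by the shell as "floating point exception"), which is the denial of service. The struct layout, function names and sample payload bytes are assumptions for this example; the hardened version rejects the fraction at parse time and again before dividing, and does the arithmetic in 64 bits so INT32_MIN / -1 cannot overflow either.

```cpp
#include <cstddef>
#include <cstdint>

// Rational value as a box payload carries it: two 32-bit integers
// (hypothetical struct for this example).
struct Fraction {
    int32_t numerator;
    int32_t denominator;
};

// Model of the pre-fix behaviour: round to nearest with integer division and
// no validation. With denominator == 0 the division traps (SIGFPE) and the
// process dies. Shown only for contrast; never call this on untrusted input.
static int32_t fraction_round_unchecked(const Fraction& f) {
    return (f.numerator + f.denominator / 2) / f.denominator;
}

// Validation a parser should apply right after reading the box.
static bool fraction_is_valid(const Fraction& f) {
    return f.denominator != 0;
}

// Hardened form: refuse invalid fractions, compute in 64 bits, round half away
// from zero. Returns false and leaves `out` untouched on invalid input or when
// the rounded value does not fit int32_t (e.g. INT32_MIN / -1).
static bool fraction_round(const Fraction& f, int32_t& out) {
    if (!fraction_is_valid(f)) return false;
    int64_t n = f.numerator, d = f.denominator;
    if (d < 0) { n = -n; d = -d; }   // move the sign into the numerator; safe in 64 bits
    int64_t r = (n >= 0) ? (n + d / 2) / d : (n - d / 2) / d;
    if (r < INT32_MIN || r > INT32_MAX) return false;
    out = (int32_t)r;
    return true;
}

// Big-endian 32-bit read, as box fields are stored.
static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

// Parses an 8-byte numerator/denominator pair and rejects a zero denominator
// at parse time, so no later round() call can ever see one.
static bool parse_fraction(const uint8_t* buf, size_t len, Fraction& out) {
    if (buf == nullptr || len < 8) return false;
    out.numerator = (int32_t)read_be32(buf);
    out.denominator = (int32_t)read_be32(buf + 4);
    return fraction_is_valid(out);
}

// Constructed box payloads: 7/2 (well-formed) and 7/0 (crafted).
static const uint8_t kGood[8]    = {0, 0, 0, 7, 0, 0, 0, 2};
static const uint8_t kCrafted[8] = {0, 0, 0, 7, 0, 0, 0, 0};

static bool demo() {
    Fraction f;
    int32_t r = 0;
    if (!parse_fraction(kGood, sizeof kGood, f)) return false;
    if (fraction_round_unchecked(f) != 4) return false;   // fine on honest input
    if (!fraction_round(f, r) || r != 4) return false;
    if (parse_fraction(kCrafted, sizeof kCrafted, f)) return false;   // rejected at parse time
    Fraction zero{7, 0};
    return !fraction_round(zero, r);   // also rejected if a caller skipped parse validation
}
```

Rejecting the value when the box is parsed is the important half: a validity check only inside round() protects that one call site, while a check at parse time keeps a zero denominator out of every later computation on the same object.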