
Bug#1059151: libheif: CVE-2023-49460 CVE-2023-49462 CVE-2023-49463 CVE-2023-49464



Source: libheif
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libheif.

CVE-2023-49460[0]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function UncompressedImageCodec::decode_uncompressed_image.

https://github.com/strukturag/libheif/issues/1046
https://github.com/strukturag/libheif/commit/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76

CVE-2023-49462[1]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the component /libheif/exif.cc.

https://github.com/strukturag/libheif/issues/1043
https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969

CVE-2023-49463[2]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function find_exif_tag at /libheif/exif.cc.

https://github.com/strukturag/libheif/issues/1042
https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf

CVE-2023-49464[3]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function
| UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

https://github.com/strukturag/libheif/issues/1044
https://github.com/strukturag/libheif/pull/1049
https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49460
    https://www.cve.org/CVERecord?id=CVE-2023-49460
[1] https://security-tracker.debian.org/tracker/CVE-2023-49462
    https://www.cve.org/CVERecord?id=CVE-2023-49462
[2] https://security-tracker.debian.org/tracker/CVE-2023-49463
    https://www.cve.org/CVERecord?id=CVE-2023-49463
[3] https://security-tracker.debian.org/tracker/CVE-2023-49464
    https://www.cve.org/CVERecord?id=CVE-2023-49464

Please adjust the affected versions in the BTS as needed.

