Bug#1059151: marked as done (libheif: CVE-2023-49460 CVE-2023-49462 CVE-2023-49463 CVE-2023-49464)

Your message dated Wed, 27 Dec 2023 06:19:16 +0000
with message-id <E1rING8-008G9B-Jk@fasolo.debian.org>
and subject line Bug#1059151: fixed in libheif 1.17.6-1
has caused the Debian Bug report #1059151,
regarding libheif: CVE-2023-49460 CVE-2023-49462 CVE-2023-49463 CVE-2023-49464
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1059151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059151
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libheif
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libheif.

CVE-2023-49460[0]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function UncompressedImageCodec::decode_uncompressed_image.

https://github.com/strukturag/libheif/issues/1046
https://github.com/strukturag/libheif/commit/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76

CVE-2023-49462[1]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the component /libheif/exif.cc.

https://github.com/strukturag/libheif/issues/1043
https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969

CVE-2023-49463[2]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function find_exif_tag at /libheif/exif.cc.

https://github.com/strukturag/libheif/issues/1042
https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf

CVE-2023-49464[3]:
| libheif v1.17.5 was discovered to contain a segmentation violation
| via the function
| UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

https://github.com/strukturag/libheif/issues/1044
https://github.com/strukturag/libheif/pull/1049
https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49460
    https://www.cve.org/CVERecord?id=CVE-2023-49460
[1] https://security-tracker.debian.org/tracker/CVE-2023-49462
    https://www.cve.org/CVERecord?id=CVE-2023-49462
[2] https://security-tracker.debian.org/tracker/CVE-2023-49463
    https://www.cve.org/CVERecord?id=CVE-2023-49463
[3] https://security-tracker.debian.org/tracker/CVE-2023-49464
    https://www.cve.org/CVERecord?id=CVE-2023-49464

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libheif
Source-Version: 1.17.6-1
Done: Joachim Bauch <bauch@struktur.de>

We believe that the bug you reported is fixed in the latest version of
libheif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Bauch <bauch@struktur.de> (supplier of updated libheif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Dec 2023 10:45:41 +0100
Source: libheif
Architecture: source
Version: 1.17.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Joachim Bauch <bauch@struktur.de>
Closes: 1059151
Changes:
 libheif (1.17.6-1) unstable; urgency=medium
 .
   * New upstream version 1.17.6
   * Fixes CVE-2023-49460, CVE-2023-49462, CVE-2023-49463,
     CVE-2023-49464 (Closes: #1059151).
   * Remove patch now applied upstream.
Checksums-Sha1:
 b62a7b3b2d2861a971be478cedaed90120d88c71 3071 libheif_1.17.6-1.dsc
 161ae1fd91f56156298e881f3ba51611910e9c4c 1433302 libheif_1.17.6.orig.tar.gz
 4bb108f880ff8264c8d055917acfd5e7fdf7f192 9420 libheif_1.17.6-1.debian.tar.xz
 c34db175b58b020cb3a543a839f02b019afc56e3 8424 libheif_1.17.6-1_source.buildinfo
Checksums-Sha256:
 ace5f7eabe936084ab07f6051c47c07dd817e22e51e87307de0cb935edd5d7c3 3071 libheif_1.17.6-1.dsc
 8390baf4913eda0a183e132cec62b875fb2ef507ced5ddddc98dfd2f17780aee 1433302 libheif_1.17.6.orig.tar.gz
 de9c9f0ab4c4290d99e9af74c6d29c0c78396c7a65ccfed99822e6f35c6d5a02 9420 libheif_1.17.6-1.debian.tar.xz
 767f91ee194f3873ba51609a19b591a4a7989110cb515b4fc47739f3df3cd899 8424 libheif_1.17.6-1_source.buildinfo
Files:
 6e2723b6073faa15bc011b59b0689146 3071 libs optional libheif_1.17.6-1.dsc
 563e2ecd15f1ca98ccb13388ee873ebe 1433302 libs optional libheif_1.17.6.orig.tar.gz
 3eae9b64693b244c4a53e20fd411d6fd 9420 libs optional libheif_1.17.6-1.debian.tar.xz
 e5129bbdaebeb5812aba346e7d5fcd4d 8424 libs optional libheif_1.17.6-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmWLu4sACgkQO1LKKgqv
2VQH4wgAx4PzkYvW/A0LHnHmmRzMqUl9sYBtEWbBPmgKCE7tIkwhVQm9FF7NkPmp
D1OLxZzzfW/SyzdWPz53k2t+nsPfzz1B4ogJ+MlwJADOg8uGWl3D71VEPNBiQjjk
ejYJmBOov6iKaIcs5Ezn4RKbmeMnTKJAGpHbF/RWSolhWybo8daqaSbyghoVE4hM
nC/K5pgZalCmKgetHzRPL20TUNdCZfMn42he5P/58KILzmzjk24Z7pTLFH2V/sQM
n8v+03yfWy3o/gmc9m6HZMTsLWeaptq/YCmMx0hXYSSNgC4qATSwvqzw0Rbd7AUy
ACdUqm6Eus16YUgZXgS/0UloAccgUw==
=JOt2
-----END PGP SIGNATURE-----

--- End Message ---