Bug 31768

Summary: libheif new security issue CVE-2023-0996
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libheif-1.10.0-1.1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-04-06 19:00:58 CEST 
SUSE has issued an advisory on April 5:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014381.html

The bug link is missing from the advisory, it is here:
https://bugzilla.suse.com/show_bug.cgi?id=1208640

The upstream commit that fixed the issue is referenced there.

Mageia 8 is also affected.
David Walser 2023-04-06 19:01:40 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2023-04-08 20:16:18 CEST 
Stig looks after libheif, so assigning this to you.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-04-09 22:43:26 CEST 
This fix was merged in January and version 1.15.2 was published in March. Hence Cauldron is not affected.

Will push an update for MGA8 an a backported fix.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libheif-1.15.2-1.mga9.src.rpm => libheif-1.10.0-1.1.mga8.src.rpm

Comment 3 Stig-Ørjan Smelror 2023-04-10 06:59:39 CEST 
Advisory
========

An upstream patch has been backported to fix CVE-2023-0996.

CVE-2023-0996: There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call. 

References
==========
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014381.html
https://bugzilla.suse.com/show_bug.cgi?id=1208640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0996

Files
=====

Uploaded to core/updates_testing

lib64heif-devel-1.10.0-1.2.mga8
libheif-1.10.0-1.2.mga8
lib64heif1-1.10.0-1.2.mga8

Uploaded to tainted/updates_testing

lib64heif-devel-1.10.0-1.2.mga8.tainted
libheif-1.10.0-1.2.mga8.tainted
lib64heif1-1.10.0-1.2.mga8.tainted

from libheif-1.10.0-1.2.mga8.src.rpm

Assignee: smelror => qa-bugs

David Walser 2023-04-10 14:32:22 CEST

Status comment: Patch available from upstream => (none)
CC: (none) => smelror

Comment 4 Thomas Andrews 2023-04-13 00:27:11 CEST 
No installation issues.

Updated the core packages in a VirtualBox "untainted" mga8-64 Plasma guest, after which I was able to load and display a sample heif image, but was not allowed to export into that format. Looks OK there.

Updated the tainted packages in another VirtualBox guest. Loaded the same image as above into Gimp, but this time was able to export it to a different folder in the same format. Ok there, too.

Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-04-15 18:29:46 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-04-15 21:05:31 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED