Bug 33332

Summary: libheif new security issues CVE-2023-4946[0234]
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, sysadmin-bugs
Version: 9
Keywords: advisory, has_procedure, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: libheif-1.16.2-1.mga9.src.rpm
CVE: CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464
Status comment: Patches available from Ubuntu

Description Nicolas Salguero 2024-06-26 15:27:44 CEST
Ubuntu has released an advisory on June 25:
https://ubuntu.com/security/notices/USN-6847-1
Nicolas Salguero 2024-06-26 15:28:13 CEST

CVE: (none) => CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464
Status comment: (none) => Patches available from Ubuntu
Source RPM: (none) => libheif-1.16.2-1.mga9.src.rpm

Comment 2 David GEIGER 2024-06-27 06:37:20 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libheif-1.16.2-1.1.mga9
libheif-devel-1.16.2-1.1.mga9
libheif1-1.16.2-1.1.mga9
lib64heif-devel-1.16.2-1.1.mga9
lib64heif1-1.16.2-1.1.mga9

Packages in 9/Tainted/Updates_testing:
========================
libheif-1.16.2-1.1.mga9.tainted
libheif-devel-1.16.2-1.1.mga9.tainted
libheif1-1.16.2-1.1.mga9.tainted
lib64heif-devel-1.16.2-1.1.mga9.tainted
lib64heif1-1.16.2-1.1.mga9.tainted

From SRPMS:
libheif-1.16.2-1.1.mga9.src.rpm
libheif-1.16.2-1.1.mga9.tainted.src.rpm

Assignee: geiger.david68210 => qa-bugs

katnatek 2024-06-27 22:22:07 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2024-06-28 03:47:26 CEST
Referenced Bug 31768 Comment 4 for testing.

Updated the core packages in an "untainted" VirtualBox MGA9-64 guest, then used Gimp to load and display a heif image that had been downloaded from the Internet. Trying to export the image in heif format wasn't allowed. No issues there.

Updated the tainted packages in another VirtualBox MGA9-64 guest, then once again used Gimp to load and display a downloaded heif image. This time, however, I was able to export the image in heif format. No issues there, either.

Looks good here. Validating.

Keywords: (none) => has_procedure, validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2024-06-28 04:42:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED