Bug 31768 - libheif new security issue CVE-2023-0996
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-04-06 19:00 CEST by David Walser
Modified: 2023-04-15 21:05 CEST

See Also:
Source RPM: libheif-1.10.0-1.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2023-04-06 19:00:58 CEST
SUSE has issued an advisory on April 5:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014381.html

The bug link is missing from the advisory; it is here:
https://bugzilla.suse.com/show_bug.cgi?id=1208640

The upstream commit that fixed the issue is referenced there.

Mageia 8 is also affected.
David Walser 2023-04-06 19:01:40 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2023-04-08 20:16:18 CEST
Stig looks after libheif, so assigning this to you.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-04-09 22:43:26 CEST
This fix was merged in January and version 1.15.2 was published in March. Hence Cauldron is not affected.

Will push an update for MGA8 and a backported fix.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: libheif-1.15.2-1.mga9.src.rpm => libheif-1.10.0-1.1.mga8.src.rpm

Comment 3 Stig-Ørjan Smelror 2023-04-10 06:59:39 CEST
Advisory
========

An upstream patch has been backported to fix CVE-2023-0996.

CVE-2023-0996: There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call. 

References
==========
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014381.html
https://bugzilla.suse.com/show_bug.cgi?id=1208640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0996

Files
=====

Uploaded to core/updates_testing

lib64heif-devel-1.10.0-1.2.mga8
libheif-1.10.0-1.2.mga8
lib64heif1-1.10.0-1.2.mga8

Uploaded to tainted/updates_testing

lib64heif-devel-1.10.0-1.2.mga8.tainted
libheif-1.10.0-1.2.mga8.tainted
lib64heif1-1.10.0-1.2.mga8.tainted

from libheif-1.10.0-1.2.mga8.src.rpm

Assignee: smelror => qa-bugs
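
The advisory in comment 3 describes an overflow during a memcpy of strided image data. As an added illustration of that bug class (not libheif's code and not the backported patch; the function name and parameters are hypothetical), this is a bounds-checked copy from a strided plane into a tightly packed buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: copy a strided image plane into a packed buffer.
 * width_bytes = visible bytes per row, stride = bytes between row starts.
 * Returns 0 on success, -1 if the geometry is inconsistent or the copy
 * would read or write outside either buffer. */
int copy_plane_packed(uint8_t *dst, size_t dst_size,
                      const uint8_t *src, size_t src_size,
                      size_t width_bytes, size_t height, size_t stride)
{
    if (dst == NULL || src == NULL || width_bytes == 0 || height == 0)
        return -1;
    /* A row can never be wider than the distance between row starts. */
    if (stride < width_bytes)
        return -1;
    /* Packed output needs width_bytes * height bytes; reject on overflow. */
    if (width_bytes > SIZE_MAX / height || width_bytes * height > dst_size)
        return -1;
    /* The last source row ends at (height - 1) * stride + width_bytes. */
    if (height - 1 > (SIZE_MAX - width_bytes) / stride ||
        (height - 1) * stride + width_bytes > src_size)
        return -1;

    if (stride == width_bytes) {
        /* No row padding: one contiguous copy of exactly the packed size. */
        memcpy(dst, src, width_bytes * height);
        return 0;
    }
    /* Padded rows: copy only the visible bytes of each row, never
     * stride * height bytes into a width_bytes * height buffer. */
    for (size_t y = 0; y < height; y++)
        memcpy(dst + y * width_bytes, src + y * stride, width_bytes);
    return 0;
}
```

The size passed to each memcpy is derived from the destination's packed row width, and every multiplication is checked before use, so a file that declares a stride or height inconsistent with the allocated buffers is rejected instead of copied.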

David Walser 2023-04-10 14:32:22 CEST

Status comment: Patch available from upstream => (none)
CC: (none) => smelror

Comment 4 Thomas Andrews 2023-04-13 00:27:11 CEST
No installation issues.

Updated the core packages in a VirtualBox "untainted" mga8-64 Plasma guest, after which I was able to load and display a sample heif image, but was not allowed to export into that format. Looks OK there.

Updated the tainted packages in another VirtualBox guest. Loaded the same image as above into Gimp, but this time was able to export it to a different folder in the same format. Ok there, too.

Validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-04-15 18:29:46 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-04-15 21:05:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

