Bug 33332 - libheif new security issues CVE-2023-4946[0234]
Summary: libheif new security issues CVE-2023-4946[0234]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2024-06-26 15:27 CEST by Nicolas Salguero
Modified: 2024-06-28 04:42 CEST
2 users

See Also:
Source RPM: libheif-1.16.2-1.mga9.src.rpm
CVE: CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464
Status comment: Patches available from Ubuntu


Attachments

Description Nicolas Salguero 2024-06-26 15:27:44 CEST
Ubuntu has released an advisory on June 25:
https://ubuntu.com/security/notices/USN-6847-1
Nicolas Salguero 2024-06-26 15:28:13 CEST

CVE: (none) => CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464
Status comment: (none) => Patches available from Ubuntu
Source RPM: (none) => libheif-1.16.2-1.mga9.src.rpm

Comment 2 David GEIGER 2024-06-27 06:37:20 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libheif-1.16.2-1.1.mga9
libheif-devel-1.16.2-1.1.mga9
libheif1-1.16.2-1.1.mga9
lib64heif-devel-1.16.2-1.1.mga9
lib64heif1-1.16.2-1.1.mga9

Packages in 9/Tainted/Updates_testing:
========================
libheif-1.16.2-1.1.mga9.tainted
libheif-devel-1.16.2-1.1.mga9.tainted
libheif1-1.16.2-1.1.mga9.tainted
lib64heif-devel-1.16.2-1.1.mga9.tainted
lib64heif1-1.16.2-1.1.mga9.tainted

From SRPMS:
libheif-1.16.2-1.1.mga9.src.rpm
libheif-1.16.2-1.1.mga9.tainted.src.rpm

Assignee: geiger.david68210 => qa-bugs

katnatek 2024-06-27 22:22:07 CEST

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2024-06-28 03:47:26 CEST
Referenced Bug 31768 Comment 4 for testing.

Updated the core packages in an "untainted" VirtualBox MGA9-64 guest, then used Gimp to load and display a HEIF image that had been downloaded from the Internet. Trying to export the image in HEIF format wasn't allowed. No issues there.

Updated the tainted packages in another VirtualBox MGA9-64 guest, then once again used Gimp to load and display a downloaded HEIF image. This time, however, I was able to export the image in HEIF format. No issues there, either.

Looks good here. Validating.

Keywords: (none) => has_procedure, validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2024-06-28 04:42:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED