Bug 33662 - libheif new security issue CVE-2024-41311
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-10-23 15:47 CEST by Nicolas Salguero
Modified: 2024-11-09 06:51 CET

See Also:
Source RPM: libheif-1.16.2-1.1.mga9.src.rpm
CVE: CVE-2024-41311
Status comment:


Description Nicolas Salguero 2024-10-23 15:47:32 CEST
Ubuntu has issued an advisory on October 23:
https://ubuntu.com/security/notices/USN-7082-1
Comment 1 Nicolas Salguero 2024-10-23 15:48:51 CEST
According to https://security-tracker.debian.org/tracker/CVE-2024-41311, the fix is https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36

Source RPM: (none) => libheif-1.16.2-1.1.mga9.src.rpm
CVE: (none) => CVE-2024-41311
Status comment: (none) => Fixed upstream in 1.18.0 and patch available from upstream

Comment 2 Marja Van Waes 2024-10-23 16:23:47 CEST
Assigning to libheif's registered maintainer.

Assignee: bugsquad => smelror
CC: (none) => marja11

Comment 3 Nicolas Salguero 2024-11-07 14:37:26 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write. (CVE-2024-41311)

References:
https://ubuntu.com/security/notices/USN-7082-1
========================

Updated packages in core/updates_testing:
========================
lib(64)heif1-1.16.2-1.2.mga9
lib(64)heif-devel-1.16.2-1.2.mga9
libheif-1.16.2-1.2.mga9

from SRPM:
libheif-1.16.2-1.2.mga9.src.rpm

Status comment: Fixed upstream in 1.18.0 and patch available from upstream => (none)
Status: NEW => ASSIGNED

Nicolas Salguero 2024-11-07 14:41:06 CET

Assignee: smelror => qa-bugs

katnatek 2024-11-07 18:56:06 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-11-08 00:37:56 CET
Doesn't this library have both core and tainted versions?

CC: (none) => andrewsfarm

Comment 5 katnatek 2024-11-08 03:00:46 CET
(In reply to Thomas Andrews from comment #4)
> Doesn't this library have both core and tainted versions?

It was in https://bugs.mageia.org/show_bug.cgi?id=33332#c2
Comment 6 Nicolas Salguero 2024-11-08 08:15:37 CET
Ooops! Sorry!

Updated packages in tainted/updates_testing:
========================
lib(64)heif1-1.16.2-1.2.mga9.tainted
lib(64)heif-devel-1.16.2-1.2.mga9.tainted
libheif-1.16.2-1.2.mga9.tainted

from SRPM:
libheif-1.16.2-1.2.mga9.tainted.src.rpm
Comment 7 Thomas Andrews 2024-11-08 14:12:27 CET
(In reply to Nicolas Salguero from comment #6)
> Ooops! Sorry!
> 
No worries. That's why we are here. 

I can test this one later today.
Comment 8 Thomas Andrews 2024-11-09 02:06:22 CET
Tested core packages in an "untainted" VirtualBox MGA9-64 Plasma guest. No installation issues. Tested with Gimp, which was able to load and display images in heic format, but not export into it. Looks OK here.

Tested tainted packages in another VirtualBox MGA9-64 Plasma guest. No installation issues. Gimp was able to load and display the heic image, as before. After loading a jpg image, I was able to export it in heic format. Looks OK here, too.

Giving this an OK, and validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Dan Fandrich 2024-11-09 05:31:27 CET
The .adv file doesn't list the tainted version. Shouldn't it as well?

CC: (none) => dan

Comment 10 katnatek 2024-11-09 05:42:18 CET
(In reply to Dan Fandrich from comment #9)
> The .adv file doesn't list the tainted version. Shouldn't it as well?

Yes, please add it, if you can
If not, I'll do it tomorrow
Comment 11 Mageia Robot 2024-11-09 06:18:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0352.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 12 Dan Fandrich 2024-11-09 06:35:14 CET
Oops, I didn't mean to start pushing this before getting an answer to comment #9 but it looks like I did. I'll update the advisory with the tainted version then move it manually.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 13 Dan Fandrich 2024-11-09 06:51:27 CET
Done.

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

