Bug#1014125: libheif: CVE-2020-23109

To: submit@bugs.debian.org
Subject: Bug#1014125: libheif: CVE-2020-23109
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 30 Jun 2022 16:48:45 +0200
Message-id: <Yr23zTNMCK573A/Z@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 1014125@bugs.debian.org

Source: libheif
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libheif.

CVE-2020-23109[0]:
| Buffer overflow vulnerability in function convert_colorspace in
| heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a
| denial of service and disclose sensitive information, via a crafted
| HEIF file.

https://github.com/strukturag/libheif/issues/207

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-23109
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109

Please adjust the affected versions in the BTS as needed.

Reply to:

Prev by Date: Bug#1013671: (no subject)
Next by Date: Processed: [bts-link] source package src:handbrake
Previous by thread: mpg123_1.30.0-1_source.changes ACCEPTED into unstable
Next by thread: [bts-link] source package src:handbrake
Index(es):
- Date
- Thread