
Bug#1032101: marked as done (libheif: CVE-2023-0996)



Your message dated Thu, 02 Mar 2023 00:29:09 +0000
with message-id <E1pXWon-000Eqo-0O@fasolo.debian.org>
and subject line Bug#1032101: fixed in libheif 1.15.1-1
has caused the Debian Bug report #1032101,
regarding libheif: CVE-2023-0996
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1032101: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032101
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libheif
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libheif.

CVE-2023-0996[0]:
| There is a vulnerability in the strided image data parsing code in the
| emscripten wrapper for libheif. An attacker could exploit this through
| a crafted image file to cause a buffer overflow in linear memory
| during a memcpy call.

https://github.com/strukturag/libheif/pull/759
https://govtech-csg.github.io/security-advisories/2023/02/24/CVE-2023-0996.html
		

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0996
    https://www.cve.org/CVERecord?id=CVE-2023-0996

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libheif
Source-Version: 1.15.1-1
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
libheif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032101@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libheif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Mar 2023 00:09:34 +0100
Source: libheif
Architecture: source
Version: 1.15.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 1029668 1032101
Changes:
 libheif (1.15.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.15.1
     - Fix CVE-2023-0996 (Closes: #1032101)
     - Do not fail if no plugin directory is available (Closes: #1029668)
   * debian/libheif1.symbols: Add new symbols
   * debian/*.install: Update for new upstream release


--- End Message ---
