Bug#1124317: libheif: CVE-2025-68431

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1124317: libheif: CVE-2025-68431
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 30 Dec 2025 12:45:22 +0100
Message-id: <[🔎] 176709512254.32369.16634259379064272395.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1124317@bugs.debian.org

Source: libheif
Version: 1.20.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libheif.

CVE-2025-68431[0]:
| libheif is an HEIF and AVIF file format decoder and encoder. Prior
| to version 1.21.0, a crafted HEIF that exercises the overlay image
| item path triggers a heap buffer over-read in
| `HeifPixelImage::overlay()`. The function computes a negative row
| length (likely from an unclipped overlay rectangle or invalid
| offsets), which then underflows when converted to `size_t` and is
| passed to `memcpy`, causing a very large read past the end of the
| source plane and a crash. Version 1.21.0 contains a patch. As a
| workaround, avoid decoding images using `iovl` overlay boxes.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68431
    https://www.cve.org/CVERecord?id=CVE-2025-68431
[1] https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq
[2] https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: pd-readanysf is marked for autoremoval from testing
Next by Date: Processing of openshot-qt_3.4.0+dfsg1-1_amd64.changes
Previous by thread: Bug#1124291: mpv: leftover empty dir
Next by thread: Processing of openshot-qt_3.4.0+dfsg1-1_amd64.changes
Index(es):
- Date
- Thread