Bug 1900810 (CVE-2020-20739)

Summary: CVE-2020-20739 vips: uninitialized variable in im_vips2dz function in im_vips2dz.c may leak remote server path or stack address
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Benjamin Gilbert <bgilbert>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam, bgilbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-10 21:24:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Guilherme de Almeida Suckevicz 2020-11-23 18:37:40 UTC 
im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

Reference:
https://github.com/libvips/libvips/issues/1419

Upstream patch:
https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a
Comment 1 Benjamin Gilbert 2020-11-30 03:43:09 UTC 
Affects F32, but not F33 or higher.  Appears to be low severity.
Comment 2 Benjamin Gilbert 2020-12-06 06:12:10 UTC 
https://bodhi.fedoraproject.org/updates/FEDORA-2020-d82261f7b1