Bug 2253565 (CVE-2023-49463)
| Field | Value |
|---|---|
| Summary: | CVE-2023-49463 libheif: find_exif_tag SEGV |
| Product: | [Other] Security Response |
| Reporter: | Nick Tait <ntait> |
| Component: | vulnerability |
| Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- |
| QA Contact: | |
| Severity: | medium |
| Docs Contact: | |
| Priority: | medium |
| Version: | unspecified |
| Keywords: | Security |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | --- |
| Doc Text: | A heap buffer overflow flaw was found in the find_exif_tag function in libheif. This flaw allows an attacker to cause a crash or other possible unspecified impacts. The highest threat from this vulnerability is to system availability. |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | 2253566 |
| Bug Blocks: | |
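The Doc Text above says only that find_exif_tag in libheif can be driven into a heap buffer overflow by a crafted file. The C below is an added illustration of that bug class; it is not libheif's code and does not reproduce the upstream issue. It walks a TIFF/EXIF IFD0 the way a tag search does, once trusting the IFD offset and entry count read from the file (the pattern that lets a crafted block read past the end of the heap buffer) and once with every read bounded by the buffer size. The byte arrays are constructed for the example and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-order-aware readers; le != 0 means little-endian ("II") block. */
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* TIFF/EXIF block layout (offsets from the start of the block):
 *   0: "II" or "MM" byte order   2: magic 42   4: uint32 offset of IFD0
 *   IFD0: uint16 entry count, then count x 12-byte entries:
 *         tag(2) type(2) count(4) value-or-offset(4)
 * Both functions return the offset of the matching entry, or -1. */

/* Unchecked walker (bug pattern): the IFD offset and the entry count come
 * straight from attacker-controlled bytes and are never compared with the
 * buffer size, so a crafted block makes the loop read beyond the heap buffer.
 * Kept here for contrast only; it is not called on the malformed samples. */
long find_exif_tag_unchecked(const uint8_t *exif, uint16_t tag)
{
    int le = (exif[0] == 'I');
    uint32_t ifd = rd32(exif + 4, le);
    uint32_t n = rd16(exif + ifd, le);               /* no bound on ifd */
    for (uint32_t i = 0; i < n; i++) {               /* no bound on n   */
        const uint8_t *e = exif + ifd + 2 + i * 12;
        if (rd16(e, le) == tag) return (long)(e - exif);
    }
    return -1;
}

/* Hardened walker: each access is validated against `size` before it happens,
 * using subtraction rather than addition so the checks cannot overflow. */
long find_exif_tag_checked(const uint8_t *exif, size_t size, uint16_t tag)
{
    int le;
    if (size < 8) return -1;                         /* header needs 8 bytes */
    if (memcmp(exif, "II", 2) == 0) le = 1;
    else if (memcmp(exif, "MM", 2) == 0) le = 0;
    else return -1;
    if (rd16(exif + 2, le) != 42) return -1;
    uint32_t ifd = rd32(exif + 4, le);
    if (ifd > size || size - ifd < 2) return -1;     /* room for the count */
    uint32_t n = rd16(exif + ifd, le);
    size_t avail = size - ifd - 2;
    if ((size_t)n * 12 > avail) return -1;           /* room for all entries */
    for (uint32_t i = 0; i < n; i++) {
        size_t entry = (size_t)ifd + 2 + (size_t)i * 12;
        if (rd16(exif + entry, le) == tag) return (long)entry;
    }
    return -1;
}

/* Constructed sample: big-endian block, IFD0 at 8, two entries, the second
 * being Orientation (0x0112, type SHORT) with value 6. Not a real file. */
static const uint8_t GOOD[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08,
    0x00,0x02,
    0x01,0x00, 0x00,0x04, 0x00,0x00,0x00,0x01, 0x00,0x00,0x04,0x00, /* ImageWidth */
    0x01,0x12, 0x00,0x03, 0x00,0x00,0x00,0x01, 0x00,0x06,0x00,0x00, /* Orientation=6 */
    0x00,0x00,0x00,0x00                                             /* no next IFD */
};
/* Constructed malformed block: claims 0xFFFF entries, only two bytes follow. */
static const uint8_t BAD_COUNT[] = {
    'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08, 0xFF,0xFF, 0x01,0x12
};
/* Constructed malformed block: IFD0 offset points far outside the buffer. */
static const uint8_t BAD_OFFSET[] = { 'M','M', 0x00,0x2A, 0x7F,0xFF,0xFF,0xF0 };

long demo_good_entry(void)  { return find_exif_tag_checked(GOOD, sizeof GOOD, 0x0112); }
int  demo_good_orientation(void) {
    long e = demo_good_entry();                      /* entry fits: checked above */
    return e < 0 ? -1 : (int)rd16(GOOD + e + 8, 0);  /* SHORT value sits at +8 */
}
long demo_bad_count(void)   { return find_exif_tag_checked(BAD_COUNT, sizeof BAD_COUNT, 0x0112); }
long demo_bad_offset(void)  { return find_exif_tag_checked(BAD_OFFSET, sizeof BAD_OFFSET, 0x0112); }

int main(void)
{
    printf("good: entry %ld orientation %d\n", demo_good_entry(), demo_good_orientation());
    printf("bad count: %ld, bad offset: %ld\n", demo_bad_count(), demo_bad_offset());
    return 0;
}
```

The two malformed samples are exactly the inputs the unchecked walker cannot survive: the first makes it read 65535 entries from a 12-byte buffer, the second makes it dereference an offset of roughly 2 GiB past the allocation. Building with -fsanitize=address and calling find_exif_tag_unchecked on either block reports the heap-buffer-overflow read that the Doc Text describes in general terms.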
Description
Nick Tait
2023-12-07 22:53:55 UTC
Created libheif tracking bugs for this issue: Affects: fedora-all [bug 2253566]

Is this https://github.com/strukturag/libheif/issues/1042 ? Please link to upstream tickets in these bug reports. They're useless otherwise.

Hey Dominik, sorry for the very sparse report. Yes, that is the correct issue link. RH ProdSec uses a special field to share those kinds of links; it shows up on a full CVE page as "external references". However, in the case of a flaw which exclusively affects community projects, there is no CVE page and that particular data isn't visible through Bugzilla. I had no idea it worked like that. In future I'll be more careful to also paste links into the first comment so it is readily available to the people who need it.