1900810 – (CVE-2020-20739) CVE-2020-20739 vips: uninitialized variable in im_vips2dz function in im_vips2dz.c may leak remote server path or stack address

Bug 1900810 (CVE-2020-20739) - CVE-2020-20739 vips: uninitialized variable in im_vips2dz function in im_vips2dz.c may leak remote server path or stack address

Summary: CVE-2020-20739 vips: uninitialized variable in im_vips2dz function in im_vips...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-20739
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Benjamin Gilbert
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-23 18:37 UTC by Guilherme de Almeida Suckevicz
Modified:	2020-12-10 21:24 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-12-10 21:24:23 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-23 18:37:40 UTC

im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

Reference:
https://github.com/libvips/libvips/issues/1419

Upstream patch:
https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a

Comment 1 Benjamin Gilbert 2020-11-30 03:43:09 UTC

Affects F32, but not F33 or higher.  Appears to be low severity.

Comment 2 Benjamin Gilbert 2020-12-06 06:12:10 UTC

https://bodhi.fedoraproject.org/updates/FEDORA-2020-d82261f7b1

Note You need to log in before you can comment on or make changes to this bug.