im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address. Reference: https://github.com/libvips/libvips/issues/1419 Upstream patch: https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a
Affects F32, but not F33 or higher. Appears to be low severity.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-d82261f7b1