Lucene search

GoogleOSV:GHSA-22FX-6R9M-R8H9

HistoryMay 05, 2023 - 6:30 p.m.

libheif vulnerable to segmentation fault via floating point exception

2023-05-0518:30:17

Google

osv.dev

libheif

segmentation fault

vulnerability

denial of service

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

29.6%

JSON

A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.

References

github.com/strukturag/libheif

github.com/strukturag/libheif/commit/e05e15b57a38ec411cb9acb38512a1c36ff62991

github.com/strukturag/libheif/issues/794

lists.fedoraproject.org/archives/list/[email protected]/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ

lists.fedoraproject.org/archives/list/[email protected]/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L

nvd.nist.gov/vuln/detail/CVE-2023-29659

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

29.6%

JSON

Related for OSV:GHSA-22FX-6R9M-R8H9