CVE-2024-40630

2024-07-1500:00:00

ubuntu.com

openimageio

heif input

information disclosure

vulnerability

upgrade

unix

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

JSON

OpenImageIO is a toolset for reading, writing, and manipulating image files
of any image file format relevant to VFX / animation via a format-agnostic
API with a feature set, scalability, and robustness needed for feature film
production. In affected versions there is a bug in the heif input
functionality of OpenImageIO. Specifically, in
HeifInput::seek_subimage(). In the worst case, this can lead to an
information disclosure vulnerability, particularly for programs that
directly use the ImageInput APIs. This bug has been addressed in commit
0a2dcb4c which is included in the 2.5.13.1 release. Users are advised to
upgrade. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchopenimageio< anyUNKNOWN
ubuntu20.04noarchopenimageio< anyUNKNOWN
ubuntu22.04noarchopenimageio< anyUNKNOWN
ubuntu24.04noarchopenimageio< anyUNKNOWN
ubuntu16.04noarchopenimageio< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	openimageio	< any	UNKNOWN
ubuntu	20.04	noarch	openimageio	< any	UNKNOWN
ubuntu	22.04	noarch	openimageio	< any	UNKNOWN
ubuntu	24.04	noarch	openimageio	< any	UNKNOWN
ubuntu	16.04	noarch	openimageio	< any	UNKNOWN