Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Fedora 40: FEDORA-2025-666aaa6a0d critical: libheif OOB read

fedora
Calendar Grey February 15, 2025
Dist Fedora Esm H88
The Fedora 40 update for libheif brings vital improvements to image support and resolves multiple reading issues, alongside important security updates for protection
Latest upstream release

Summary

libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format)

file format decoder and encoder.

Update Information:

Latest upstream release. It adds support for tiles and fixes reading images generated by iOS 18+. See https://github.com/strukturag/libheif/releases for more details about the changes since 1.17.6. NOTE: heif-convert tool was renamed to heif-dec. How to test: Download and unzip sample images from mastodon issue #31570. Try opening them with e.g. loupe or gimp. They fail to open with libheif-1.17.6, but should open successfully with libheif-1.19.5. Fixes CVE-2024-41311 .

Topics%20covered

Topics Covered

security advisory critical issue update software update Fedora threat vulnerability image format libheif files OOB read

Change Log

* Wed Feb 5 2025 Robert-André Mauchin - 1.19.5-3 - Rebuilt for aom 3.11.0 * Fri Jan 17 2025 Fedora Release Engineering - 1.19.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild * Sun Nov 24 2024 Packit - 1.19.5-1 - Update to version 1.19.5 - Resolves: rhbz#2327307 * Sun Nov 17 2024 Dominik Mierzejewski - 1.19.3-3 - disable OpenJPH encoder support to work-around crashes * Sat Nov 16 2024 Sérgio Basto - 1.19.3-2 - Add support to multilib in devel sub-package - Resolves: rhbz#2279891 * Tue Nov 12 2024 Dominik Mierzejewski - 1.19.3-1 - update to 1.19.3 (resolves rhbz#2295525) - drop obsolete patches - enable OpenH264, OpenJPH (64-bit only) and Brotli decoders - run tests unconditionally, they no longer require special build options - drop conditional hevc subpackage - use fewer wildcards in the file lists - stop building rav1e and svt AV1 encoders as plugins * Thu Jul 18 2024 Fedora Release Engineering - 1.17.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

References


[ 1 ] Bug #2319289 - CVE-2024-41311 libheif: OOB read and write via ImageOverlay::parse() [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2319289 [ 2 ] Bug #2332519 - Update libheif https://bugzilla.redhat.com/show_bug.cgi?id=2332519

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-666aaa6a0d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: libheif
Product: Fedora 40
Version: 1.19.5
Release: 3.fc40
URL: https://github.com/strukturag/libheif
Summary: HEIF and AVIF file format decoder and encoder

Topics%20covered

Topics Covered

security advisory critical issue update software update Fedora threat vulnerability image format libheif files OOB read

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here