Ubuntu 6437-1: VIPS vulnerabilities
Summary
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary: Several security issues were fixed in VIPS.

Software Description:
- vips: GObject introspection data for VIPS

Details:

Ziqiang Gu discovered that VIPS could be made to dereference a NULL pointer. If a user or automated system were tricked into processing a specially crafted input image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-7998)

It was discovered that VIPS did not properly handle uninitialized memory locations when processing corrupted input image data. An attacker could possibly use this issue to generate output images that expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-6976)

It was discovered that VIPS did not properly manage memory due to an uninitialized variable. If a user or automated system were tricked into processing a specially crafted output file, an attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-20739)

It was discovered that VIPS could be made to divide by zero in multiple functions. If a user or automated system were tricked into processing a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-27847)

It was discovered that VIPS did not properly handle certain input files that contained malformed UTF-8 characters. If a user or automated system were tricked into processing a specially crafted SVG image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-40032)
Update Instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
- gir1.2-vips-8.0 8.12.1-1ubuntu0.1~esm1
- libvips-tools 8.12.1-1ubuntu0.1~esm1
- libvips42 8.12.1-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
- gir1.2-vips-8.0 8.4.5-1ubuntu0.1~esm1
- libvips-tools 8.4.5-1ubuntu0.1~esm1
- libvips42 8.4.5-1ubuntu0.1~esm1
- python-vipscc 8.4.5-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
- gir1.2-vips-8.0 8.2.2-1ubuntu0.1~esm1
- libvips-tools 8.2.2-1ubuntu0.1~esm1
- libvips42 8.2.2-1ubuntu0.1~esm1
- python-vipscc 8.2.2-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.
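An added example (not part of the advisory): a check of installed package versions against the fixed versions listed above, using a small re-implementation of dpkg's version ordering. The ordering matters here because `~` sorts before the end of the string, so a `~esm1` build compares lower than the same version without the suffix. The inventory in `SAMPLE` is constructed, and the function and variable names are this example's own.

```python
import re

# Fixed versions, copied from the advisory's Update Instructions.
COMMON = ["gir1.2-vips-8.0", "libvips-tools", "libvips42"]
FIXED = {
    "22.04": ("8.12.1-1ubuntu0.1~esm1", COMMON),
    "18.04": ("8.4.5-1ubuntu0.1~esm1", COMMON + ["python-vipscc"]),
    "16.04": ("8.2.2-1ubuntu0.1~esm1", COMMON + ["python-vipscc"]),
}
_CHUNK = re.compile(r"([^0-9]*)([0-9]*)")  # non-digit run, then digit run

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    """Compare one upstream-version or revision string the way dpkg does."""
    while a or b:
        (na, da), (nb, db) = _CHUNK.match(a).groups(), _CHUNK.match(b).groups()
        a, b = a[len(na) + len(da):], b[len(nb) + len(db):]
        for i in range(max(len(na), len(nb))):
            ca, cb = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; missing parts default to 0 / empty."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if dash else (int(epoch), rest, "")

def compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(release, installed):
    """List the advisory's packages installed at a version below the fix."""
    fixed, names = FIXED[release]
    return sorted(p for p in names if p in installed and compare(installed[p], fixed) < 0)

# Constructed inventory for a 22.04 host (package name -> installed version).
SAMPLE = {"libvips42": "8.12.1-1build1", "libvips-tools": "8.12.1-1ubuntu0.1~esm1"}
print(needs_update("22.04", SAMPLE))
```

On a real host, `dpkg --compare-versions <installed> lt <fixed>` performs the same comparison.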
References
https://ubuntu.com/security/notices/USN-6437-1
CVE-2018-7998, CVE-2019-6976, CVE-2020-20739, CVE-2021-27847, CVE-2023-40032