Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-0996: CVE-2023-0996

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

CVE
#vulnerability#js#buffer_overflow

Buffer Overflow in heif_js_decode_image in libheif v1.14.2****CVE ID

CVE-2023-0996

Description

There is a vulnerability in the strided image data parsing code in the emscripten wrapper for libheif. An attacker could exploit this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

Tested Versions

v1.14.2

Details

libheif is an ISO/IEC 23008-12:2017 HEIF and AVIF (AV1 Image File Format) file format decoder and encoder.

Timeline

  • 2022-10-21 - Vendor Disclosure
  • 2023-01-11- Vendor Patched
  • 2023-02-24 - Public Release

Credit

Discovered by Eugene Lim of GovTech Singapore.

Related news

Ubuntu Security Notice USN-6847-1

Ubuntu Security Notice 6847-1 - It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907