CVE-2024-41311

Name: CVE-2024-41311
Description: In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3934-1, DSA-5796-1, ELA-1211-1

Vulnerable and fixed packages

The table below lists information on source packages.

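| Source Package | Release | Version | Status |
|---|---|---|---|
| libheif (PTS) | buster, buster (lts) | 1.3.2-2+deb10u3 | fixed |
| libheif | bullseye | 1.11.0-1 | vulnerable |
| libheif | bullseye (security) | 1.11.0-1+deb11u2 | fixed |
| libheif | bookworm (security), bookworm | 1.15.1-1+deb12u1 | fixed |
| libheif | sid, trixie | 1.19.3-1 | fixed |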

The information below is based on the following data on fixed versions.

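| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libheif | source | buster | 1.3.2-2+deb10u2 | | ELA-1211-1 | |
| libheif | source | bullseye | 1.11.0-1+deb11u1 | | DLA-3934-1 | |
| libheif | source | bookworm | 1.15.1-1+deb12u1 | | DSA-5796-1 | |
| libheif | source | (unstable) | 1.18.1-1 | | | |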

Notes

https://github.com/strukturag/libheif/issues/1226
https://github.com/strukturag/libheif/pull/1227
https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36 (v1.18.0)
