SB2023102369 - Ubuntu update for vips

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023102369

SB2023102369 - Ubuntu update for vips

Published: October 23, 2023

Security Bulletin ID SB2023102369
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2018-7998)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the vips_region_generate() function in region.c in the libvips library.  A remote attacker can pass specially crafted input to the library and perform a denial of service (DoS) attack.


2) Memory leak (CVE-ID: CVE-2019-6976)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due memory leak within the iofuncs/memory.c file in libvips  library due to application does not zero out allocated memory when when processing corrupted input image data. A remote attacker can pass to the application a corrupted data and leak raw process memory contents through the output image.


3) Information disclosure (CVE-ID: CVE-2020-20739)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in "im_vips2dz" in "/libvips/libvips/deprecated/im_vips2dz.c". A remote attacker can gain unauthorized access to sensitive information on the system.


4) Division by zero (CVE-ID: CVE-2021-27847)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due ti a division by zero error within the vips_eye_point() function in eye.c. A remote attacker can pass specially crafted input to the affected application and perform a denial of service (DoS) attack.


5) NULL pointer dereference (CVE-ID: CVE-2023-40032)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when parsing a malformed UTF-8 character inside an SVG files. A remote attacker can pass specially crafted SVG file to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References