Main Vulnerability Database Vulnerabilities #VU21748

#VU21748 Memory leak in libvips - CVE-2019-6976

Published: October 13, 2019

Vulnerability identifier: #VU21748

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-6976

CWE-ID: CWE-401

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
libvips

Software vendor:
libvips

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due memory leak within the iofuncs/memory.c file in libvips library due to application does not zero out allocated memory when when processing corrupted input image data. A remote attacker can pass to the application a corrupted data and leak raw process memory contents through the output image.

Remediation

Install updates from vendor's website.

External links

https://blog.silentsignal.eu/2019/04/18/drop-by-drop-bleeding-through-libvips/
https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69d0a
https://github.com/libvips/libvips/releases/tag/v8.7.4

#VU21748 Memory leak in libvips - CVE-2019-6976

Description

Remediation

External links

Please verify you're human