Bug 1220976 (CVE-2024-25269)

Summary: VUL-0: CVE-2024-25269: libheif: libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: gianluca.gabrielli, pgajdos, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396281/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-25269:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-03-05 14:12:06 UTC
libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25269
https://www.cve.org/CVERecord?id=CVE-2024-25269
https://github.com/strukturag/libheif/issues/1073

Comment 2 Petr Gajdos 2024-03-05 15:47:33 UTC
Hello Stoyan,

the patch intervenes in examples/encoder_jpeg.cc only, thus I do not think we are affected. If I understand correctly, examples are not built at all (just in case debug has to be done and x265 is turned on). Even if examples were enabled, only a few of them are taken and encoder_jpeg is not among them.

Do you agree?

Comment 3 Petr Gajdos 2024-03-06 19:32:01 UTC
Dare to close as invalid.