Bug 1220976 (CVE-2024-25269) - VUL-0: CVE-2024-25269: libheif: libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.
Summary: VUL-0: CVE-2024-25269: libheif: libheif <= 1.17.6 contains a memory leak in t...
Status: RESOLVED INVALID
Alias: CVE-2024-25269
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/396281/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-25269:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-05 14:12 UTC by SMASH SMASH
Modified: 2024-04-08 07:24 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-03-05 14:12:06 UTC
libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25269
https://www.cve.org/CVERecord?id=CVE-2024-25269
https://github.com/strukturag/libheif/issues/1073
Comment 2 Petr Gajdos 2024-03-05 15:47:33 UTC
Hello Stoyan,

the patch intervenes in examples/encoder_jpeg.cc only, thus I do not think we are affected. If I understand correctly, examples are not built at all (just in case debug has to be done and x265 is turned on). Even if examples were enabled, only a few of them are taken and encoder_jpeg is not among them.

Do you agree?
Comment 3 Petr Gajdos 2024-03-06 19:32:01 UTC
Dare to close as invalid.