
Libvips 8.19.0 Allows Local Code Execution Through Heap Overflow

CVE-2026-3281
Summary

A heap-based buffer overflow in libvips 8.19.0 allows an attacker with local access to potentially execute malicious code on a vulnerable system. The flaw is in the function vips_bandrank_build in libvips/conversion/bandrank.c and is triggered by manipulating the index argument. This is a serious issue because it could allow unauthorized changes to the system. To fix this, update to the latest version of libvips, making sure it includes the patch fd28c5463697712cb0ab116a2c55e4f4d92c4088.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
libvips | libvips | 8.19.0 | –
Original title
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in h...
Original description
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.
NVD CVSS 2.0: 4.3
NVD CVSS 3.1: 7.8
NVD CVSS 4.0: 4.8
Vulnerability type
CWE-119 Buffer Overflow
CWE-122 Heap-based Buffer Overflow
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026