
Libvips 8.19.0 Allows Local Attackers to Read Sensitive Data

CVE-2026-3283
Summary

An out-of-bounds read in libvips 8.19.0 makes it possible for someone with local access to read sensitive data. The flaw is in the function vips_extract_band_build in libvips/conversion/extract.c and is triggered by manipulating the extract_band argument. To protect yourself, apply the available patch.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| libvips | libvips | 8.19.0 | – |
Original title
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band lea...
Original description
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.
nvd CVSS 2.0: 1.7
nvd CVSS 3.1: 7.1
nvd CVSS 4.0: 1.9
Vulnerability type
CWE-119 Buffer Overflow
CWE-125 Out-of-bounds Read
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026