CVE-2019-6976Use of Uninitialized Resource in Libvips

CWE-908Use of Uninitialized Resource6 documents5 sources
Severity
5.3MEDIUMNVD
OSV7.5
EPSS
0.3%
top 49.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
LibvipsDebian Vips
Timeline
PublishedJan 26
Latest updateOct 18

Description

libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDlibvips/libvips< 8.7.4
debiandebian/vips< vips 8.7.4-1 (bookworm)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
vips vulnerabilities2023-10-18
GHSA
GHSA-589q-f3gp-p53f: libvips before 82022-05-13
OSV
CVE-2019-6976: libvips before 82019-01-26

📋Vendor Advisories

2
Ubuntu
VIPS vulnerabilities2023-10-18
Debian
CVE-2019-6976: vips - libvips before 8.7.4 generates output images from uninitialized memory locations...2019
CVE-2019-6976 — Use of Uninitialized Resource | cvebase