#VU21748 Memory leak in libvips - CVE-2019-6976

Cybersecurity Help s.r.o.

Published: 2019-10-13

Vulnerability identifier: #VU21748

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6976

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libvips
Universal components / Libraries / Libraries used by multiple products

Vendor: libvips

Description
The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due memory leak within the iofuncs/memory.c file in libvips library due to application does not zero out allocated memory when when processing corrupted input image data. A remote attacker can pass to the application a corrupted data and leak raw process memory contents through the output image.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libvips: 8.7.0 - 8.7.3

External links
https://blog.silentsignal.eu/2019/04/18/drop-by-drop-bleeding-through-libvips/
https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69d0a
https://github.com/libvips/libvips/releases/tag/v8.7.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for vips

Information disclosure in libvips