CVE-2019-17534

Name

CVE-2019-17534

Description

vips_foreign_load_gif_scan_image in foreign/gifload.c in libvips before 8.8.2 tries to access a color map before a DGifGetImageDesc call, leading to a use-after-free.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
Exploit	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16796
Patch	https://github.com/libvips/libvips/commit/ce684dd008532ea0bf9d4a1d89bacb35f4a83f4d
Patch	https://github.com/libvips/libvips/compare/v8.8.1...v8.8.2

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:libvips_project:libvips::::::::`	libvips	>= None	< 8.8.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
vips	edge-community	8.8.2-r0	None	fixed
vips	3.22-community	8.8.2-r0	None	fixed
vips	3.21-community	8.8.2-r0	None	fixed
vips	3.20-community	8.8.2-r0	None	fixed
vips	3.19-community	8.8.2-r0	None	fixed
vips	3.18-community	8.8.2-r0	None	fixed
vips	3.17-community	8.8.2-r0	None	fixed