Vulnerability Description
libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libvips | Libvips | < 8.7.4 |
Related Weaknesses (CWE)
References
- https://blog.silentsignal.eu/2019/04/18/drop-by-drop-bleeding-through-libvips/Technical DescriptionThird Party Advisory
- https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69dPatchThird Party Advisory
- https://github.com/libvips/libvips/releases/tag/v8.7.4Third Party Advisory
- https://blog.silentsignal.eu/2019/04/18/drop-by-drop-bleeding-through-libvips/Technical DescriptionThird Party Advisory
- https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69dPatchThird Party Advisory
- https://github.com/libvips/libvips/releases/tag/v8.7.4Third Party Advisory
FAQ
What is CVE-2019-6976?
CVE-2019-6976 is a vulnerability with a CVSS score of 5.3 (MEDIUM). libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result...
How severe is CVE-2019-6976?
CVE-2019-6976 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-6976?
Check the references section above for vendor advisories and patch information. Affected products include: Libvips Libvips.