Vulnerability Description
libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | Fedora | 39 |
| Libvips | Libvips | >= 8.12.0, < 8.14.4 |
Related Weaknesses (CWE)
References
- https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb158 (Patch)
- https://github.com/libvips/libvips/pull/3604 (Patch)
- https://github.com/libvips/libvips/security/advisories/GHSA-33qp-9pq7-9584 (Mitigation, Patch, Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/[email protected] (Mailing List)
FAQ
What is CVE-2023-40032?
CVE-2023-40032 is a vulnerability with a CVSS score of 5.5 (MEDIUM). libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed ...
How severe is CVE-2023-40032?
CVE-2023-40032 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40032?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Libvips Libvips.