Several libheif Vulnerabilities Fixed in Ubuntu
libheif is a library that allows you to work with HEIF (High Efficiency Image File Format) and AVIF (AV1 Image File Format) images. Recently, Canonical released Ubuntu security updates to address multiple vulnerabilities in libheif. Security updates are available for various Ubuntu releases, including Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 ESM.
libheif Vulnerabilities Affecting Ubuntu
These vulnerabilities could be exploited by attacks through specially crafted files.
CVE-2019-11471
libheif incorrectly handled certain image data, which could allow an attacker to crash the program, resulting in a denial of service. This vulnerability only affected Ubuntu 18.04.
CVE-2020-23109
The improper handling of certain image data by libheif could lead to a denial of service. This vulnerability only affected Ubuntu 20.04 LTS.
CVE-2023-0996
Similar to the above vulnerability, this flaw relates to the improper handling of certain image data by libheif. It could also allow an attacker to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04.
CVE-2023-29659
This vulnerability, like the other, involves incorrect handling of image data, potentially leading to a program crash and denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49463
Multiple vulnerabilities were found related to how libheif handled certain image data, which could be exploited to crash the program and result in a denial of service. These issues only affected Ubuntu 23.10.
How to Stay Secure
To address these vulnerabilities, it is essential to upgrade the libheif package to the latest versions available for your Ubuntu release. Upgrading the libheif package is straightforward using the apt package manager tool.
You can run the following commands to upgrade libheif.
$ sudo apt update
$ sudo apt --only-upgrade install libheif1
If you’re running Ubuntu 18.04, you should be aware that it has already reached its end-of-life in April 2023. This means the operating system no longer receives critical security updates through the standard software repositories. These updates are essential to protect your system from newly discovered vulnerabilities.
To ensure your system remains secure, you have two main choices.
Upgrading to a newer Long-Term Support (LTS) version of Ubuntu is the recommended path. LTS versions receive security updates for a longer duration, typically five years. This option provides a fresh and secure foundation for your system along with access to the latest software features.
Alternatively, you can opt for extended support. This allows you to keep using Ubuntu 18.04 but comes with a paid subscription. TuxCare’s Extended Lifecycle Support for Ubuntu 18.04 offers vendor-grade security patches for up to five years after the end of life date. This means you can secure your end of life Ubuntu systems till April 2028 as it received the end of life status in April 2023. TuxCare’s ELS provides updates for the Linux kernel, common shared libraries like openssl, glib, and various other packages like python, php, mysql, zlib, and more.
Conclusion
By following these steps, you can ensure that your system is protected against the vulnerabilities discovered in libheif. Regularly updating your software packages is a critical practice in maintaining the security and stability of your systems.
Learn how TuxCare creates Extended Lifecycle Support (ELS) patches on this video.
Source: USN-6847-1