ClickCease Several libheif Vulnerabilities Fixed in Ubuntu

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Several libheif Vulnerabilities Fixed in Ubuntu

by Rohan Timalsina

July 9, 2024 - TuxCare expert team

libheif is a library that allows you to work with HEIF (High Efficiency Image File Format) and AVIF (AV1 Image File Format) images. Recently, Canonical released Ubuntu security updates to address multiple vulnerabilities in libheif. Security updates are available for various Ubuntu releases, including Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 ESM.

 

libheif Vulnerabilities Affecting Ubuntu

 

These vulnerabilities could be exploited by attacks through specially crafted files.

 

CVE-2019-11471

libheif incorrectly handled certain image data, which could allow an attacker to crash the program, resulting in a denial of service. This vulnerability only affected Ubuntu 18.04.

 

CVE-2020-23109

The improper handling of certain image data by libheif could lead to a denial of service. This vulnerability only affected Ubuntu 20.04 LTS.

 

CVE-2023-0996

Similar to the above vulnerability, this flaw relates to the improper handling of certain image data by libheif. It could also allow an attacker to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04.

 

CVE-2023-29659

This vulnerability, like the other, involves incorrect handling of image data, potentially leading to a program crash and denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

 

CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49463

Multiple vulnerabilities were found related to how libheif handled certain image data, which could be exploited to crash the program and result in a denial of service. These issues only affected Ubuntu 23.10.

 

How to Stay Secure

 

To address these vulnerabilities, it is essential to upgrade the libheif package to the latest versions available for your Ubuntu release. Upgrading the libheif package is straightforward using the apt package manager tool.

You can run the following commands to upgrade libheif.

$ sudo apt update

$ sudo apt --only-upgrade install libheif1

 

If you’re running Ubuntu 18.04, you should be aware that it has already reached its end-of-life in April 2023. This means the operating system no longer receives critical security updates through the standard software repositories. These updates are essential to protect your system from newly discovered vulnerabilities.

To ensure your system remains secure, you have two main choices.

Upgrading to a newer Long-Term Support (LTS) version of Ubuntu is the recommended path. LTS versions receive security updates for a longer duration, typically five years. This option provides a fresh and secure foundation for your system along with access to the latest software features.

Alternatively, you can opt for extended support. This allows you to keep using Ubuntu 18.04 but comes with a paid subscription. TuxCare’s Extended Lifecycle Support for Ubuntu 18.04 offers vendor-grade security patches for up to five years after the end of life date. This means you can secure your end of life Ubuntu systems till April 2028 as it received the end of life status in April 2023. TuxCare’s ELS provides updates for the Linux kernel, common shared libraries like openssl, glib, and various other packages like python, php, mysql, zlib, and more.

 

Conclusion

 

By following these steps, you can ensure that your system is protected against the vulnerabilities discovered in libheif. Regularly updating your software packages is a critical practice in maintaining the security and stability of your systems.

Learn how TuxCare creates Extended Lifecycle Support (ELS) patches on this video.

 

Source: USN-6847-1

Summary
Several libheif Vulnerabilities Fixed in Ubuntu
Article Name
Several libheif Vulnerabilities Fixed in Ubuntu
Description
Learn about the recent libheif vulnerabilities and how to address them. Stay updated with the latest security updates for Ubuntu releases.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!