Your message dated Wed, 01 Jul 2026 08:35:08 +0000
with message-id <[email protected]>
and subject line Bug#1140479: fixed in libheif 1.23.1-1
has caused the Debian Bug report #1140479,
regarding libheif: CVE-2026-49271
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140479
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libheif
Version: 1.21.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libheif.

CVE-2026-49271[0]:
| libheif is a HEIF and AVIF file format decoder and encoder. Prior to
| version 1.22.1, the uncompressed HEIF decoder validates explicit
| icef compressed-unit offsets using unit_offset + unit_size. Because
| the addition can wrap, a crafted HEIF file can pass the range check
| and then construct a vector from iterators outside the compressed
| item buffer, producing an out-of-bounds heap read and crash. Version
| 1.22.1 patches the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49271
    https://www.cve.org/CVERecord?id=CVE-2026-49271
[1] https://github.com/strukturag/libheif/security/advisories/GHSA-r7qj-cg5r-r6vf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
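The CVE text above describes a range check of the form `unit_offset + unit_size <= buffer_length` that a crafted file defeats by making the addition wrap. The following is an added example, not code from libheif or from this bug report, that places that flawed pattern beside the overflow-safe form a decoder should use. The `unit_entry` struct, its field names (taken from the CVE wording), `buffer_len` and the sample table are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one compressed-unit table entry. The field
 * names follow the CVE description; the struct itself is not libheif's. */
typedef struct {
    uint32_t unit_offset;
    uint32_t unit_size;
} unit_entry;

/* Flawed check: the sum is formed first. With 32-bit operands the
 * addition wraps modulo 2^32, so a huge offset plus a small size can
 * compare as "small" and pass even though the unit lies past the end. */
bool range_check_naive(const unit_entry *e, uint32_t buffer_len) {
    uint32_t end = (uint32_t)(e->unit_offset + e->unit_size);  /* may wrap */
    return end <= buffer_len;
}

/* Overflow-safe check: never form offset + size. First make sure the
 * offset itself is inside the buffer, then compare the size against the
 * room that remains. Neither subtraction nor comparison can wrap. */
bool range_check_safe(const unit_entry *e, uint32_t buffer_len) {
    if (e->unit_offset > buffer_len) {
        return false;
    }
    return e->unit_size <= buffer_len - e->unit_offset;
}

/* Constructed sample table: one valid unit, one plainly oversized unit,
 * and one whose offset + size wraps around 2^32. */
static const unit_entry sample_units[] = {
    { 0x00000100u, 0x00000200u },  /* valid: ends at 0x300 */
    { 0x00000100u, 0x00001000u },  /* too large: ends at 0x1100 */
    { 0xFFFFFFF0u, 0x00000020u },  /* wraps: 32-bit sum is 0x10 */
};
static const size_t sample_count = sizeof sample_units / sizeof sample_units[0];
static const uint32_t sample_buffer_len = 0x1000u;

/* Count how many entries a given check would accept for a buffer of
 * buffer_len bytes. Used to compare the two checks over the same input. */
size_t count_accepted(const unit_entry *entries, size_t n, uint32_t buffer_len,
                      bool (*check)(const unit_entry *, uint32_t)) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (check(&entries[i], buffer_len)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void) {
    for (size_t i = 0; i < sample_count; i++) {
        const unit_entry *e = &sample_units[i];
        printf("offset=0x%08x size=0x%08x naive=%s safe=%s\n",
               e->unit_offset, e->unit_size,
               range_check_naive(e, sample_buffer_len) ? "accept" : "reject",
               range_check_safe(e, sample_buffer_len) ? "accept" : "reject");
    }
    return 0;
}
```

The naive check accepts two of the three constructed entries, including the wrapping one that would later be used to build a slice outside the buffer; the safe check accepts only the genuinely in-bounds unit. The same two-step comparison applies whenever a length and an offset from untrusted input are combined, regardless of operand width.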
--- Begin Message ---
Source: libheif
Source-Version: 1.23.1-1
Done: Joachim Bauch <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libheif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Bauch <[email protected]> (supplier of updated libheif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Jul 2026 10:14:01 +0200
Source: libheif
Built-For-Profiles: noudeb
Architecture: source
Version: 1.23.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Joachim Bauch <[email protected]>
Closes: 1130640 1137524 1140223 1140479
Changes:
 libheif (1.23.1-1) unstable; urgency=medium
 .
   * New upstream version 1.23.1
   * Fixes CVE-2026-54240, CVE-2026-54241
   * Unpackaged upstream version 1.23.0 fixes the following CVEs:
     CVE-2026-50142
   * Unpackaged upstream version 1.22.1 fixes the following CVEs:
     CVE-2026-49271 (Closes: #1140479)
   * Unpackaged upstream version 1.22.0 fixes the following CVEs:
     CVE-2026-3950 (Closes: #1130640), CVE-2026-32738, CVE-2026-32739,
     CVE-2026-32740, CVE-2026-32741, CVE-2026-32814, CVE-2026-32882,
     CVE-2026-41069, CVE-2026-41071 (Closes: #1137524),
     CVE-2026-47178 (Closes: #1140223), CVE-2026-47247, CVE-2026-47251,
     CVE-2026-47254, CVE-2026-47709, CVE-2026-47714, CVE-2026-48029
   * d/control: Bump "Standards-Version" to 4.7.4
   * Update symbols for new upstream version.
   * d/control: Build-depend on libtiff-dev for TIFF support in examples.
   * d/control: Build-depend on libwebp-dev for WebP support in examples.
   * Remove patches no longer necessary.
Checksums-Sha1:
 2c7050677d43ec262b3ed3939bf916343a0f78b7 3844 libheif_1.23.1-1.dsc
 024ebe0237ce6763ee9cb6914c8b5758fea4e5a7 2071186 libheif_1.23.1.orig.tar.gz
 2e90b56a9da321c2aa71fe95e3ad9c28ee114fd9 14164 libheif_1.23.1-1.debian.tar.xz
 10c5f81bc05d3070b8f5bc4e2c9d99715354030d 16073 libheif_1.23.1-1_source.buildinfo
Checksums-Sha256:
 a9c2ea49af68fb13ac57b167cef3325c655fbe66a6f6eba16c1acb6c262d1b25 3844 libheif_1.23.1-1.dsc
 0de0327f60fcd47de90d5654c6fe152232738d60d84fe084ec3e0f35e03b166a 2071186 libheif_1.23.1.orig.tar.gz
 e237289f23bc6607681843de81e9c19429ea5f1ca0f87b880658d08065179181 14164 libheif_1.23.1-1.debian.tar.xz
 43757593befd4990c5cf23938c8ad095d39cd7a82aba66ce77df99d8e98602f5 16073 libheif_1.23.1-1_source.buildinfo
Files:
 c2465f811363b299423e0dbbc54f4329 3844 libs - libheif_1.23.1-1.dsc
 26fd31d0591ab927ef1a638de64cb2da 2071186 libs - libheif_1.23.1.orig.tar.gz
 227331af19ee6fe6a3693f9b0576f227 14164 libs - libheif_1.23.1-1.debian.tar.xz
 826d582d71db5905c7479b6be462e3f2 16073 libs - libheif_1.23.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEvj2K8Ga27IB5Zn/Xd8HSLVPhXwIFAmpEzGoACgkQd8HSLVPh
XwIoog//a96rtPwvHFvO2nAflCAKtD/YqrWohVnRQuNRnGN3lPRJNARpNrHvybw3
yOWOGhd8bse9H3Za9CoE7eh+0pCDoJRkvS6xvSgGRhRmawynavAudqpYkpepMXK4
Nraslqre/9HIgWZqaISpEH1gcid4v9xuTx153CWANn/TVV3NvT+4GqXIMyOWWGUZ
ZKCt3E3SMn14f2G99ySIXRLco+JyIWpQbjWm1r5hUlGrOY89RFmGSf2RjCvCl9Nw
XFtH2pxp0ieRmG2oF4FfePyDzJ79zqd11vAlk4NgAGtz2rwb+k65rkcZVRKbKWnt
c8avKwZFhAJ7+khORb38d1awkTW8ACbCCBQ1Vehlh1Jh37Yzw4kemPqTvaMxzO2+
KRwhdlRuNsG5/g1HyHXUR5p9rcjP36D4DWI9I/t9RmAvVKCp5yLXXHFUfyaDL5Wy
o9VFoWzu10cRBxP6N4i9LTgkEd9u5SeKZn/bnLZN0T65xDpjokbC/Ub99V5O0qqv
3zf8273ycYCHad0bZKqp1FCZLB1jG/sPEksfJ6rF0B5lCMDUR1uInmjJzfRDh3GU
bXkW4Jmft4IPzqwf3O8TwG1cm/XStSRobz5FGUAq3dkGhsR5SaWLnYz8fEWuqgIq
QMpSgAnjsqkWDKHG5qY48i2aKPnxJF7VjW+LAYvx3nF8dSSp/OU=
=0t56
-----END PGP SIGNATURE-----

Attachment: pgpkEYVibnXns.pgp
Description: PGP signature


--- End Message ---