• Bug#1105883: libavif: CVE-2025-48175

    From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 17:50:01 2025
    Source: libavif
    Version: 1.2.1-1
    Severity: grave
    Tags: security upstream
    Forwarded: https://github.com/AOMediaCodec/libavif/pull/2769
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for libavif.

    CVE-2025-48175[0]:
    | In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer
    | overflows in multiplications involving rgbRowBytes, yRowBytes,
    | uRowBytes, and vRowBytes.

    The report at [1] is not public yet at the time of writing this bug report.

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-48175
    https://www.cve.org/CVERecord?id=CVE-2025-48175
    [1] https://github.com/AOMediaCodec/libavif/security/advisories/GHSA-762c-2538-h844
    [2] https://github.com/AOMediaCodec/libavif/pull/2769


    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
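An added example (my own C, not libavif's code) of the arithmetic class the CVE text above describes: multiplying uint32_t row byte counts wraps silently, while widening one operand to size_t (the approach discussed later in this thread) or checking the product before use does not. The function names and the sample sizes are hypothetical and constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libavif code. Models the arithmetic class the CVE text
 * describes: a per-row byte count (rowBytes) multiplied by a row count. The
 * function names and the sample values below are hypothetical/constructed. */

/* The problematic pattern: every operand is uint32_t, so the product is
 * computed in 32 bits and wraps silently past UINT32_MAX (well defined for
 * unsigned types, but the resulting size or offset is simply wrong). */
uint32_t plane_bytes_u32(uint32_t rowBytes, uint32_t rows) {
    return rowBytes * rows;
}

/* Widened version: casting one operand to size_t first makes the whole
 * multiplication happen in size_t. With a 64-bit size_t this cannot wrap
 * for two 32-bit inputs; with a 32-bit size_t it still can. */
size_t plane_bytes_widened(uint32_t rowBytes, uint32_t rows) {
    return (size_t)rowBytes * rows;
}

/* Checked version: verify the product is representable before computing it,
 * so correctness does not depend on the width of size_t or on the caller's
 * input types. Returns false instead of producing a wrapped value. */
bool mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return false;
    }
    *out = a * b;
    return true;
}

/* Constructed input: 65536-byte rows (e.g. width 16384 at 4 bytes/pixel)
 * and 65536 rows. The true plane size is 2^32 bytes. */
int main(void) {
    uint32_t rowBytes = 65536u, rows = 65536u;
    size_t n;
    printf("uint32_t product: %u\n", plane_bytes_u32(rowBytes, rows));  /* 0 */
    printf("size_t product:   %zu\n", plane_bytes_widened(rowBytes, rows));
    if (mul_size_checked(rowBytes, rows, &n))
        printf("checked product:  %zu\n", n);
    else
        printf("checked product:  rejected (would overflow)\n");
    return 0;
}
```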
  • From Debian Bug Tracking System@21:1/5 to All on Sat May 17 16:20:02 2025
    Processing control commands:

    tags 1105883 + patch
    Bug #1105883 [src:libavif] libavif: CVE-2025-48175
    Added tag(s) patch.
    tags 1105883 + pending
    Bug #1105883 [src:libavif] libavif: CVE-2025-48175
    Added tag(s) pending.
    tags 1105885 + patch
    Bug #1105885 [src:libavif] libavif: CVE-2025-48174
    Added tag(s) patch.
    tags 1105885 + pending
    Bug #1105885 [src:libavif] libavif: CVE-2025-48174
    Added tag(s) pending.

    --
    1105883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105883
    1105885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105885
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Sat May 17 18:00:01 2025

    Your message dated Sat, 17 May 2025 15:49:05 +0000
    with message-id <E1uGJmb-00CV8x-Mr@fasolo.debian.org>
    and subject line Bug#1105883: fixed in libavif 1.2.1-1.1
    has caused the Debian Bug report #1105883,
    regarding libavif: CVE-2025-48175
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1105883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105883
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Carlos Henrique Lima Melara@21:1/5 to All on Sat May 24 05:30:01 2025
    Hi Salvatore and Boyuan,

    I saw libavif is marked in dsa-needed and Salvatore is working on it.
    I'm also working on it (started today) as part of (E)LTS work sponsored
    by Freexian and would like to offer help here.

    The upload to unstable was on 17th and there wasn't a DSA so far, so I'm
    assuming other stuff got in the way and/or it's not an easy backport.
    I'll work more on it tomorrow but I'd like to provide what I've
    accomplished so far in case any of you wants to start before me
    (timezone differences are hard!).

    CVE-2025-48174 was easier to fix, though the proper apparatus to handle
    AVIF_RESULT_INVALID_ARGUMENT was introduced later and is a big change,
    so I've decided to not backport and just exit on overflow.

    CVE-2025-48175 is a bit more tricky because the code is different.
    [1b4ce5ca24a] introduces the local variables to make the code easier to
    read and the CVE was identified on them. Changing some of them to size_t
    is the fix so multiplication is conducted in size_t. On bookworm, the
    variable used for calculations is also uint32_t, but it is encapsulated in
    avifRGBImage which is a publicly exposed struct. So changing it can break
    the ABI and I assume is a no go for a stable update. This is the point
    where I stopped today (need to sleep now!). I was thinking about either
    cherry-picking [1b4ce5ca24a] or trying to cast to size_t in the
    multiplication to avoid the overflow. Will think harder about it
    tomorrow.

    Anyway, I'll send what I have now in the hope it can be helpful to you.

    Cheers,
    Charles

    [1b4ce5ca24a]: https://github.com/AOMediaCodec/libavif/commit/1b4ce5ca24a

    diff -Nru libavif-0.11.1/debian/changelog libavif-0.11.1/debian/changelog
    --- libavif-0.11.1/debian/changelog 2022-10-25 12:39:25.000000000 -0300
    +++ libavif-0.11.1/debian/changelog 2025-05-23 23:37:21.000000000 -0300
    @@ -1,3 +1,12 @@
    +libavif (0.11.1-1+deb12u1) bookworm-security; urgency=medium
    +
    + * Non-maintainer upload by the Security Team.
    + * d/p/CVE-2025-48174.patch: backport patch to fix CVE-2025-48174.
    + (Closes: #1105885)
    + - Integer overflow resulting in buffer overflow.
    +
    + -- Carlos Henrique Lima Melara <charlesmelara@riseup.net> Fri, 23 May 2025 23:37:21 -0300
    +
    libavif (0.11.1-1) unstable; urgency=medium

    * New upstream version 0.11.1.
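Review bot: the new changelog entry closes only #1105885 (CVE-2025-48174); this bug, #1105883 / CVE-2025-48175, has no entry and no Closes, so before upload it needs its own line once the fix described in the message is done. Since the backport exits on overflow rather than carrying upstream's AVIF_RESULT_INVALID_ARGUMENT handling, the entry should say so, e.g. `- Integer overflow resulting in buffer overflow; the backport aborts on overflow instead of returning an error.`, because that is a user-visible behaviour difference from upstream. Also check that `* Non-maintainer upload by the Security Team.` matches who actually uploads, as the message describes this as (E)LTS work.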
    diff -Nru libavif-0.11.1/debian/patches/CVE-2025-48174.patch libavif-0.11.1/debian/patches/CVE-2025-48174.patch
    --- libavif-0.11.1/debian/patches/CVE-2025-48174.patch 1969-12-31 21:00:00.000000000 -0300
    +++ libavif-0.11.1/debian/patches/CVE-2025-48174.patch 2025-05-23 23:37:21.000000000 -0300
    @@ -0,0 +1,39 @@
    +From 50a743062938a3828581d725facc9c2b92a1d109 Mon Sep 17 00:00:00 2001
    +From: DanisJiang <43
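Review bot: the patch file as shown is a raw git format-patch export (`From 50a743062938a3828581d725facc9c2b92a1d109 ...`, `From: DanisJiang ...`); it should carry a DEP-3 header with `Origin:` pointing at that upstream commit and `Bug-Debian: https://bugs.debian.org/1105885`, and, because the backport exits on overflow instead of returning AVIF_RESULT_INVALID_ARGUMENT as upstream does, a note of that deviation so the next maintainer knows it is not a verbatim cherry-pick.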
  • From Debian Bug Tracking System@21:1/5 to All on Fri May 30 22:00:02 2025

    Your message dated Fri, 30 May 2025 19:48:22 +0000
    with message-id <E1uL5iI-00B76n-Qs@fasolo.debian.org>
    and subject line Bug#1105883: fixed in libavif 0.11.1-1+deb12u1
    has caused the Debian Bug report #1105883,
    regarding libavif: CVE-2025-48175
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1105883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105883
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
