Your message dated Mon, 19 Jan 2026 17:05:17 +0000
with message-id <[email protected]>
and subject line Bug#1124317: fixed in libheif 1.21.2-1
has caused the Debian Bug report #1124317,
regarding libheif: CVE-2025-68431
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libheif
Version: 1.20.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libheif.

CVE-2025-68431[0]:
| libheif is an HEIF and AVIF file format decoder and encoder. Prior
| to version 1.21.0, a crafted HEIF that exercises the overlay image
| item path triggers a heap buffer over-read in
| `HeifPixelImage::overlay()`. The function computes a negative row
| length (likely from an unclipped overlay rectangle or invalid
| offsets), which then underflows when converted to `size_t` and is
| passed to `memcpy`, causing a very large read past the end of the
| source plane and a crash. Version 1.21.0 contains a patch. As a
| workaround, avoid decoding images using `iovl` overlay boxes.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68431
    https://www.cve.org/CVERecord?id=CVE-2025-68431
[1] https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq
[2] https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
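As an added illustration of the failure mode the advisory describes (this is not libheif's code; the types, function names and the 8-bit single-plane layout below are hypothetical simplifications): the unclipped row-length computation that can go negative, beside a clipping routine that intersects the overlay rectangle with the canvas in signed arithmetic and reports an empty region before any length is cast to size_t and handed to memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified overlay geometry (not libheif's real types). */
typedef struct { int32_t x0, y0, width, height; } OverlayRect;

static int64_t min64(int64_t a, int64_t b) { return a < b ? a : b; }
static int64_t max64(int64_t a, int64_t b) { return a > b ? a : b; }

/* The pattern the advisory describes: a row length derived from an unclipped
   overlay rectangle. When the offset pushes the overlay past the canvas edge the
   result goes negative, and a cast to size_t turns it into a huge memcpy length. */
int32_t unclipped_row_length(int32_t canvas_w, int32_t ov_w, int32_t off_x)
{
    int32_t avail = canvas_w - off_x;          /* negative if off_x > canvas_w */
    return avail < ov_w ? avail : ov_w;
}

/* Hardened form: intersect the overlay with the canvas in signed 64-bit
   arithmetic and return 0 (nothing to copy) instead of a negative size. */
int clip_overlay(int32_t canvas_w, int32_t canvas_h, int32_t ov_w, int32_t ov_h,
                 int32_t off_x, int32_t off_y, OverlayRect *out)
{
    if (canvas_w <= 0 || canvas_h <= 0 || ov_w <= 0 || ov_h <= 0) return 0;
    int64_t x0 = max64(off_x, 0), y0 = max64(off_y, 0);
    int64_t x1 = min64((int64_t)off_x + ov_w, canvas_w);
    int64_t y1 = min64((int64_t)off_y + ov_h, canvas_h);
    if (x1 <= x0 || y1 <= y0) return 0;        /* overlay lies entirely outside */
    out->x0 = (int32_t)x0; out->y0 = (int32_t)y0;
    out->width = (int32_t)(x1 - x0); out->height = (int32_t)(y1 - y0);
    return 1;
}

/* Copy only the clipped rows of an 8-bit plane (stride == width) into the
   canvas. Returns the number of rows copied; every memcpy length is >= 1. */
int32_t blit_overlay(uint8_t *canvas, int32_t canvas_w, int32_t canvas_h,
                     const uint8_t *ov, int32_t ov_w, int32_t ov_h,
                     int32_t off_x, int32_t off_y)
{
    OverlayRect r;
    if (!clip_overlay(canvas_w, canvas_h, ov_w, ov_h, off_x, off_y, &r)) return 0;
    for (int32_t y = 0; y < r.height; y++) {
        /* r.x0 >= off_x and r.y0 >= off_y by construction, so these are non-negative */
        const uint8_t *src = ov + (size_t)(r.y0 - off_y + y) * (size_t)ov_w + (size_t)(r.x0 - off_x);
        uint8_t *dst = canvas + (size_t)(r.y0 + y) * (size_t)canvas_w + (size_t)r.x0;
        memcpy(dst, src, (size_t)r.width);
    }
    return r.height;
}
```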
--- Begin Message ---
Source: libheif
Source-Version: 1.21.2-1
Done: Joachim Bauch <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libheif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Bauch <[email protected]> (supplier of updated libheif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 19 Jan 2026 16:27:41 +0100
Source: libheif
Architecture: source
Version: 1.21.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Joachim Bauch <[email protected]>
Closes: 1124317
Changes:
 libheif (1.21.2-1) unstable; urgency=medium
 .
   * New upstream version 1.21.2
     - Fixes CVE-2025-68431 (Closes: #1124317).
   * Remove patches applied upstream.
   * Update symbols for new upstream version.
   * d/control: Update build dependencies for cmake AOM detection.
   * d/control: Update Standards-Version to 4.7.3 and remove optional priority.



--- End Message ---
