UbuntuUpdates.org

Package "libheif"

Name: libheif

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • HEIF and AVIF file format decoder and encoder - gdk-pixbuf loader
  • HEIF and AVIF file format decoder and encoder - thumbnailer
  • HEIF and AVIF file format decoder and encoder - examples
  • HEIF and AVIF file format decoder and encoder - aomdec plugin
Latest version: 1.20.2-1ubuntu0.4
Release: questing (25.10)
Level: updates
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "libheif" in Questing

Repository Area Version
base main 1.20.2-1
base universe 1.20.2-1
security main 1.20.2-1ubuntu0.1
security universe 1.20.2-1ubuntu0.4
updates universe 1.20.2-1ubuntu0.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.20.2-1ubuntu0.4 2026-06-18 19:07:32 UTC

  libheif (1.20.2-1ubuntu0.4) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service in Chuck construtor
    - debian/patches/CVE-2026-32738.patch: Check that 'stsc' box does not
      have zero samples per chunk in libheif/sequences/seq_boxes.cc
    - CVE-2026-32738
  * SECURITY UPDATE: Infinite loop for sequences with variable frame-rate.
    - debian/patches/CVE-2026-32739.patch: Fix infinite loop for sequences
      with variable frame-rate in libheif/api/libheif/heif_uncompressed.h
      and libheif/sequences/seq_boxes.cc
    - CVE-2026-32739
  * SECURITY UPDATE: Heap overflow in grid tile compositing.
    - debian/patches/CVE-2026-32740.patch: Fix computation of tile memory
      area for 4:2:0 chroma and odd tile sizes in libheif/pixelimage.cc
    - CVE-2026-32740
  * SECURITY UPDATE: Buffer overflow when reading mask image.
    - debian/patches/CVE-2026-32741.patch: Fix possible buffer overflow when
      reading mask image in libheif/image-items/mask_image.cc
    - CVE-2026-32741
  * SECURITY UPDATE: Information leak in decode.
    - debian/patches/CVE-2026-32814.patch: Initialize allocated memory to
      avoid information leak in
      libheif/image-items/grid.cc and libheif/pixelimage.cc
    - CVE-2026-32814
  * SECURITY UPDATE: Heap overflow in HeifPixelImage.
    - debian/patches/CVE-2026-32882.patch: Fix overlay image with alpha
      channels with stride different from color channel in
      libheif/pixelimage.cc
    - CVE-2026-32882
  * SECURITY UPDATE: Out-of-bounds read in Track::load.
    - debian/patches/CVE-2026-3950.patch: Validate stsc sample coverage
      against stsz/stts in libheif/sequences/track.cc and
      libheif/sequences/seq_boxes.h
    - CVE-2026-3950
  * SECURITY UPDATE: Out-of-bounds read in decoder.
    - debian/patches/CVE-2026-41069.patch: Reject malformed sequence
      files with saiz samples but no chunks in libheif/sequences/track.cc
    - CVE-2026-41069
  * SECURITY UPDATE: Out-of-bounds read in SampleAuxInfoReader
    - debian/patches/CVE-2026-41071.patch: Reject malformed sequence
      files where saiz sample count exceeds actual samples in
      libheif/sequences/track.cc
    - CVE-2026-41071

 -- Kyle Kernick <email address hidden> Tue, 16 Jun 2026 17:02:03 -0600
Source diff to previous version
CVE-2026-32738 libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chun
CVE-2026-32739 libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite lo
CVE-2026-32740 libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the gri
CVE-2026-32741 libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_i
CVE-2026-32814 libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false
CVE-2026-32882 libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in
CVE-2026-3950 A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of th
CVE-2026-41069 libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds
CVE-2026-41071 libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares mo

Version: 1.20.2-1ubuntu0.3 2026-04-15 23:08:25 UTC

  libheif (1.20.2-1ubuntu0.3) questing; urgency=medium

  * d/control: Fix syntax error the libheif-plugin-libde265 Suggests
    dependency.
Source diff to previous version

Version: 1.20.2-1ubuntu0.1 2026-01-12 03:29:29 UTC

  libheif (1.20.2-1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Buffer Overflow
    - debian/patches/CVE-2025-68431.patch: Fix wrong copy width in
      overlay images, thanks to Aldo Ristori
    - CVE-2025-68431

 -- Bruce Cable <email address hidden> Wed, 07 Jan 2026 17:39:50 +1100
CVE-2025-68431 libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path trigg


About   -   Send Feedback to @ubuntu_updates