Candidate: CVE-2018-7998
PublicDate: 2018-03-09 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7998
 https://github.com/jcupitt/libvips/commit/20d840e6da15c1574b3ed998bc92f91d1e36c2a5
 https://github.com/jcupitt/libvips/issues/893
Description:
 In libvips before 8.6.3, a NULL function pointer dereference vulnerability
 was found in the vips_region_generate function in region.c, which allows
 remote attackers to cause a denial of service or possibly have unspecified
 other impact via a crafted image file. This occurs because of a race
 condition involving a failed delayed load and other worker threads.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892589
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H [7.5 HIGH]


Patches_vips:
upstream_vips: released (8.4.5-2)
precise/esm_vips: DNE
trusty_vips: ignored (reached end-of-life)
trusty/esm_vips: DNE (trusty was needs-triage)
xenial_vips: ignored (end of standard support, was needed)
artful_vips: ignored (reached end-of-life)
bionic_vips: needed
cosmic_vips: ignored (reached end-of-life)
disco_vips: not-affected (8.6.3)
eoan_vips: not-affected (8.6.3)
focal_vips: not-affected (8.6.3)
groovy_vips: not-affected (8.6.3)
hirsute_vips: not-affected (8.6.3)
impish_vips: not-affected (8.6.3)
jammy_vips: not-affected (8.6.3)
devel_vips: not-affected (8.6.3)