CVE-2019-6976 - Use of Uninitialized Resource vulnerability in Libvips
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: NONE
- Availability impact: NONE

Summary
libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.
References
- https://blog.silentsignal.eu/2019/04/18/drop-by-drop-bleeding-through-libvips/
- https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69d0a
- https://github.com/libvips/libvips/releases/tag/v8.7.4