[Bug 1827442] Re: [MIR] libheif

Balint Reczey balint.reczey at canonical.com
Wed Sep 18 12:11:53 UTC 2019


** Changed in: imagemagick (Ubuntu)
       Status: Invalid => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1827442

Title:
  [MIR] libheif

Status in imagemagick package in Ubuntu:
  Fix Released
Status in libde265 package in Ubuntu:
  New
Status in libheif package in Ubuntu:
  New
Status in x265 package in Ubuntu:
  New

Bug description:
  [Availability]
  Available on all architectures in universe from bionic forward.

  [Rationale]
  This is a new build-dependency added to imagemagick in Debian unstable.  It implements support for decoding ISO/IEC 23008-12:2017 HEIF files, which are not otherwise supported by any libraries in Ubuntu main.

  [Security]
  One vulnerability was reported this year against libheif 1.4.0 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471).  Debian currently has libheif 1.3.2.  According to the upstream issue at https://github.com/strukturag/libheif/issues/123 the vulnerability was first introduced in an unreleased, git-only version of libheif (post-1.4.0), and found and fixed by the upstream community prior to finding its way into a tagged release.  It is not clear to me that the vulnerability in question applies to 1.3.2.

  This is a media file parser, so is security-sensitive because it will
  be processing complex untrusted input.

  [Quality assurance]
  Packaging is lintian-clean using modern dh(1) patterns and shows no problematic bug history in Debian or Ubuntu.

  Package runs make check at build time (debhelper), but has no build-time tests or autopkgtests available.

  [Dependencies]
  Also depends on x265 and libde265 which are in universe.

  [Maintenance]
  Package would be maintained by Ubuntu Foundations Team.
