CVE-2018-7998

Source
https://cve.org/CVERecord?id=CVE-2018-7998
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-7998.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-7998
Downstream
Published
2018-03-09T19:29:01.070Z
Modified
2026-02-23T08:14:37.404437Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

In libvips before 8.6.3, a NULL function pointer dereference vulnerability was found in the vips_region_generate function in region.c, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image file. This occurs because of a race condition involving a failed delayed load and other worker threads.

References

Affected packages

Git / github.com/libvips/libvips

Affected ranges

Type
GIT
Repo
https://github.com/libvips/libvips
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v7.*
v7.28.0
v7.30.0
v8.*
v8.0-beta
v8.1
v8.2.2
v8.2.3
v8.3.0
v8.4.2
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.5.9
v8.6.0
v8.6.0-alpha1
v8.6.0-alpha2
v8.6.0-alpha3
v8.6.0-alpha4
v8.6.0-alpha5
v8.6.0-beta1
v8.6.0-beta2
v8.6.1
v8.6.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-7998.json"
vanir_signatures
[
    {
        "id": "CVE-2018-7998-51caee8d",
        "signature_version": "v1",
        "target": {
            "file": "libvips/colour/icc_transform.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_type": "Line",
        "source": "https://github.com/libvips/libvips/commit/29e05dabaf0772bac57bad63b2e09ce1c9298c4b",
        "deprecated": false
    },
    {
        "id": "CVE-2018-7998-c1855c16",
        "signature_version": "v1",
        "target": {
            "file": "libvips/colour/icc_transform.c",
            "function": "vips_icc_import_build"
        },
        "digest": {
            "function_hash": "133729574824333541002856427186533978344",
            "length": 977.0
        },
        "signature_type": "Function",
        "source": "https://github.com/libvips/libvips/commit/29e05dabaf0772bac57bad63b2e09ce1c9298c4b",
        "deprecated": false
    }
]