security update

libheif-1.20.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68ac9084243004e0ef3633f184eeae85d615fe7e4444373a0a21cebccae9d12a
-size 1787518

libheif-CVE-2025-68431.patch

@@ -0,0 +1,23 @@
+From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 11 Nov 2025 19:47:50 +0100
+Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
+ Ristori for reporting this)
+
+---
+ libheif/pixelimage.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libheif-1.19.7/libheif/pixelimage.cc
+===================================================================
+--- libheif-1.19.7.orig/libheif/pixelimage.cc
++++ libheif-1.19.7/libheif/pixelimage.cc
+@@ -1295,7 +1295,7 @@ Error HeifPixelImage::overlay(std::share
+       if (!has_alpha) {
+         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
+                in_p + in_x0 + y * in_stride,
+-               in_w - in_x0);
++               in_w);
+       }
+       else {
+         for (uint32_t x = in_x0; x < in_w; x++) {

libheif.changes

@@ -1,78 +1,10 @@
 -------------------------------------------------------------------
-Thu Sep 11 12:34:56 UTC 2025 - olaf@aepfle.de
+Tue Jan  6 10:11:07 UTC 2026 - Petr Gajdos <pgajdos@suse.com>
 
-- version 1.20 requires at least ffmpeg 4, so go with version 7+
-
--------------------------------------------------------------------
-Fri Aug  8 00:55:54 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
-
-- update to 1.20.2:
-  - When opening tiled images, do not check against maximum image
-    size immediately to allow for tile-based decoding of very large
-    images.
-  - Several smaller fixes in writing image sequences
-  - CMake option to disable building of heif-view, which pulls in
-    dependency on SDL
-  - Fixes reading/writing of GIMI content IDs
-  - Some build fixes
-
--------------------------------------------------------------------
-Tue Jul 29 08:01:31 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
-
-- Remove conditionals for openh264, we can build against noopenh264
-
--------------------------------------------------------------------
-Sat Jul  5 15:51:19 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
-
-- update to 1.20.1:
-  - Fixes a bug in decoder plugin loading.
-- Changes from 1.20.0:
-  - Sequences:
-    - API for reading and writing image sequences. You can read and
-      write sequences for all codecs (not just H.265 / AV1, but
-      also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently
-      only intra-coded sequences are supported.
-    - API for reading and writing metadata sequences. The metadata
-      tracks can contain any raw timed data.
-    - Support for SAI (sample auxiliary information). Timed samples
-      (from image sequences or metadata) can have auxiliary data
-      attached. Currently we support TAI timestamps and GIMI
-      content description IDs.
-    - Support for track references.
-    - The API for sequences is described here:
-      https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences
-    - New command line tool heif-view to show HEIF sequences
-      (requires libSDL).
-  - Other new features:
-    - You can specify a security limit for the maximum total memory
-      libheif may use for decoding. This is easier to handle than
-      specifying limits on the maximum image size or single memory
-      allocations.
-    - Support for TAI timestamps (in images and sequences) has been
-      promoted from experimental to stable.
-    - FFMPEG plugin now supports HDR decoding
-    - Header files are now split into individual headers by topic.
-      However, it should still be backwards compatible with heif.h
-      being a catch-all covering the old content. For new
-      functionality (sequences, TAI), you will need to include the
-      specific headers.
-    - All struct names of the API are now also typedefs.
-- add build requires for brotli which it looks for since 1.18
-- prepare building heif-view
-
--------------------------------------------------------------------
-Sun Apr 27 20:13:21 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
-
-- update to 1.19.8:
-  * Set essential flag for transformative properties as required by
-    MIAF. This fixes the display of AVIF images with transformations
-    encoded by libheif in Chrome, which checks whether this flag is
-    set. This mainly affected images encoded by ImageMagick.
-  * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF,
-    libheif will not check any security limits. This can be used if a
-    user works with large images and the application software does not
-    allow to adjust the libheif security limits.
-  * Resolved processing 16-bit JPEG-2000
+- security update
+- added patches
+  CVE-2025-68431 [bsc#1255735], heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF that exercises the overlay image item
+  * libheif-CVE-2025-68431.patch
 
 -------------------------------------------------------------------
 Mon Mar  3 18:28:54 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>

libheif.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libheif
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,7 @@
 %define gdk_pixbuf_binary_version 2.10.0
 %bcond_with x265
 %bcond_with kvazaar
+%bcond_with openh264
 %bcond_with openjpeg
 %bcond_with openjph
 %bcond_with svtenc
@@ -42,10 +43,8 @@
 %global force_gcc_version 13
 %endif
 
-%bcond_with heif_view
-
 Name:           libheif%{?psuffix}
-Version:        1.20.2
+Version:        1.19.7
 Release:        0
 Summary:        HEIF/AVIF file format decoder and encoder
 License:        LGPL-3.0-only AND MIT
@@ -53,6 +52,8 @@ Group:          Productivity/Graphics/Other
 URL:            https://github.com/strukturag/libheif
 Source0:        %{url}/releases/download/v%{version}/libheif-%{version}.tar.gz
 Source99:       baselibs.conf
+# CVE-2025-68431 [bsc#1255735], heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF that exercises the overlay image item
+Patch0:        libheif-CVE-2025-68431.patch
 BuildRequires:  chrpath
 BuildRequires:  cmake >= 3.25
 BuildRequires:  fdupes
@@ -61,13 +62,8 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(aom)
 BuildRequires:  pkgconfig(dav1d)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
-BuildRequires:  pkgconfig(libavcodec) >= 61
-BuildRequires:  pkgconfig(libbrotlienc)
+BuildRequires:  pkgconfig(libavcodec)
 BuildRequires:  pkgconfig(libjpeg)
-BuildRequires:  pkgconfig(openh264)
-%if %{with heif_view}
-BuildRequires:  pkgconfig(sdl2)
-%endif
 %if %{with openjpeg}
 BuildRequires:  pkgconfig(libopenjp2)
 %endif
@@ -76,6 +72,9 @@ BuildRequires:  pkgconfig(libwebp)
 %if %{with kvazaar}
 BuildRequires:  pkgconfig(kvazaar)
 %endif
+%if %{with openh264}
+BuildRequires:  pkgconfig(openh264)
+%endif
 %if %{with openjph}
 BuildRequires:  pkgconfig(openjph)
 %endif
@@ -315,8 +314,12 @@ sed -i '/add_libheif_test(encode)/d' tests/CMakeLists.txt
 	-DWITH_OpenJPEG_DECODER_PLUGIN=ON \
 	-DWITH_OpenJPEG_ENCODER=ON \
 	-DWITH_OpenJPEG_ENCODER_PLUGIN=ON \
+%if %{with openh264}
 	-DWITH_OpenH264_DECODER=ON \
 	-DWITH_OpenH264_DECODER_PLUGIN=ON \
+%else
+	-DWITH_OpenH264_DECODER=OFF \
+%endif
 %if %{with openjph}
 	-DWITH_OPENJPH_ENCODER=ON \
 	-DWITH_OPENJPH_ENCODER_PLUGIN=ON \
@@ -410,8 +413,10 @@ rm -f %{buildroot}%{_datadir}/thumbnailers/heif.thumbnailer
 %{_libexecdir}/libheif/libheif-j2kenc.so
 %endif
 
+%if %{with openh264}
 %files openh264
 %{_libexecdir}/libheif/libheif-openh264dec.so
+%endif
 
 %if %{with openjph}
 %files openjph