security update

libheif-1.21.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9799b4b1c19006f052bcf399c761cc147e279762683cefaf16871dbb9b4ea2a1
-size 1854592

libheif-CVE-2025-68431.patch

@@ -0,0 +1,23 @@
+From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 11 Nov 2025 19:47:50 +0100
+Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
+ Ristori for reporting this)
+
+---
+ libheif/pixelimage.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libheif-1.19.7/libheif/pixelimage.cc
+===================================================================
+--- libheif-1.19.7.orig/libheif/pixelimage.cc
++++ libheif-1.19.7/libheif/pixelimage.cc
+@@ -1295,7 +1295,7 @@ Error HeifPixelImage::overlay(std::share
+       if (!has_alpha) {
+         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
+                in_p + in_x0 + y * in_stride,
+-               in_w - in_x0);
++               in_w);
+       }
+       else {
+         for (uint32_t x = in_x0; x < in_w; x++) {

libheif.changes

@@ -1,106 +1,10 @@
 -------------------------------------------------------------------
-Sat Jan  3 17:48:42 UTC 2026 - Arjen de Korte <suse+build@de-korte.org>
+Tue Jan  6 10:11:07 UTC 2026 - Petr Gajdos <pgajdos@suse.com>
 
-- update to 1.21.1:
-  * This patch release only fixes a build error with some GCC versions
-    because of a missing #include.
-
-- update to 1.21.0:
-  * This release adds full support for reading and writing HEIF image
-    sequences. libheif will now encode HEIF image sequences with all
-    included codecs.
-  * Since HEIF image sequences are very similar to MP4 videos, this new
-    version is also capable of decoding most MP4 videos (without audio,
-    of course).
-  * heif-enc documentation for sequence encoding
-  * API documentation for reading and writing sequences
-  * Support for image sequences with alpha channels. For most codecs,
-    the alpha channel will be stored in a separate, auxiliary,
-    monochrome track. For ISO/IEC 23001-17 (uncompressed) streams, the
-    alpha channel is stored in the main video track.
-  * Support for sequence track edit lists to define the number of
-    sequence repetitions (without actually repeating the video data).
-  * New encoder plugin using x264 to write H.264-compressed video
-    streams and images.
-  * The FFmpeg decoder plugin will now decode both H.265 and H.264.
-  * Support for HEIF text items and language properties.
-  * CVEs fixed: CVE-2025-68431
-
--------------------------------------------------------------------
-Thu Sep 11 12:34:56 UTC 2025 - olaf@aepfle.de
-
-- version 1.20 requires at least ffmpeg 4, so go with version 7+
-
--------------------------------------------------------------------
-Fri Aug  8 00:55:54 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
-
-- update to 1.20.2:
-  - When opening tiled images, do not check against maximum image
-    size immediately to allow for tile-based decoding of very large
-    images.
-  - Several smaller fixes in writing image sequences
-  - CMake option to disable building of heif-view, which pulls in
-    dependency on SDL
-  - Fixes reading/writing of GIMI content IDs
-  - Some build fixes
-
--------------------------------------------------------------------
-Tue Jul 29 08:01:31 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
-
-- Remove conditionals for openh264, we can build against noopenh264
-
--------------------------------------------------------------------
-Sat Jul  5 15:51:19 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
-
-- update to 1.20.1:
-  - Fixes a bug in decoder plugin loading.
-- Changes from 1.20.0:
-  - Sequences:
-    - API for reading and writing image sequences. You can read and
-      write sequences for all codecs (not just H.265 / AV1, but
-      also JPEG-2000, ISO-23001-17 uncompressed, ...). Currently
-      only intra-coded sequences are supported.
-    - API for reading and writing metadata sequences. The metadata
-      tracks can contain any raw timed data.
-    - Support for SAI (sample auxiliary information). Timed samples
-      (from image sequences or metadata) can have auxiliary data
-      attached. Currently we support TAI timestamps and GIMI
-      content description IDs.
-    - Support for track references.
-    - The API for sequences is described here:
-      https://github.com/strukturag/libheif/wiki/Reading-and-Writing-Sequences
-    - New command line tool heif-view to show HEIF sequences
-      (requires libSDL).
-  - Other new features:
-    - You can specify a security limit for the maximum total memory
-      libheif may use for decoding. This is easier to handle than
-      specifying limits on the maximum image size or single memory
-      allocations.
-    - Support for TAI timestamps (in images and sequences) has been
-      promoted from experimental to stable.
-    - FFMPEG plugin now supports HDR decoding
-    - Header files are now split into individual headers by topic.
-      However, it should still be backwards compatible with heif.h
-      being a catch-all covering the old content. For new
-      functionality (sequences, TAI), you will need to include the
-      specific headers.
-    - All struct names of the API are now also typedefs.
-- add build requires for brotli which it looks for since 1.18
-- prepare building heif-view
-
--------------------------------------------------------------------
-Sun Apr 27 20:13:21 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
-
-- update to 1.19.8:
-  * Set essential flag for transformative properties as required by
-    MIAF. This fixes the display of AVIF images with transformations
-    encoded by libheif in Chrome, which checks whether this flag is
-    set. This mainly affected images encoded by ImageMagick.
-  * If the environment variable LIBHEIF_SECURITY_LIMITS is set to OFF,
-    libheif will not check any security limits. This can be used if a
-    user works with large images and the application software does not
-    allow to adjust the libheif security limits.
-  * Resolved processing 16-bit JPEG-2000
+- security update
+- added patches
+  CVE-2025-68431 [bsc#1255735], heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF that exercises the overlay image item
+  * libheif-CVE-2025-68431.patch
 
 -------------------------------------------------------------------
 Mon Mar  3 18:28:54 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>

libheif.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libheif
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,9 +26,9 @@
 %endif
 
 %define gdk_pixbuf_binary_version 2.10.0
-%bcond_with x264
 %bcond_with x265
 %bcond_with kvazaar
+%bcond_with openh264
 %bcond_with openjpeg
 %bcond_with openjph
 %bcond_with svtenc
@@ -43,10 +43,8 @@
 %global force_gcc_version 13
 %endif
 
-%bcond_with heif_view
-
 Name:           libheif%{?psuffix}
-Version:        1.21.1
+Version:        1.19.7
 Release:        0
 Summary:        HEIF/AVIF file format decoder and encoder
 License:        LGPL-3.0-only AND MIT
@@ -54,6 +52,8 @@ Group:          Productivity/Graphics/Other
 URL:            https://github.com/strukturag/libheif
 Source0:        %{url}/releases/download/v%{version}/libheif-%{version}.tar.gz
 Source99:       baselibs.conf
+# CVE-2025-68431 [bsc#1255735], heap buffer over-read in `HeifPixelImage::overlay()` via crafted HEIF that exercises the overlay image item
+Patch0:        libheif-CVE-2025-68431.patch
 BuildRequires:  chrpath
 BuildRequires:  cmake >= 3.25
 BuildRequires:  fdupes
@@ -62,13 +62,8 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(aom)
 BuildRequires:  pkgconfig(dav1d)
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0)
-BuildRequires:  pkgconfig(libavcodec) >= 61
-BuildRequires:  pkgconfig(libbrotlienc)
+BuildRequires:  pkgconfig(libavcodec)
 BuildRequires:  pkgconfig(libjpeg)
-BuildRequires:  pkgconfig(openh264)
-%if %{with heif_view}
-BuildRequires:  pkgconfig(sdl2)
-%endif
 %if %{with openjpeg}
 BuildRequires:  pkgconfig(libopenjp2)
 %endif
@@ -77,6 +72,9 @@ BuildRequires:  pkgconfig(libwebp)
 %if %{with kvazaar}
 BuildRequires:  pkgconfig(kvazaar)
 %endif
+%if %{with openh264}
+BuildRequires:  pkgconfig(openh264)
+%endif
 %if %{with openjph}
 BuildRequires:  pkgconfig(openjph)
 %endif
@@ -84,9 +82,6 @@ BuildRequires:  pkgconfig(rav1e)
 %if %{with svtenc}
 BuildRequires:  pkgconfig(SvtAv1Enc)
 %endif
-%if %{with x264}
-BuildRequires:  pkgconfig(x264)
-%endif
 %if %{with x265}
 BuildRequires:  pkgconfig(libde265)
 BuildRequires:  pkgconfig(x265)
@@ -216,17 +211,6 @@ Requires:       libheif1 = %{version}-%{release}
 This plugin provides the SVT-AV1 encoder for AVIF to libheif. Packaged separately
 so that the libraries it requires are not pulled in by default by libheif.
 
-%package x264
-Summary:        Pluging for X264 encoder
-Group:          System/Libraries
-Supplements:    libheif1
-Requires:       libheif1 = %{version}-%{release}
-
-%description x264
-This plugin provides the X264 encoder to write H.264-compressed video to libheif.
-Packaged separately so that the libraries it requires are not pulled in by
-default by libheif.
-
 %package HEIF
 Summary:        Plugin for HEIF decoder and encoder
 Group:          System/Libraries
@@ -296,12 +280,6 @@ sed -i '/add_libheif_test(encode)/d' tests/CMakeLists.txt
 	-DWITH_AOM_ENCODER_PLUGIN=ON \
 	-DWITH_DAV1D=ON \
 	-DWITH_DAV1D_PLUGIN=ON \
-%if %{with x264}
-	-DWITH_X264=ON \
-	-DWITH_X264_PLUGIN=ON \
-%else
-	-DWITH_X264=OFF \
-%endif
 %if %{with x265}
 	-DWITH_X265=ON \
 	-DWITH_LIBDE265=ON \
@@ -336,8 +314,12 @@ sed -i '/add_libheif_test(encode)/d' tests/CMakeLists.txt
 	-DWITH_OpenJPEG_DECODER_PLUGIN=ON \
 	-DWITH_OpenJPEG_ENCODER=ON \
 	-DWITH_OpenJPEG_ENCODER_PLUGIN=ON \
+%if %{with openh264}
 	-DWITH_OpenH264_DECODER=ON \
 	-DWITH_OpenH264_DECODER_PLUGIN=ON \
+%else
+	-DWITH_OpenH264_DECODER=OFF \
+%endif
 %if %{with openjph}
 	-DWITH_OPENJPH_ENCODER=ON \
 	-DWITH_OPENJPH_ENCODER_PLUGIN=ON \
@@ -431,8 +413,10 @@ rm -f %{buildroot}%{_datadir}/thumbnailers/heif.thumbnailer
 %{_libexecdir}/libheif/libheif-j2kenc.so
 %endif
 
+%if %{with openh264}
 %files openh264
 %{_libexecdir}/libheif/libheif-openh264dec.so
+%endif
 
 %if %{with openjph}
 %files openjph
@@ -447,11 +431,6 @@ rm -f %{buildroot}%{_datadir}/thumbnailers/heif.thumbnailer
 %{_libexecdir}/libheif/libheif-svtenc.so
 %endif
 
-%if %{with x264}
-%files x264
-%{_libexecdir}/libheif/libheif-x264.so
-%endif
-
 %if %{with x265}
 %files HEIF
 %{_libexecdir}/libheif/libheif-libde265.so