Marked for autoremoval on 07 November: #941097 (severity: high)
Version 8.7.4-1 of vips is marked for autoremoval from testing on Thu 07 Nov 2019. It is affected by #941097. The removal of vips will also cause the removal of (transitive) reverse dependency: nip2. You should try to prevent the removal by fixing these RC bugs.
CVE-2019-17534: vips_foreign_load_gif_scan_image in foreign/gifload.c in libvips before 8.8.2 tries to access a color map before a DGifGetImageDesc call, leading to a use-after-free.
2 issues skipped by the security teams:
CVE-2019-6976: libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.
CVE-2018-7998: In libvips before 8.6.3, a NULL function pointer dereference vulnerability was found in the vips_region_generate function in region.c, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image file. This occurs because of a race condition involving a failed delayed load and other worker threads.
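To make the failure mode behind CVE-2019-6976 concrete, here is an added C example; it is not libvips code and does not reproduce the iofuncs/memory.c change. The decoder, the 64-byte image size, the input data and the function names (`decode_into`, `render_unzeroed`, `render_zeroed`, `tail_nonzero_bytes`) are all hypothetical. It shows the general pattern: an output buffer is allocated without zeroing, a corrupt or truncated input makes the decoder stop early, and the unwritten tail of the buffer, still holding whatever the heap held before, is emitted as image data. The fix is to zero the allocation (and, separately, to treat a short decode as an error).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8x8 8-bit image; the size is chosen for the example only. */
#define PIXELS 64

/* Hypothetical decoder: copies up to PIXELS bytes of a (possibly truncated)
 * input into the output buffer and returns how many bytes it wrote. A short
 * count means the input was corrupt and bytes [written, PIXELS) were never
 * touched. */
static size_t decode_into(uint8_t *out, const uint8_t *in, size_t n)
{
    size_t copied = n < PIXELS ? n : PIXELS;
    memcpy(out, in, copied);
    return copied;
}

/* Vulnerable pattern (the class CVE-2019-6976 describes): malloc() without
 * zeroing, and the image is handed out even though fewer than PIXELS bytes
 * were written. The tail is stale process memory. */
uint8_t *render_unzeroed(const uint8_t *in, size_t n, size_t *written)
{
    uint8_t *out = malloc(PIXELS);
    if (!out)
        return NULL;
    *written = decode_into(out, in, n);
    return out;
}

/* Hardened pattern: calloc() so an unwritten tail can only contain zeros.
 * Callers should still reject a short decode; zeroing bounds the damage
 * when they do not. */
uint8_t *render_zeroed(const uint8_t *in, size_t n, size_t *written)
{
    uint8_t *out = calloc(PIXELS, 1);
    if (!out)
        return NULL;
    *written = decode_into(out, in, n);
    return out;
}

/* Count non-zero bytes in the part of the buffer the decoder never wrote. */
size_t tail_nonzero_bytes(const uint8_t *buf, size_t written)
{
    size_t count = 0;
    for (size_t i = written; i < PIXELS; i++)
        if (buf[i] != 0)
            count++;
    return count;
}

int main(void)
{
    /* Plant a "secret" in the heap and free it. Whether the next same-sized
     * allocation reuses this chunk is allocator-dependent, but with glibc it
     * usually does, so the unzeroed render below leaks most of the 'S' bytes. */
    uint8_t *secret = malloc(PIXELS);
    if (!secret)
        return 1;
    memset(secret, 'S', PIXELS);
    free(secret);

    /* Constructed truncated input: only 16 of 64 pixel bytes present. */
    uint8_t truncated[16];
    memset(truncated, 0x11, sizeof truncated);
    size_t written = 0;

    uint8_t *bad = render_unzeroed(truncated, sizeof truncated, &written);
    if (!bad)
        return 1;
    printf("unzeroed: %zu of %zu unwritten tail bytes are non-zero (stale heap)\n",
           tail_nonzero_bytes(bad, written), (size_t)PIXELS - written);
    free(bad);

    uint8_t *good = render_zeroed(truncated, sizeof truncated, &written);
    if (!good)
        return 1;
    printf("zeroed:   %zu of %zu unwritten tail bytes are non-zero\n",
           tail_nonzero_bytes(good, written), (size_t)PIXELS - written);
    free(good);
    return 0;
}
```

The unzeroed count varies by allocator and is not something to assert on; the zeroed count is always 0, which is the property the fix guarantees regardless of how the decoder fails.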