Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0146 exiv2 security update 11 January 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: exiv2 Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2021-37622 CVE-2021-37621 CVE-2021-37620 CVE-2021-34334 CVE-2021-32815 CVE-2021-29458 CVE-2020-18771 CVE-2019-17402 CVE-2019-14370 CVE-2019-14369 CVE-2019-13504 CVE-2019-13114 CVE-2019-13112 CVE-2019-13110 CVE-2018-20097 CVE-2018-19535 CVE-2018-19108 CVE-2018-19107 CVE-2018-17581 CVE-2018-8976 CVE-2017-18005 CVE-2017-17669 CVE-2017-14864 CVE-2017-14862 CVE-2017-14859 CVE-2017-11591 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html Comment: CVSS (Max): 8.1 CVE-2020-18771 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3265-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Helmut Grohne January 10, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : exiv2 Version : 0.25-4+deb10u4 CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864 CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504 CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771 CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135 932467 946341 987277 992705 992706 This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2. CVE-2017-11591 There is a Floating point exception in the Exiv2::ValueType function that will lead to a remote denial of service attack via crafted input. CVE-2017-14859 An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14862 An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14864 An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-17669 There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A crafted PNG file will lead to a remote denial of service attack. CVE-2017-18005 Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file. CVE-2018-8976 jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file. CVE-2018-17581 CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack consumption due to a recursive function, leading to Denial of service. CVE-2018-19107 Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file. CVE-2018-19108 Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file. CVE-2018-19535 PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file. CVE-2018-20097 There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp. A crafted input will lead to a remote denial of service attack. CVE-2019-13110 A CiffDirectory::readDirectory integer overflow and out-of-bounds read allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file. CVE-2019-13112 A PngChunk::parseChunkContent uncontrolled memory allocation allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file. CVE-2019-13114 http.c allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character. CVE-2019-13504 There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp. CVE-2019-14369 Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a denial of service (heap-based buffer over- read) via a crafted image file. CVE-2019-14370 There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service. CVE-2019-17402 Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. CVE-2020-18771 Exiv2 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak. CVE-2021-29458 An out-of-bounds read was found in Exiv2. The out-of- bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. CVE-2021-32815 The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. CVE-2021-34334 An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. CVE-2021-37620 An out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. CVE-2021-37621 An infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). CVE-2021-37622 An infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). For Debian 10 buster, these problems have been fixed in version 0.25-4+deb10u4. We recommend that you upgrade your exiv2 packages. For the detailed security status of exiv2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exiv2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEETMLS2QqNFlTb+HOqLRqqzyREREIFAmO9misACgkQLRqqzyRE REIBGhAAjDN/9fdrTRF0b/sdwjglAoRVCBLp06EhvdSUhsNNSh94tW1cvFf9sz2Y WCZQWfnA+gVC1axIKzMOvv3XQGcctC9TkkENQBddbQGqqnq3XBGQ4Rn2RfhqDZVI kw7yyabnOg+Vdfgv+m3BQR+soEs+1+YZGR4ElGWlJjWv67t5HPOcm59FGsHMuzgf wjyt4lsR3ij2kf3H8i+oMUe5ovXIUFEsCF53dgF3J8nxTVTmRyd20NrUUKRM/9Gi ntggZjFUHtu+IokKeER1OOrHDWTsQQQlp1TxCMh/Ck2rjzI2EmqWNHTtcThiMywb m87L85oYmRFqP4YtxnLoPQ2rwp/+W5InKcuLSY0byaBTICpRozuiSV4G6UMZUHdD a2fhXXTjZCH+8enphCDZskA+fXGHbGRPqpDk+6Fi9ISnzrQ988ofBwIyHZfXlXi8 3XZR9Jf14zoQR7pOkPbK9SOWUk3AIjnUsC3qLTsqpCAPo2bjt0oXMzKD0AaWQwfS BcOARwsmG4/VIHApF/7oJeOF3jR6J4mzvS6sbpWugLUupb5ZYzvYDp1Z2ok2M13H gPeLFDMNZ6ZsJIxKDcU7PXwpTztGuh0tie40DagB5DqP1BdSGkYjTjlVHPdE4hbg p3RLHi2ZUrhAoG6EivaHHGnlQQk2hq0bnGlrysLuyMjaU65fgDo= =hy63 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY74R+ckNZI30y1K9AQgJZg/8DaDUsDcjx7wNeKePwbjhqbLsn97ciYd8 11XhDgKEI9h8BLpJ7x5k1wGWqp+CyGVDv0TQnnhgGjmlO0K7KmVBlQYNEvbVIV7C bKsG56SwmXCsZ4+XaEKJbvg+MWmBdpe44ZeBjvKrZLDs6JwuoL2Na1bjd5ok12ND iKj9/3Qjb2Jtosd7dgenh5NZ42n9hUw6G6RFzXzld1Ss6kikkWAB+2IoBYvlkmF5 69FJrIvyioDwBYwEB/YQV4fui1n3GyRA8PPGgVscuV/HyboO2RPpj03JdU6fbTHM XXkdhpe5owk0irDbPDIXl6MhJfjsIlfgb9wlRUe6NF0ceTfmO42WSXbQ5RvH5v3E Z79MNAdSEXYbjBHbMLc7kH0YfDrTmuj0Xbsl5GYu1hXVqwZRBvFxPQnZ52IrhRyD rTHICEbxr1zf4EDY6+W/OBZqVFV8R/yIjNG2Fvc7Slm2jVtFywxpLwn/ULpBS1a3 x2q5mUV2ggz5F7wXSYvBSUgAIGGm6M4sGPEEMz46QkWULXHhTzqIT/+xqRBCIhgt cv/UAjUSMiBacMzwAfueJeM0l9R41S22yGvH+9lURYAysLSjHdqoc4Xtj5Gy6eBR hO72ahc2q8Om3LFwLnyrpNLDlGlD0FhMtyrMaaGPU8K6o8m4FXDrzDMXLvbddC1b iRlmnzknX4s= =Dmz/ -----END PGP SIGNATURE-----