===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.5503
                          exempi security update
                             26 September 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exempi
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-42532 CVE-2021-42531 CVE-2021-42530
                   CVE-2021-42529 CVE-2021-42528 CVE-2021-40732
                   CVE-2021-40716 CVE-2021-39847 CVE-2021-36064
                   CVE-2021-36058 CVE-2021-36057 CVE-2021-36056
                   CVE-2021-36055 CVE-2021-36054 CVE-2021-36053
                   CVE-2021-36052 CVE-2021-36051 CVE-2021-36050
                   CVE-2021-36048 CVE-2021-36047 CVE-2021-36046
                   CVE-2021-36045 CVE-2020-18652 CVE-2020-18651

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/09/msg00032.html

Comment: CVSS (Max):  7.8 CVE-2021-42532 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: [Adobe Systems Incorporated], NIST
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3585-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
September 25, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : exempi
Version        : 2.5.0-2+deb10u1
CVE ID         : CVE-2020-18651 CVE-2020-18652 CVE-2021-36045 CVE-2021-36046 
                 CVE-2021-36047 CVE-2021-36048 CVE-2021-36050 CVE-2021-36051 
                 CVE-2021-36052 CVE-2021-36053 CVE-2021-36054 CVE-2021-36055 
                 CVE-2021-36056 CVE-2021-36057 CVE-2021-36058 CVE-2021-36064 
                 CVE-2021-39847 CVE-2021-40716 CVE-2021-40732 CVE-2021-42528
                 CVE-2021-42529 CVE-2021-42530 CVE-2021-42531 CVE-2021-42532

Multiple vulnerabilities were found in exempi, an implementation of XMP
(Extensible Metadata Platform).

CVE-2020-18651

    A buffer overflow vulnerability was found in the function
    ID3_Support::ID3v2Frame::getFrameValue that allows remote
    attackers to cause a denial of service.

CVE-2020-18652

    A buffer overflow vulnerability was found in
    WEBP_Support.cpp that allows remote attackers to cause a
    denial of service.

CVE-2021-36045

    An out-of-bounds read vulnerability was found
    that could lead to disclosure of arbitrary memory.

CVE-2021-36046

    A memory corruption vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36047

    An improper input validation vulnerability was found,
    potentially resulting in arbitrary
    code execution in the context of the current user.

CVE-2021-36048

    An improper input validation vulnerability was found,
    potentially resulting in arbitrary
    code execution in the context of the current user.

CVE-2021-36050

    A buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36051

    A buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36052

    A memory corruption vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36053

    An out-of-bounds read vulnerability was found
    that could lead to disclosure of arbitrary memory.

CVE-2021-36054

    A buffer overflow vulnerability was found potentially
    resulting in local application denial of service.

CVE-2021-36055

    A use-after-free vulnerability was found that could
    result in arbitrary code execution.

CVE-2021-36056

    A buffer overflow vulnerability was found, potentially
    resulting in arbitrary code execution in the context of
    the current user.

CVE-2021-36057

    A write-what-where condition vulnerability was found,
    caused during the application's memory allocation process.
    This may cause the memory management functions to become
    mismatched, resulting in local application denial of service
    in the context of the current user.

CVE-2021-36058

    An Integer Overflow vulnerability was found, potentially
    resulting in application-level denial of service in the
    context of the current user.

CVE-2021-36064

    A buffer underflow vulnerability was found which
    could result in arbitrary code execution in the context
    of the current user.

CVE-2021-39847

    A stack-based buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution in the
    context of the current user.

CVE-2021-40716

    An out-of-bounds read vulnerability was found that
    could lead to disclosure of sensitive memory.

CVE-2021-40732

    A null pointer dereference vulnerability was found
    that could result in leaking data from certain memory
    locations and cause a local denial of service.

CVE-2021-42528

    A Null pointer dereference vulnerability was found
    when parsing a specially crafted file. An unauthenticated attacker
    could leverage this vulnerability to achieve an application
    denial-of-service in the context of the current user.

CVE-2021-42529

    A stack-based buffer overflow vulnerability was found
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-42530

    A stack-based buffer overflow vulnerability was found
    potentially resulting in arbitrary code execution in the
    context of the current user.

CVE-2021-42531

    A stack-based buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution in
    the context of the current user.

CVE-2021-42532

    A stack-based buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution in the
    context of the current user.

For Debian 10 buster, these problems have been fixed in version
2.5.0-2+deb10u1.

We recommend that you upgrade your exempi packages.
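
To verify that the installed package is at or after the fixed version named above, the following added Python example (not part of the Debian advisory or of exempi) ports dpkg's version ordering so the comparison can also be run off-host, for example against inventory exports; the `libexempi*` binary package names in the comment are assumed, and the dpkg-query output it consumes is something you capture yourself.

```python
import re

FIXED_VERSION = "2.5.0-2+deb10u1"  # fixed exempi version named in DLA-3585-1

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before end-of-string (0), letters before others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision pair the way dpkg's verrevcmp() does."""
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    n = max(len(ta), len(tb))
    ta += [("", "")] * (n - len(ta))
    tb += [("", "")] * (n - len(tb))
    for (sa, na), (sb, nb) in zip(ta, tb):
        # Non-digit run: pad the shorter with 0 (end-of-string) so that '~' (-1) loses.
        m = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (m - len(sa))
        kb = [_order(c) for c in sb] + [0] * (m - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(na or 0), int(nb or 0)  # numeric run; leading zeros insignificant
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version: str) -> tuple:
    """[epoch:]upstream[-revision]; epoch defaults to 0, revision to an empty string."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 following Debian policy: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def check_dpkg_query(output: str, fixed: str = FIXED_VERSION) -> dict:
    # Input: "package<TAB>version" lines (dpkg-query -W -f='${binary:Package}\t${Version}\n' 'libexempi*');
    # result maps package -> True when the installed version is at or after `fixed`.
    rows = (ln.split("\t", 1) for ln in output.splitlines() if ln.strip())
    return {pkg: compare_versions(ver, fixed) >= 0 for pkg, ver in rows}
```

Note that a backport such as 2.5.0-2~bpo10+1 still compares below the fixed version, because '~' sorts before everything in dpkg ordering.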

For the detailed security status of exempi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exempi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================