Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.0146
exiv2 security update
11 January 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: exiv2
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2021-37622 CVE-2021-37621 CVE-2021-37620
CVE-2021-34334 CVE-2021-32815 CVE-2021-29458
CVE-2020-18771 CVE-2019-17402 CVE-2019-14370
CVE-2019-14369 CVE-2019-13504 CVE-2019-13114
CVE-2019-13112 CVE-2019-13110 CVE-2018-20097
CVE-2018-19535 CVE-2018-19108 CVE-2018-19107
CVE-2018-17581 CVE-2018-8976 CVE-2017-18005
CVE-2017-17669 CVE-2017-14864 CVE-2017-14862
CVE-2017-14859 CVE-2017-11591
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
Comment: CVSS (Max): 8.1 CVE-2020-18771 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3265-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Helmut Grohne
January 10, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : exiv2
Version : 0.25-4+deb10u4
CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864
CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581
CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097
CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504
CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771
CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620
CVE-2021-37621 CVE-2021-37622
Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135
932467 946341 987277 992705 992706
This update fixes a number of memory access violations and other input
validation failures that can be triggered by passing specially crafted files to
exiv2.
CVE-2017-11591
There is a Floating point exception in the Exiv2::ValueType function that
will lead to a remote denial of service attack via crafted input.
CVE-2017-14859
An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.
CVE-2017-14862
An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.
CVE-2017-14864
An Invalid memory address dereference was discovered in Exiv2::getULong in
types.cpp. The vulnerability causes a segmentation fault and application
crash, which leads to denial of service.
CVE-2017-17669
There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A
crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005
Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong
function in value.cpp, related to crafted metadata in a TIFF file.
CVE-2018-8976
jpgimage.cpp allows remote attackers to cause a denial of service
(image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted
file.
CVE-2018-17581
CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack
consumption due to a recursive function, leading to Denial of service.
CVE-2018-19107
Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD
image reader) may suffer from a denial of service (heap-based buffer
over-read) caused by an integer overflow via a crafted PSD image file.
CVE-2018-19108
Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may
suffer from a denial of service (infinite loop) caused by an integer
overflow via a crafted PSD image file.
CVE-2018-19535
PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service
(application crash due to a heap-based buffer over-read) via a crafted PNG
file.
CVE-2018-20097
There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
tiffimage_int.cpp. A crafted input will lead to a remote denial of service
attack.
CVE-2019-13110
A CiffDirectory::readDirectory integer overflow and out-of-bounds read
allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW
image file.
CVE-2019-13112
A PngChunk::parseChunkContent uncontrolled memory allocation allows an
attacker to cause a denial of service (crash due to an std::bad_alloc
exception) via a crafted PNG image file.
CVE-2019-13114
http.c allows a malicious http server to cause a denial of service (crash
due to a NULL pointer dereference) by returning a crafted response that
lacks a space character.
CVE-2019-13504
There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in
mrwimage.cpp.
CVE-2019-14369
Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a
denial of service (heap-based buffer over- read) via a crafted image file.
CVE-2019-14370
There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in
mrwimage.cpp. It could result in denial of service.
CVE-2019-17402
Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp
when called from Exiv2::Internal::CiffDirectory::readDirectory in
crwimage_int.cpp, because there is no validation of the relationship of the
total size to the offset and size.
CVE-2020-18771
Exiv2 has a global buffer over-read in
Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can
result in an information leak.
CVE-2021-29458
An out-of-bounds read was found in Exiv2. The out-of- bounds read is
triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
writing the metadata, which is a less frequently used Exiv2 operation than
reading the metadata. For example, to trigger the bug in the Exiv2
command-line application, you need to add an extra command-line argument
such as insert.
CVE-2021-32815
The assertion
failure is triggered when Exiv2 is used to modify the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. Note that this bug
is only triggered when modifying the metadata, which is a less
frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as `fi`.
CVE-2021-34334
An infinite loop is triggered when Exiv2 is used to read the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file.
CVE-2021-37620
An out-of-bounds read is triggered when Exiv2 is used to read the metadata
of a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file.
CVE-2021-37621
An infinite loop is triggered when Exiv2 is used to print the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
printing the image ICC profile, which is a less frequently used Exiv2
operation that requires an extra command line option (`-p C`).
CVE-2021-37622
An infinite loop is triggered when Exiv2 is used to modify the metadata of
a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file. Note that this bug is only
triggered when deleting the IPTC data, which is a less frequently used
Exiv2 operation that requires an extra command line option (`-d I rm`).
For Debian 10 buster, these problems have been fixed in version
0.25-4+deb10u4.
We recommend that you upgrade your exiv2 packages.
For the detailed security status of exiv2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exiv2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEETMLS2QqNFlTb+HOqLRqqzyREREIFAmO9misACgkQLRqqzyRE
REIBGhAAjDN/9fdrTRF0b/sdwjglAoRVCBLp06EhvdSUhsNNSh94tW1cvFf9sz2Y
WCZQWfnA+gVC1axIKzMOvv3XQGcctC9TkkENQBddbQGqqnq3XBGQ4Rn2RfhqDZVI
kw7yyabnOg+Vdfgv+m3BQR+soEs+1+YZGR4ElGWlJjWv67t5HPOcm59FGsHMuzgf
wjyt4lsR3ij2kf3H8i+oMUe5ovXIUFEsCF53dgF3J8nxTVTmRyd20NrUUKRM/9Gi
ntggZjFUHtu+IokKeER1OOrHDWTsQQQlp1TxCMh/Ck2rjzI2EmqWNHTtcThiMywb
m87L85oYmRFqP4YtxnLoPQ2rwp/+W5InKcuLSY0byaBTICpRozuiSV4G6UMZUHdD
a2fhXXTjZCH+8enphCDZskA+fXGHbGRPqpDk+6Fi9ISnzrQ988ofBwIyHZfXlXi8
3XZR9Jf14zoQR7pOkPbK9SOWUk3AIjnUsC3qLTsqpCAPo2bjt0oXMzKD0AaWQwfS
BcOARwsmG4/VIHApF/7oJeOF3jR6J4mzvS6sbpWugLUupb5ZYzvYDp1Z2ok2M13H
gPeLFDMNZ6ZsJIxKDcU7PXwpTztGuh0tie40DagB5DqP1BdSGkYjTjlVHPdE4hbg
p3RLHi2ZUrhAoG6EivaHHGnlQQk2hq0bnGlrysLuyMjaU65fgDo=
=hy63
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY74R+ckNZI30y1K9AQgJZg/8DaDUsDcjx7wNeKePwbjhqbLsn97ciYd8
11XhDgKEI9h8BLpJ7x5k1wGWqp+CyGVDv0TQnnhgGjmlO0K7KmVBlQYNEvbVIV7C
bKsG56SwmXCsZ4+XaEKJbvg+MWmBdpe44ZeBjvKrZLDs6JwuoL2Na1bjd5ok12ND
iKj9/3Qjb2Jtosd7dgenh5NZ42n9hUw6G6RFzXzld1Ss6kikkWAB+2IoBYvlkmF5
69FJrIvyioDwBYwEB/YQV4fui1n3GyRA8PPGgVscuV/HyboO2RPpj03JdU6fbTHM
XXkdhpe5owk0irDbPDIXl6MhJfjsIlfgb9wlRUe6NF0ceTfmO42WSXbQ5RvH5v3E
Z79MNAdSEXYbjBHbMLc7kH0YfDrTmuj0Xbsl5GYu1hXVqwZRBvFxPQnZ52IrhRyD
rTHICEbxr1zf4EDY6+W/OBZqVFV8R/yIjNG2Fvc7Slm2jVtFywxpLwn/ULpBS1a3
x2q5mUV2ggz5F7wXSYvBSUgAIGGm6M4sGPEEMz46QkWULXHhTzqIT/+xqRBCIhgt
cv/UAjUSMiBacMzwAfueJeM0l9R41S22yGvH+9lURYAysLSjHdqoc4Xtj5Gy6eBR
hO72ahc2q8Om3LFwLnyrpNLDlGlD0FhMtyrMaaGPU8K6o8m4FXDrzDMXLvbddC1b
iRlmnzknX4s=
=Dmz/
-----END PGP SIGNATURE-----