------------------------------------------------------------------------- Debian LTS Advisory DLA-3265-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Helmut Grohne January 10, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : exiv2 Version : 0.25-4+deb10u4 CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864 CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504 CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771 CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135 932467 946341 987277 992705 992706 This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2. CVE-2017-11591 There is a Floating point exception in the Exiv2::ValueType function that will lead to a remote denial of service attack via crafted input. CVE-2017-14859 An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14862 An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14864 An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-17669 There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A crafted PNG file will lead to a remote denial of service attack. CVE-2017-18005 Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file. CVE-2018-8976 jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file. CVE-2018-17581 CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack consumption due to a recursive function, leading to Denial of service. CVE-2018-19107 Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file. CVE-2018-19108 Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file. CVE-2018-19535 PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file. CVE-2018-20097 There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp. A crafted input will lead to a remote denial of service attack. CVE-2019-13110 A CiffDirectory::readDirectory integer overflow and out-of-bounds read allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file. CVE-2019-13112 A PngChunk::parseChunkContent uncontrolled memory allocation allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file. CVE-2019-13114 http.c allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character. CVE-2019-13504 There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp. CVE-2019-14369 Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a denial of service (heap-based buffer over- read) via a crafted image file. CVE-2019-14370 There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service. CVE-2019-17402 Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. CVE-2020-18771 Exiv2 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak. CVE-2021-29458 An out-of-bounds read was found in Exiv2. The out-of- bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. CVE-2021-32815 The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. CVE-2021-34334 An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. CVE-2021-37620 An out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. CVE-2021-37621 An infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). CVE-2021-37622 An infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). For Debian 10 buster, these problems have been fixed in version 0.25-4+deb10u4. We recommend that you upgrade your exiv2 packages. For the detailed security status of exiv2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exiv2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature