
[SECURITY] [DLA 1691-1] exiv2 security update




From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1691-1] exiv2 security update

Package        : exiv2
Version        : 0.24-4.1+deb8u3
CVE ID         : CVE-2018-17581 CVE-2018-19107 CVE-2018-19108
                 CVE-2018-19535 CVE-2018-20097


Several issues have been found in exiv2, an EXIF/IPTC/XMP metadata manipulation tool.

CVE-2018-17581
     A stack overflow: a recursive function call causes excessive
     stack consumption, which leads to denial of service.

CVE-2018-19107
     A heap-based buffer over-read caused by an integer overflow could
     result in a denial of service via a crafted file.

CVE-2018-19108
     There seems to be an infinite loop inside a function that can be
     activated by a crafted image.

CVE-2018-19535
     A heap-based buffer over-read could result in a denial of
     service via a crafted file.

CVE-2018-20097
     A crafted image could result in a denial of service.


For Debian 8 "Jessie", these problems have been fixed in version
0.24-4.1+deb8u3.

We recommend that you upgrade your exiv2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

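Added example, not part of the advisory: a check of an installed exiv2 package version against the fixed version 0.24-4.1+deb8u3, following dpkg's version ordering rules (epoch, then upstream version, then Debian revision). The function names are hypothetical and the sample versions are constructed for illustration.

```python
import re

FIXED = "0.24-4.1+deb8u3"  # fixed version stated in DLA 1691-1


def _weight(c):
    # dpkg character order: '~' sorts before end of string,
    # letters sort before all other non-digit characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _part_key(part):
    # Split into alternating (non-digit, digit) runs. Non-digit runs compare
    # by character weight (0 marks end of run); digit runs compare as integers.
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        key.append(([_weight(c) for c in text] + [0], int(digits or 0)))
    return key


def debian_key(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return (int(epoch), _part_key(upstream), _part_key(rev))


def is_fixed(installed, fixed=FIXED):
    # True when the installed version is the fixed version or later.
    return debian_key(installed) >= debian_key(fixed)


# Constructed sample versions (not taken from the advisory).
SAMPLES = [
    "0.24-4.1",              # no security suffix: older than the fix
    "0.24-4.1+deb8u2",       # earlier security upload
    "0.24-4.1+deb8u3",       # the fixed version itself
    "0.24-4.1+deb8u10",      # later upload; plain string comparison gets this wrong
    "0.24-4.1+deb8u3~bpo1",  # '~' sorts before the fixed version
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:24} {'fixed' if is_fixed(v) else 'needs upgrade'}")
```

On a Debian system the installed version string can be read with dpkg-query -W -f='${Version}' exiv2 and passed to is_fixed().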

