Debian Security Advisory
DLA-3265-1 exiv2 -- LTS security update
- Date Reported: 11 Jan 2023
- Affected Packages: exiv2
- Vulnerable: Yes
- Security database references:
In the Debian bugtracking system: Bug 876893, Bug 885981, Bug 886006, Bug 903813, Bug 910060, Bug 913272, Bug 913273, Bug 915135.
In Mitre's CVE dictionary: CVE-2017-11591, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-18005, CVE-2018-8976, CVE-2018-17581, CVE-2018-19107, CVE-2018-19108, CVE-2018-19535, CVE-2018-20097, CVE-2019-13110, CVE-2019-13112, CVE-2019-13114, CVE-2019-13504, CVE-2019-14369, CVE-2019-14370, CVE-2019-17402, CVE-2020-18771, CVE-2021-29458, CVE-2021-32815, CVE-2021-34334, CVE-2021-37620, CVE-2021-37621, CVE-2021-37622.
- More information:
This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2.
- CVE-2017-11591
There is a Floating point exception in the `Exiv2::ValueType` function that will lead to a remote denial of service attack via crafted input.
- CVE-2017-14859
An Invalid memory address dereference was discovered in `Exiv2::StringValueBase::read` in `value.cpp`. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
- CVE-2017-14862
An Invalid memory address dereference was discovered in `Exiv2::DataValue::read` in `value.cpp`. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
- CVE-2017-14864
An Invalid memory address dereference was discovered in `Exiv2::getULong` in `types.cpp`. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
- CVE-2017-17669
There is a heap-based buffer over-read in the `Exiv2::Internal::PngChunk::keyTXTChunk` function of `pngchunk_int.cpp`. A crafted PNG file will lead to a remote denial of service attack.
- CVE-2017-18005
Exiv2 has a Null Pointer Dereference in the `Exiv2::DataValue::toLong` function in `value.cpp`, related to crafted metadata in a TIFF file.
- CVE-2018-8976
`jpgimage.cpp` allows remote attackers to cause a denial of service (`image.cpp` `Exiv2::Internal::stringFormat` out-of-bounds read) via a crafted file.
- CVE-2018-17581
`CiffDirectory::readDirectory()` at `crwimage_int.cpp` has excessive stack consumption due to a recursive function, leading to Denial of service.
- CVE-2018-19107
`Exiv2::IptcParser::decode` in `iptc.cpp` (called from `psdimage.cpp` in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.
- CVE-2018-19108
`Exiv2::PsdImage::readMetadata` in `psdimage.cpp` in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.
- CVE-2018-19535
`PngChunk::readRawProfile` in `pngchunk_int.cpp` may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.
- CVE-2018-20097
There is a SEGV in `Exiv2::Internal::TiffParserWorker::findPrimaryGroups` of `tiffimage_int.cpp`. A crafted input will lead to a remote denial of service attack.
- CVE-2019-13110
A `CiffDirectory::readDirectory` integer overflow and out-of-bounds read allows an attacker to cause a denial of service (`SIGSEGV`) via a crafted CRW image file.
- CVE-2019-13112
A `PngChunk::parseChunkContent` uncontrolled memory allocation allows an attacker to cause a denial of service (crash due to an `std::bad_alloc` exception) via a crafted PNG image file.
- CVE-2019-13114
`http.c` allows a malicious http server to cause a denial of service (crash due to a `NULL` pointer dereference) by returning a crafted response that lacks a space character.
- CVE-2019-13504
There is an out-of-bounds read in `Exiv2::MrwImage::readMetadata` in `mrwimage.cpp`.
- CVE-2019-14369
`Exiv2::PngImage::readMetadata()` in `pngimage.cpp` allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file.
- CVE-2019-14370
There is an out-of-bounds read in `Exiv2::MrwImage::readMetadata()` in `mrwimage.cpp`. It could result in denial of service.
- CVE-2019-17402
Exiv2 allows attackers to trigger a crash in `Exiv2::getULong` in `types.cpp` when called from `Exiv2::Internal::CiffDirectory::readDirectory` in `crwimage_int.cpp`, because there is no validation of the relationship of the total size to the offset and size.
- CVE-2020-18771
Exiv2 has a global buffer over-read in `Exiv2::Internal::Nikon1MakerNote::print0x0088` in `nikonmn_int.cpp` which can result in an information leak.
- CVE-2021-29458
An out-of-bounds read was found in Exiv2. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`.
- CVE-2021-32815
The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`.
- CVE-2021-34334
An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file.
- CVE-2021-37620
An out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file.
- CVE-2021-37621
An infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`).
- CVE-2021-37622
An infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`).
For Debian 10 buster, these problems have been fixed in version 0.25-4+deb10u4.
We recommend that you upgrade your exiv2 packages.
For the detailed security status of exiv2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exiv2
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
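Several entries above describe one class of parser defect: no validation of offset and size against the total size (CVE-2019-17402), an integer overflow in that arithmetic (CVE-2019-13110), and unbounded recursion over nested directories (CVE-2018-17581). The following added example is not Exiv2 code; it uses a constructed toy container format and assumed names (`range_ok`, `walk_dir`, `kMaxDepth`) to show the checks a metadata parser needs against such input:

```cpp
#include <cstdint>
#include <cstdio>

// Constructed toy container, not the CRW/PNG/PSD layout. A directory is
// [count:u8] then count entries of [kind:u8][offset:u32le][size:u32le];
// kind 0 = data blob, kind 1 = nested directory starting at `offset`.
static const int kMaxDepth = 8;  // assumed nesting cap, bounds stack use
// Overflow-safe "offset + size <= total": never adds untrusted values.
static bool range_ok(uint32_t total, uint32_t offset, uint32_t size) {
    return offset <= total && size <= total - offset;
}
// Naive form for comparison: offset + size wraps modulo 2^32.
static bool range_ok_naive(uint32_t total, uint32_t offset, uint32_t size) {
    return offset + size <= total;
}
static uint32_t read_u32le(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Sum of data-blob sizes reachable from the directory at `dir`, or -1 if an
// entry falls outside the buffer or nesting exceeds kMaxDepth.
static long long walk_dir(const uint8_t* buf, uint32_t total, uint32_t dir, int depth) {
    if (depth > kMaxDepth || !range_ok(total, dir, 1)) return -1;
    uint32_t count = buf[dir];
    if (!range_ok(total, dir + 1, count * 9)) return -1;  // entry table fits
    long long sum = 0;
    for (uint32_t i = 0; i < count; ++i) {
        const uint8_t* e = buf + dir + 1 + i * 9;
        uint32_t off = read_u32le(e + 1), size = read_u32le(e + 5);
        if (e[0] == 0) {                      // data blob: validate its range
            if (!range_ok(total, off, size)) return -1;
            sum += size;
        } else {                              // nested directory: recurse, capped
            long long sub = walk_dir(buf, total, off, depth + 1);
            if (sub < 0) return -1;
            sum += sub;
        }
    }
    return sum;
}
// Constructed samples: a valid blob; a blob whose offset + size wraps to 4;
// a directory whose only entry points back at itself.
static const uint8_t kGood[] = {1, 0, 10,0,0,0, 4,0,0,0, 'd','a','t','a'};
static const uint8_t kWrap[] = {1, 0, 0xF0,0xFF,0xFF,0xFF, 0x14,0,0,0};
static const uint8_t kLoop[] = {1, 1, 0,0,0,0, 0,0,0,0};
int main() {
    std::printf("%lld %lld %lld\n", walk_dir(kGood, sizeof kGood, 0, 0),
                walk_dir(kWrap, sizeof kWrap, 0, 0), walk_dir(kLoop, sizeof kLoop, 0, 0));
}
```

The wrapping sample passes `range_ok_naive` but is rejected by `range_ok`, and the self-referencing directory is stopped by the depth cap instead of exhausting the stack.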