openSUSE-SU-2020:0482

[oss-security] 20170630 exiv2: multiple memory safety issues

This update for exiv2 fixes the following issues :

exiv2 was updated to latest 0.26 branch, fixing bugs and security issues :

  - CVE-2017-1000126: Fixed an out of bounds read in webp     parser (bsc#1068873).

  - CVE-2017-9239: Fixed a segmentation fault in     TiffImageEntry::doWriteImage function (bsc#1040973).

  - CVE-2018-12264: Fixed an integer overflow in     LoaderTiff::getData() which might have led to an     out-of-bounds read (bsc#1097600).

  - CVE-2018-12265: Fixed integer overflows in     LoaderExifJpeg which could have led to memory corruption     (bsc#1097599).

  - CVE-2018-17229: Fixed a heap based buffer overflow in     Exiv2::d2Data via a crafted image (bsc#1109175).

  - CVE-2018-17230: Fixed a heap based buffer overflow in     Exiv2::d2Data via a crafted image (bsc#1109176).

  - CVE-2018-17282: Fixed a NULL pointer dereference in     Exiv2::DataValue::copy (bsc#1109299).

  - CVE-2018-19108: Fixed an integer overflow in     Exiv2::PsdImage::readMetadata which could have led to     infinite loop (bsc#1115364).

  - CVE-2018-19607: Fixed a NULL pointer dereference in     Exiv2::isoSpeed which might have led to denial of     service (bsc#1117513).

  - CVE-2018-9305: Fixed an out of bounds read in     IptcData::printStructure which might have led to to     information leak or denial of service (bsc#1088424).

  - CVE-2019-13114: Fixed a NULL pointer dereference which     might have led to denial of service via a crafted     response of an malicious http server (bsc#1142684).

This update was imported from the SUSE:SLE-15:Update update project.

This update for exiv2 fixes the following issues :

exiv2 was updated to latest 0.26 branch, fixing bugs and security issues :

CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873).

CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973).

CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600).

CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599).

CVE-2018-17229: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175).

CVE-2018-17230: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176).

CVE-2018-17282: Fixed a NULL pointer dereference in Exiv2::DataValue::copy (bsc#1109299).

CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364).

CVE-2018-19607: Fixed a NULL pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513).

CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424).

CVE-2019-13114: Fixed a NULL pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the exiv2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Exiv2 0.26 has a heap-based buffer over-read in     WebPImage::decodeChunks in     webpimage.cpp.(CVE-2018-14046)

  - There is a heap-based buffer over-read in the     Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2     0.27-RC3. A crafted input will lead to a remote denial     of service attack.(CVE-2018-20096)

  - There is a heap-based buffer over-read in     Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in     Exiv2 0.27-RC3. A crafted input will lead to a remote     denial of service attack.(CVE-2018-20098)

  - There is an infinite loop in     Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in     Exiv2 0.27-RC3. A crafted input will lead to a remote     denial of service attack.(CVE-2018-20099)

  - A PngChunk::parseChunkContent uncontrolled memory     allocation in Exiv2 through 0.27.1 allows an attacker     to cause a denial of service (crash due to an     std::bad_alloc exception) via a crafted PNG image     file.(CVE-2019-13112)

  - CiffDirectory::readDirectory() at crwimage_int.cpp in     Exiv2 0.26 has excessive stack consumption due to a     recursive function, leading to Denial of     service.(CVE-2018-17581)

  - In Exiv2 0.26 and previous versions,     PngChunk::readRawProfile in pngchunk_int.cpp may cause     a denial of service (application crash due to a     heap-based buffer over-read) via a crafted PNG     file.(CVE-2018-19535)

  - In types.cpp in Exiv2 0.26, a large size value may lead     to a SIGABRT during an attempt at memory allocation for     an Exiv2::Internal::PngChunk::zlibUncompress     call.(CVE-2018-10958)

  - An issue was discovered in Exiv2 0.26. readMetadata in     jp2image.cpp allows remote attackers to cause a denial     of service (SIGABRT) by triggering an incorrect     Safe::add call.(CVE-2018-10998)

  - An issue was discovered in Exiv2 0.26. The     Exiv2::Internal::PngChunk::parseTXTChunk function has a     heap-based buffer over-read.(CVE-2018-10999)

  - In Exiv2 0.26, Exiv2::PsdImage::readMetadata in     psdimage.cpp in the PSD image reader may suffer from a     denial of service (infinite loop) caused by an integer     overflow via a crafted PSD image file.(CVE-2018-19108)

  - In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp     (called from psdimage.cpp in the PSD image reader) may     suffer from a denial of service (heap-based buffer     over-read) caused by an integer overflow via a crafted     PSD image file.(CVE-2018-19107)

  - An issue was discovered in Exiv2 v0.26. The function     Exiv2::DataValue::copy in value.cpp has a NULL pointer     dereference.(CVE-2018-17282)

  - exiv2 0.26 contains a Stack out of bounds read in webp     parser(CVE-2017-1000126)

  - In Exiv2 0.26, there is a heap-based buffer over-read     in the Exiv2::Image::byteSwap4 function in image.cpp.
    Remote attackers can exploit this vulnerability to     disclose memory data or cause a denial of service via a     crafted TIFF file.(CVE-2017-17723)

  - Exiv2 0.26 has a heap-based buffer overflow in getData     in preview.cpp.(CVE-2018-11531)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135384	openSUSE Security Update : exiv2 (openSUSE-2020-482)	Nessus	SuSE Local Security Checks	medium
135228	SUSE SLED15 / SLES15 Security Update : exiv2 (SUSE-SU-2020:0921-1)	Nessus	SuSE Local Security Checks	medium
130853	EulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2144)	Nessus	Huawei Local Security Checks	high

CVE-2017-1000126

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins