RHSA-2019:2048

https://bugs.freedesktop.org/show_bug.cgi?id=105204

https://cgit.freedesktop.org/exempi/commit/?id=6cbd34025e5fd3ba47b29b602096e456507ce83b

[debian-lts-announce] 20180321 [SECURITY] [DLA 1310-1] exempi security update

FEDORA-2020-e22e9a655d

USN-3668-1

Update to latest upstream release 0.3.15 (#1885156)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has exempi packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in Exempi before 2.4.3. It     allows remote attackers to cause a denial of service     (invalid memcpy with resultant use-after-free) or     possibly have unspecified other impact via a .pdf file     containing JPEG data, related to     XMPFiles/source/FormatSupport/ReconcileTIFF.cpp,     XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and     XMPFiles/source/FormatSupport/TIFF_Support.hpp.
    (CVE-2017-18234)

  - An issue was discovered in Exempi before 2.4.4. The     TradQT_Manager::ParseCachedBoxes function in     XMPFiles/source/FormatSupport/QuickTime_Support.cpp     allows remote attackers to cause a denial of service     (infinite loop) via crafted XMP data in a .qt file.
    (CVE-2017-18238)

  - An issue was discovered in Exempi through 2.4.4. A     certain case of a 0xffffffff length is mishandled in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp,     leading to a heap-based buffer over-read in the     PSD_MetaHandler::CacheFileData() function.
    (CVE-2018-7730)

  - An issue was discovered in Exempi before 2.4.4. The     ASF_Support::ReadHeaderObject function in     XMPFiles/source/FormatSupport/ASF_Support.cpp allows     remote attackers to cause a denial of service (infinite     loop) via a crafted .asf file. (CVE-2017-18236)

  - An issue was discovered in Exempi before 2.4.4. Integer     overflow in the Chunk class in     XMPFiles/source/FormatSupport/RIFF.cpp allows remote     attackers to cause a denial of service (infinite loop)     via crafted XMP data in a .avi file. (CVE-2017-18233)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the exempi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in Exempi before 2.4.4. Integer     overflow in the Chunk class in     XMPFiles/source/FormatSupport/RIFF.cpp allows remote     attackers to cause a denial of service (infinite loop)     via crafted XMP data in a .avi file.(CVE-2017-18233)

  - An issue was discovered in Exempi before 2.4.4. The     ASF_Support::ReadHeaderObject function in     XMPFiles/source/FormatSupport/ASF_Support.cpp allows     remote attackers to cause a denial of service (infinite     loop) via a crafted .asf file.(CVE-2017-18236)

  - An issue was discovered in Exempi before 2.4.4. The     TradQT_Manager::ParseCachedBoxes function in     XMPFiles/source/FormatSupport/QuickTime_Support.cpp     allows remote attackers to cause a denial of service     (infinite loop) via crafted XMP data in a .qt     file.(CVE-2017-18238)

  - An issue was discovered in Exempi through 2.4.4. A     certain case of a 0xffffffff length is mishandled in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp,     leading to a heap-based buffer over-read in the     PSD_MetaHandler::CacheFileData()     function.(CVE-2018-7730)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the exempi package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - An issue was discovered in Exempi through 2.4.4. A     certain case of a 0xffffffff length is mishandled in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp,     leading to a heap-based buffer over-read in the     PSD_MetaHandler::CacheFileData()     function.(CVE-2018-7730)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in Exempi before 2.4.4. Integer overflow in the Chunk class in XMPFiles/source/FormatSupport/RIFF.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .avi file.(CVE-2017-18233)

An issue was discovered in Exempi before 2.4.3. It allows remote attackers to cause a denial of service (invalid memcpy with resultant use-after-free) or possibly have unspecified other impact via a .pdf file containing JPEG data, related to XMPFiles/source/FormatSupport/ReconcileTIFF.cpp, XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and XMPFiles/source/FormatSupport/TIFF_Support.hpp.(CVE-2017-18234)

An issue was discovered in Exempi before 2.4.4. The ASF_Support::ReadHeaderObject function in XMPFiles/source/FormatSupport/ASF_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted .asf file.(CVE-2017-18236)

An infinite loop has been discovered in Exempi in the way it handles Extensible Metadata Platform (XMP) data in QuickTime files. An attacker could cause a denial of service via a crafted file.(CVE-2017-18238)

An integer wraparound, leading to a buffer overflow, was found in Exempi in the way it handles Adobe Photoshop Images. An attacker could exploit this to cause a denial of service via a crafted image file.(CVE-2018-7730)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has exempi packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in Exempi before 2.4.3. It     allows remote attackers to cause a denial of service     (invalid memcpy with resultant use-after-free) or     possibly have unspecified other impact via a .pdf file     containing JPEG data, related to     XMPFiles/source/FormatSupport/ReconcileTIFF.cpp,     XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and     XMPFiles/source/FormatSupport/TIFF_Support.hpp.
    (CVE-2017-18234)

  - An issue was discovered in Exempi before 2.4.4. The     TradQT_Manager::ParseCachedBoxes function in     XMPFiles/source/FormatSupport/QuickTime_Support.cpp     allows remote attackers to cause a denial of service     (infinite loop) via crafted XMP data in a .qt file.
    (CVE-2017-18238)

  - An issue was discovered in Exempi through 2.4.4. A     certain case of a 0xffffffff length is mishandled in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp,     leading to a heap-based buffer over-read in the     PSD_MetaHandler::CacheFileData() function.
    (CVE-2018-7730)

  - An issue was discovered in Exempi before 2.4.4. The     ASF_Support::ReadHeaderObject function in     XMPFiles/source/FormatSupport/ASF_Support.cpp allows     remote attackers to cause a denial of service (infinite     loop) via a crafted .asf file. (CVE-2017-18236)

  - An issue was discovered in Exempi before 2.4.4. Integer     overflow in the Chunk class in     XMPFiles/source/FormatSupport/RIFF.cpp allows remote     attackers to cause a denial of service (infinite loop)     via crafted XMP data in a .avi file. (CVE-2017-18233)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for exempi is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

Exempi provides a library for easy parsing of XMP metadata. It is a port of Adobe XMP SDK to work on UNIX and to be build with GNU automake. It includes XMPCore and XMPFiles.

Security Fix(es) :

* exempi: Infinite Loop in Chunk class in XMPFiles/source/FormatSupport/ RIFF.cpp (CVE-2017-18233)

* exempi: Use after free via a PDF file containing JPEG data (CVE-2017-18234)

* exempi: Infinite loop in ASF_Support::ReadHeaderObject function in XMPFiles /source/FormatSupport/ASF_Support.cpp (CVE-2017-18236)

* exempi: Infinite loop in TradQT_Manager::ParseCachedBoxes function in XMPFiles/source/FormatSupport/QuickTime_Support.cpp (CVE-2017-18238)

* exempi: Heap-based buffer overflow in PSD_MetaHandler::CacheFileData function in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp allows for denial of service via crafted XLS file (CVE-2018-7730)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - exempi: Infinite Loop in Chunk class in     XMPFiles/source/FormatSupport/RIFF.cpp (CVE-2017-18233)

  - exempi: Use after free via a PDF file containing JPEG     data (CVE-2017-18234)

  - exempi: Infinite loop in ASF_Support::ReadHeaderObject     function in     XMPFiles/source/FormatSupport/ASF_Support.cpp     (CVE-2017-18236)

  - exempi: Infinite loop in     TradQT_Manager::ParseCachedBoxes function in     XMPFiles/source/FormatSupport/QuickTime_Support.cpp     (CVE-2017-18238)

  - exempi: Heap-based buffer overflow in     PSD_MetaHandler::CacheFileData function in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp allows     for denial of service via crafted XLS file     (CVE-2018-7730)

Version **2.4.5** fixes the following security issues :

  - **CVE-2018-7728**

  - **CVE-2018-7729**

  - **CVE-2018-7730**

  - **CVE-2018-7731**

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for exempi fixes the following security issues :

CVE-2017-18233: Prevent integer overflow in the Chunk class that allowed remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .avi file (bsc#1085584).

CVE-2017-18238: The TradQT_Manager::ParseCachedBoxes function allowed remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .qt file (bsc#1085583).

CVE-2018-7728: Fixed heap-based buffer overflow, which allowed denial of service via crafted TIFF image (bsc#1085297).

CVE-2018-7730: Fixed heap-based buffer overflow in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp (bsc#1085295).

CVE-2017-18236: The ASF_Support::ReadHeaderObject function allowed remote attackers to cause a denial of service (infinite loop) via a crafted .asf file (bsc#1085589).

CVE-2017-18234: Prevent use-after-free that allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a .pdf file containing JPEG data (bsc#1085585).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for exempi fixes the following issues: Security issue fixed :

  - CVE-2018-7730: Fix heap-based buffer overflow in     XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp     (bsc#1085295).

  - CVE-2017-18234: Fix use-after-free issue that allows     remote attackers to cause a denial of service via a .pdf     file (bsc#1085585).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Exempi incorrectly handled certain media files.
If a user or automated system were tricked into opening a specially crafted file, a remote attacker could cause Exempi to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Version **2.4.5** fixes the following security issues :

  - **CVE-2018-7728**

  - **CVE-2018-7729**

  - **CVE-2018-7730**

  - **CVE-2018-7731**

Version **2.4.4** fixes the following security issues :

  - **CVE-2017-18233**

  - **CVE-2017-18236**

Version **2.4.3** fixes the following security issues :

  - **CVE-2017-18234**

  - **CVE-2017-18235**

  - **CVE-2017-18237**

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various issues were discovered in exempi, a library to parse XMP metadata that may cause a denial of service or may have other unspecified impact via crafted files.

CVE-2017-18233 An Integer overflow in the Chunk class in RIFF.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in an .avi file.

CVE-2017-18234 An issue was discovered that allows remote attackers to cause a denial of service (invalid memcpy with resultant use-after-free) or possibly have unspecified other impact via a .pdf file containing JPEG data.

CVE-2017-18236 The ASF_Support::ReadHeaderObject function in ASF_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted .asf file.

CVE-2017-18238 The TradQT_Manager::ParseCachedBoxes function in QuickTime_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .qt file.

CVE-2018-7728 TIFF_Handler.cpp mishandles a case of a zero length, leading to a heap-based buffer over-read in the MD5Update() function in MD5.cpp.

CVE-2018-7730 A certain case of a 0xffffffff length is mishandled in PSIR_FileWriter.cpp, leading to a heap-based buffer over-read in the PSD_MetaHandler::CacheFileData() function.

For Debian 7 'Wheezy', these problems have been fixed in version 2.2.0-1+deb7u1.

We recommend that you upgrade your exempi packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for exempi fixes the following issues :

  - CVE-2018-7728: Specially crafted TIFF images could have     been used to cause a denial of service via a heap-based     buffer overflow (boo#1085297) 

  - CVE-2018-7730: Specially crafted Excel files could have     been used cause a denial of service via a heap-based     buffer overflow (boo#1085295)

ID	Name	Product	Family	Severity
141906	Fedora 33 : python-msldap (2020-e22e9a655d)	Nessus	Fedora Local Security Checks	medium
132444	NewStart CGSL CORE 5.05 / MAIN 5.05 : exempi Multiple Vulnerabilities (NS-SA-2019-0228)	Nessus	NewStart CGSL Local Security Checks	medium
132292	EulerOS 2.0 SP3 : exempi (EulerOS-SA-2019-2575)	Nessus	Huawei Local Security Checks	medium
131865	EulerOS 2.0 SP2 : exempi (EulerOS-SA-2019-2373)	Nessus	Huawei Local Security Checks	medium
131798	EulerOS 2.0 SP5 : exempi (EulerOS-SA-2019-2524)	Nessus	Huawei Local Security Checks	medium
130218	Amazon Linux 2 : exempi (ALAS-2019-1321)	Nessus	Amazon Linux Local Security Checks	medium
129906	NewStart CGSL CORE 5.04 / MAIN 5.04 : exempi Multiple Vulnerabilities (NS-SA-2019-0186)	Nessus	NewStart CGSL Local Security Checks	medium
128339	CentOS 7 : exempi (CESA-2019:2048)	Nessus	CentOS Local Security Checks	medium
128215	Scientific Linux Security Update : exempi on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	medium
127658	RHEL 7 : exempi (RHSA-2019:2048)	Nessus	Red Hat Local Security Checks	medium
120271	Fedora 28 : exempi (2018-1c9f6768cf)	Nessus	Fedora Local Security Checks	medium
118390	SUSE SLED12 / SLES12 Security Update : exempi (SUSE-SU-2018:3389-1)	Nessus	SuSE Local Security Checks	medium
111370	SUSE SLES11 Security Update : exempi (SUSE-SU-2018:2067-1)	Nessus	SuSE Local Security Checks	medium
110321	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : exempi vulnerabilities (USN-3668-1)	Nessus	Ubuntu Local Security Checks	medium
108839	Fedora 27 : exempi (2018-c442aad4dc)	Nessus	Fedora Local Security Checks	medium
108522	Debian DLA-1310-1 : exempi security update	Nessus	Debian Local Security Checks	medium
108446	openSUSE Security Update : exempi (openSUSE-2018-282)	Nessus	SuSE Local Security Checks	medium

CVE-2018-7730

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins