Debian DLA-2750-1 : exiv2 - LTS security update

high Nessus Plugin ID 152899


Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2750 advisory.

- In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2019-20421)

- Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. (CVE-2021-29457)

- Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. Please see our security policy for information about Exiv2 security. (CVE-2021-29473)

- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29457. Reason: This candidate is a duplicate of CVE-2021-29457. Notes: All CVE users should reference CVE-2021-29457 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-31291)

- An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata. (CVE-2021-31292)

- A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data. (CVE-2021-3482)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the exiv2 packages.

For Debian 9 stretch, these problems have been fixed in version 0.25-3.1+deb9u3.

See Also

https://security-tracker.debian.org/tracker/source-package/exiv2

https://packages.debian.org/source/stretch/exiv2

https://security-tracker.debian.org/tracker/CVE-2019-20421

https://security-tracker.debian.org/tracker/CVE-2021-29457

https://security-tracker.debian.org/tracker/CVE-2021-29473

https://security-tracker.debian.org/tracker/CVE-2021-31292

https://security-tracker.debian.org/tracker/CVE-2021-3482

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950183

https://www.debian.org/lts/security/2021/dla-2750

https://security-tracker.debian.org/tracker/CVE-2021-31291

Plugin Details

Severity: High

ID: 152899

File Name: debian_DLA-2750.nasl

Version: 1.2

Type: local

Agent: unix

Published: 8/30/2021

Updated: 8/30/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2021-31291

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:exiv2:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:libexiv2-dbg:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:libexiv2-dev:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:libexiv2-doc:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:libexiv2-14:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/30/2021

Vulnerability Publication Date: 1/27/2020

Reference Information

CVE: CVE-2019-20421, CVE-2021-3482, CVE-2021-29457, CVE-2021-29473, CVE-2021-31291, CVE-2021-31292