Debian dla-3265 : exiv2 - security update

high Nessus Plugin ID 169913

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3265 advisory.

------------------------------------------------------------------------- Debian LTS Advisory DLA-3265-1 [email protected] https://www.debian.org/lts/security/ Helmut Grohne January 10, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : exiv2 Version : 0.25-4+deb10u4 CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864 CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504 CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771 CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622 Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135 932467 946341 987277 992705 992706

This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2.

CVE-2017-11591

There is a Floating point exception in the Exiv2::ValueType function that will lead to a remote denial of service attack via crafted input.

CVE-2017-14859

An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.

CVE-2017-14862

An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.

CVE-2017-14864

An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.

CVE-2017-17669

There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A crafted PNG file will lead to a remote denial of service attack.

CVE-2017-18005

Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

CVE-2018-8976

jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.

CVE-2018-17581

CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack consumption due to a recursive function, leading to Denial of service.

CVE-2018-19107

Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.

CVE-2018-19108

Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.

CVE-2018-19535

PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.

CVE-2018-20097

There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp. A crafted input will lead to a remote denial of service attack.

CVE-2019-13110

A CiffDirectory::readDirectory integer overflow and out-of-bounds read allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.

CVE-2019-13112

A PngChunk::parseChunkContent uncontrolled memory allocation allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.

CVE-2019-13114

http.c allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.

CVE-2019-13504

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp.

CVE-2019-14369

Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a denial of service (heap-based buffer over- read) via a crafted image file.

CVE-2019-14370

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service.

CVE-2019-17402

Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

CVE-2020-18771

Exiv2 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak.

CVE-2021-29458

An out-of-bounds read was found in Exiv2. The out-of- bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

CVE-2021-32815

The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`.

CVE-2021-34334

An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file.

CVE-2021-37620

An out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file.

CVE-2021-37621

An infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`).

CVE-2021-37622

An infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`).

For Debian 10 buster, these problems have been fixed in version 0.25-4+deb10u4.

We recommend that you upgrade your exiv2 packages.

For the detailed security status of exiv2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/exiv2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the exiv2 packages.

Plugin Details

Severity: High

ID: 169913

File Name: debian_DLA-3265.nasl

Version: 1.2

Type: local

Agent: unix

Family: Debian Local Security Checks

Published: 1/11/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2020-18771

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libexiv2-doc, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:exiv2, p-cpe:/a:debian:debian_linux:libexiv2-dev, p-cpe:/a:debian:debian_linux:libexiv2-14

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/11/2023

Vulnerability Publication Date: 7/24/2017

Reference Information

CVE: CVE-2017-11591, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-18005, CVE-2018-17581, CVE-2018-19107, CVE-2018-19108, CVE-2018-19535, CVE-2018-20097, CVE-2018-8976, CVE-2019-13110, CVE-2019-13112, CVE-2019-13114, CVE-2019-13504, CVE-2019-14369, CVE-2019-14370, CVE-2019-17402, CVE-2020-18771, CVE-2021-29458, CVE-2021-32815, CVE-2021-34334, CVE-2021-37620, CVE-2021-37621, CVE-2021-37622

Detections

Analytics