Detections
Analytics

Debian dla-3585 : exempi - security update

high Nessus Plugin ID 181857

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3585 advisory.

 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3585-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucaris September 25, 2023 https://wiki.debian.org/LTS
 - -------------------------------------------------------------------------

 Package : exempi Version : 2.5.0-2+deb10u1 CVE ID : CVE-2020-18651 CVE-2020-18652 CVE-2021-36045 CVE-2021-36046 CVE-2021-36047 CVE-2021-36048 CVE-2021-36050 CVE-2021-36051 CVE-2021-36052 CVE-2021-36053 CVE-2021-36054 CVE-2021-36055 CVE-2021-36056 CVE-2021-36057 CVE-2021-36058 CVE-2021-36064 CVE-2021-39847 CVE-2021-40716 CVE-2021-40732 CVE-2021-42528 CVE-2021-42529 CVE-2021-42530 CVE-2021-42531 CVE-2021-42532

 Multiple vulneratibilities were found in exempi, an implementation of XMP (Extensible Metadata Platform).

 CVE-2020-18651

 A Buffer Overflow vulnerability was found in function ID3_Support::ID3v2Frame::getFrameValue allows remote attackers to cause a denial of service.

 CVE-2020-18652

 A Buffer Overflow vulnerability was found in WEBP_Support.cpp allows remote attackers to cause a denial of service.

 CVE-2021-36045

 An out-of-bounds read vulnerability was found that could lead to disclosure of arbitrary memory.

 CVE-2021-36046

 A memory corruption vulnerability was found, potentially resulting in arbitrary code execution in the context of the current use

 CVE-2021-36047

 An Improper Input Validation vulnerability was found, potentially resulting in arbitrary code execution in the context of the current use.

 CVE-2021-36048

 An Improper Input Validation was found, potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-36050

 A buffer overflow vulnerability was found, potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-36051

 A buffer overflow vulnerability was found, potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-36052

 A memory corruption vulnerability was found, potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-36053

 An out-of-bounds read vulnerability was found, that could lead to disclosure of arbitrary memory.

 CVE-2021-36054

 A buffer overflow vulnerability was found potentially resulting in local application denial of service.

 CVE-2021-36055

 A use-after-free vulnerability was found that could result in arbitrary code execution.

 CVE-2021-36056

 A buffer overflow vulnerability was found, potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-36057

 A write-what-where condition vulnerability was found, caused during the application's memory allocation process.
 This may cause the memory management functions to become mismatched resulting in local application denial of service in the context of the current user.

 CVE-2021-36058

 An Integer Overflow vulnerability was found, potentially resulting in application-level denial of service in the context of the current user.

 CVE-2021-36064

 A Buffer Underflow vulnerability was found which could result in arbitrary code execution in the context of the current user

 CVE-2021-39847

 A stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-40716

 An out-of-bounds read vulnerability was found that could lead to disclosure of sensitive memory

 CVE-2021-40732

 A null pointer dereference vulnerability was found, that could result in leaking data from certain memory locations and causing a local denial of service

 CVE-2021-42528

 A Null pointer dereference vulnerability was found when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user.

 CVE-2021-42529

 A stack-based buffer overflow vulnerability was found potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-42530

 A stack-based buffer overflow vulnerability was found potentially resulting in arbitrary code execution in the context of the current user.

 CVE-2021-42531

 A stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user

 CVE-2021-42532

 A stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user.

 For Debian 10 buster, these problems have been fixed in version 2.5.0-2+deb10u1.

 We recommend that you upgrade your exempi packages.

 For the detailed security status of exempi please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/exempi

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the exempi packages.

See Also

https://security-tracker.debian.org/tracker/source-package/exempi

https://security-tracker.debian.org/tracker/CVE-2020-18651

https://security-tracker.debian.org/tracker/CVE-2020-18652

https://security-tracker.debian.org/tracker/CVE-2021-36045

https://security-tracker.debian.org/tracker/CVE-2021-36046

https://security-tracker.debian.org/tracker/CVE-2021-36047

https://security-tracker.debian.org/tracker/CVE-2021-36048

https://security-tracker.debian.org/tracker/CVE-2021-36050

https://security-tracker.debian.org/tracker/CVE-2021-36051

https://security-tracker.debian.org/tracker/CVE-2021-36052

https://security-tracker.debian.org/tracker/CVE-2021-36053

https://security-tracker.debian.org/tracker/CVE-2021-36054

https://security-tracker.debian.org/tracker/CVE-2021-36055

https://security-tracker.debian.org/tracker/CVE-2021-36056

https://security-tracker.debian.org/tracker/CVE-2021-36057

https://security-tracker.debian.org/tracker/CVE-2021-36058

https://security-tracker.debian.org/tracker/CVE-2021-36064

https://security-tracker.debian.org/tracker/CVE-2021-39847

https://security-tracker.debian.org/tracker/CVE-2021-40716

https://security-tracker.debian.org/tracker/CVE-2021-40732

https://security-tracker.debian.org/tracker/CVE-2021-42528

https://security-tracker.debian.org/tracker/CVE-2021-42529

https://security-tracker.debian.org/tracker/CVE-2021-42530

https://security-tracker.debian.org/tracker/CVE-2021-42531

https://security-tracker.debian.org/tracker/CVE-2021-42532

https://packages.debian.org/source/buster/exempi

Plugin Details

Severity: High

ID: 181857

File Name: debian_DLA-3585.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/26/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-42532

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:exempi, p-cpe:/a:debian:debian_linux:libexempi8, p-cpe:/a:debian:debian_linux:libexempi-dev

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/25/2023

Vulnerability Publication Date: 9/1/2021

Reference Information

CVE: CVE-2020-18651, CVE-2020-18652, CVE-2021-36045, CVE-2021-36046, CVE-2021-36047, CVE-2021-36048, CVE-2021-36050, CVE-2021-36051, CVE-2021-36052, CVE-2021-36053, CVE-2021-36054, CVE-2021-36055, CVE-2021-36056, CVE-2021-36057, CVE-2021-36058, CVE-2021-36064, CVE-2021-39847, CVE-2021-40716, CVE-2021-40732, CVE-2021-42528, CVE-2021-42529, CVE-2021-42530, CVE-2021-42531, CVE-2021-42532