RHSA-2019:2101 - Security Advisory

Topic

An update for exiv2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments.

The following packages have been upgraded to a later upstream version: exiv2 (0.27.0). (BZ#1652637)

Security Fix(es):

• exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp (CVE-2017-17724)
• exiv2: out-of-bounds read in Exiv2::Internal::stringFormat image.cpp (CVE-2018-8976)
• exiv2: invalid memory access in Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp (CVE-2018-8977)
• exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9305)
• exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file (CVE-2018-10772)
• exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() (CVE-2018-10958)
• exiv2: SIGABRT by triggering an incorrect Safe::add call (CVE-2018-10998)
• exiv2: information leak via a crafted file (CVE-2018-11037)
• exiv2: integer overflow in getData function in preview.cpp (CVE-2018-12264)
• exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp (CVE-2018-12265)
• exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp (CVE-2018-14046)
• exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash (CVE-2018-17282)
• exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service (CVE-2018-17581)
• exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp (CVE-2018-18915)
• exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp (CVE-2018-19107)
• exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp (CVE-2018-19108)
• exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp (CVE-2018-19535)
• exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp (CVE-2018-19607)
• exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service (CVE-2018-20096)
• exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function (CVE-2018-20097)
• exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20098)
• exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20099)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

• BZ - 1465061 - There is an invalid free in Image::printIFDStructure that leads to a Segmentation fault at exiv2. A crafted input will lead to remote denial of service attack.
• BZ - 1470729 - There is a heap overflow in the software exiv2.
• BZ - 1470737 - There is an invalid free in Action::TaskFactory::cleanup funtion of actions.cpp in exiv2. A crafted input will lead to remote denial of service attack.
• BZ - 1470913 - There is an infinite loop in Exiv2::Image::printIFDStructure funtion of image.cpp in exiv2. A crafted input will lead to remote denial of service attack.
• BZ - 1470946 - There is a heap-buffer-overflow in image.cpp of exiv2.
• BZ - 1470950 - There is a Segmentation fault in the software exiv2 while the function Exiv2::XmpParser::terminate() is finished.
• BZ - 1471772 - There is an illegal address access in basicio.cpp of exiv2.
• BZ - 1473888 - There is a Floating point exception in Exiv2::ValueType of exiv2.
• BZ - 1473889 - There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.
• BZ - 1475123 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.
• BZ - 1475124 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.
• BZ - 1482295 - There is a heap-buffer-overflow in basicio.cpp of exiv2.
• BZ - 1482296 - There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2
• BZ - 1482423 - There is a heap-buffer-overflow in the software exiv2 which is triggered in Exiv2::Image::io function.
• BZ - 1494443 - Null pointer dereference vulnerability in Exiv2::Image::printIFDStructure (image.cpp:408)
• BZ - 1494467 - Invalid memory address dereference in Exiv2::getULong(types.cpp:246)
• BZ - 1494776 - It is a heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (jp2image.cpp:277)
• BZ - 1494778 - It is a heap-buffer-overflow in Exiv2::us2Data (types.cpp:346)
• BZ - 1494780 - Invalid memory address dereference in Exiv2::StringValueBase::read ( in value.cpp:302)
• BZ - 1494781 - It is a heap-buffer-overflow in Exiv2::s2Data (types.cpp:383)
• BZ - 1494782 - It is a heap-buffer-overflow in Exiv2::l2Data (types.cpp:398)
• BZ - 1494786 - Invalid memory address dereference in Exiv2::DataValue::read (value.cpp:193)
• BZ - 1494787 - it is a stack-overflow vulnerability in Exiv2::Internal::stringFormat[abi:cxx11] ( in image.cpp:975 )
• BZ - 1495043 - bad free in Exiv2::Image::~Image (image.cpp:173)
• BZ - 1524104 - exiv2 library: heap-based buffer over-read in Exiv2::Image::byteSwap4 (image.cpp)
• BZ - 1524107 - exiv2 library: heap-based buffer over-read in Exiv2::IptcData::printStructure (iptc.cpp)
• BZ - 1524116 - exiv2 library: assertion aborted in Exiv2::(anonymous namespace)::readHeader (bigtiffimage.cpp)
• BZ - 1525055 - exiv2 library: heap-buffer-overflow in Exiv2::getULong (types.cpp)
• BZ - 1537353 - Exiv2: integer overflow in floatToRationalCast function (src/types.cpp)
• BZ - 1545237 - CVE-2017-17724 exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp
• BZ - 1561213 - CVE-2018-8976 exiv2: out-of-bounds read in Exiv2::Internal::stringFormat image.cpp
• BZ - 1561217 - CVE-2018-8977 exiv2: invalid memory access in Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp
• BZ - 1566260 - There is a Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished
• BZ - 1566735 - CVE-2018-9305 exiv2: out of bounds read in IptcData::printStructure in iptc.c
• BZ - 1578659 - CVE-2018-10958 exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress()
• BZ - 1579481 - CVE-2018-10998 exiv2: SIGABRT by triggering an incorrect Safe::add call
• BZ - 1579544 - CVE-2018-11037 exiv2: information leak via a crafted file
• BZ - 1590993 - CVE-2018-12264 exiv2: integer overflow in getData function in preview.cpp
• BZ - 1590994 - CVE-2018-12265 exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp
• BZ - 1594627 - CVE-2018-10772 exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file
• BZ - 1601628 - CVE-2018-14046 exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp
• BZ - 1632490 - CVE-2018-17282 exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash
• BZ - 1635045 - CVE-2018-17581 exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service
• BZ - 1646555 - CVE-2018-18915 exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp
• BZ - 1649094 - CVE-2018-19107 exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp
• BZ - 1649101 - CVE-2018-19108 exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp
• BZ - 1652637 - Rebase exiv2 to 0.27
• BZ - 1656187 - CVE-2018-19535 exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp
• BZ - 1656195 - CVE-2018-19607 exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp
• BZ - 1660423 - CVE-2018-20096 exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service
• BZ - 1660424 - CVE-2018-20097 exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function
• BZ - 1660425 - CVE-2018-20098 exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service
• BZ - 1660426 - CVE-2018-20099 exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service
• BZ - 1664361 - Gwenview + Exiv2 crash in Pentax camera files

CVEs

• CVE-2017-17724
• CVE-2018-4868
• CVE-2018-8976
• CVE-2018-8977
• CVE-2018-9305
• CVE-2018-10772
• CVE-2018-10958
• CVE-2018-10998
• CVE-2018-10999
• CVE-2018-11037
• CVE-2018-12264
• CVE-2018-12265
• CVE-2018-14046
• CVE-2018-17282
• CVE-2018-17581
• CVE-2018-18915
• CVE-2018-19107
• CVE-2018-19108
• CVE-2018-19535
• CVE-2018-19607
• CVE-2018-20096
• CVE-2018-20097
• CVE-2018-20098
• CVE-2018-20099
• CVE-2019-9143

References

• https://access.redhat.com/security/updates/classification/#low
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index