Red Hat Product Errata RHSA-2021:4173 - Security Advisory

Issued:: 2021-11-09
Updated:: 2021-11-09

RHSA-2021:4173 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: exiv2 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for exiv2 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Exiv2 is a C++ library to access image metadata, supporting read and write access to the Exif, IPTC and XMP metadata, Exif MakerNote support, extract and delete methods for Exif thumbnails, classes to access Ifd, and support for various image formats.

The following packages have been upgraded to a later upstream version: exiv2 (0.27.4). (BZ#1989860)

Security Fix(es):

exiv2: Heap-based buffer overflow in Jp2Image::readMetadata() (CVE-2021-3482)
exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata (CVE-2021-29457)
exiv2: Out-of-bounds read in Exiv2::Internal::CrwMap::encode (CVE-2021-29458)
exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-29464)
exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-29470)
exiv2: Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata (CVE-2021-29473)
exiv2: Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS (CVE-2021-31292)
exiv2: Out-of-bounds read in Exiv2::WebPImage::doWriteMetadata (CVE-2021-29463)
exiv2: Use of uninitialized memory in isWebPType() may lead to information leak (CVE-2021-29623)
exiv2: DoS due to quadratic complexity in ProcessUTF8Portion (CVE-2021-32617)
exiv2: Out-of-bounds read in Exiv2::Jp2Image::printStructure (CVE-2021-37618)
exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-37619)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 8 x86_64
Red Hat Enterprise Linux for IBM z Systems 8 s390x
Red Hat Enterprise Linux for Power, little endian 8 ppc64le
Red Hat Enterprise Linux for ARM 64 8 aarch64
Red Hat CodeReady Linux Builder for x86_64 8 x86_64
Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x

Fixes

BZ - 1946314 - CVE-2021-3482 exiv2: Heap-based buffer overflow in Jp2Image::readMetadata()
BZ - 1952607 - CVE-2021-29458 exiv2: Out-of-bounds read in Exiv2::Internal::CrwMap::encode
BZ - 1952612 - CVE-2021-29457 exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
BZ - 1953708 - CVE-2021-29470 exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
BZ - 1954065 - CVE-2021-29473 exiv2: Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata
BZ - 1961650 - CVE-2021-29623 exiv2: Use of uninitialized memory in isWebPType() may lead to information leak
BZ - 1961691 - CVE-2021-32617 exiv2: DoS due to quadratic complexity in ProcessUTF8Portion
BZ - 1978100 - CVE-2021-29463 exiv2: Out-of-bounds read in Exiv2::WebPImage::doWriteMetadata
BZ - 1978105 - CVE-2021-29464 exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::encodeJp2Header
BZ - 1989860 - Rebase Exiv2 to 0.27.4
BZ - 1990330 - CVE-2021-31292 exiv2: Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS
BZ - 1992165 - CVE-2021-37618 exiv2: Out-of-bounds read in Exiv2::Jp2Image::printStructure
BZ - 1992174 - CVE-2021-37619 exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 8

SRPM
exiv2-0.27.4-5.el8.src.rpm	SHA-256: 57624ee8956e429a261f78a25f9dbb8d2d57a7168837379dc0d10176daca9f94
x86_64
exiv2-0.27.4-5.el8.x86_64.rpm	SHA-256: bf7423cd7a32cde80acff14c1d742542dc7c799294b9ee693c488ac71a418e04
exiv2-debuginfo-0.27.4-5.el8.i686.rpm	SHA-256: 8cc3de0ae4c9c25ba8b4887e090f71f866e2ea779d0ca533efee5440d0d00b34
exiv2-debuginfo-0.27.4-5.el8.x86_64.rpm	SHA-256: f463c406b40e00a8d8102538787ef03f3c791368d5cb53bf0facbfcae83d3e29
exiv2-debugsource-0.27.4-5.el8.i686.rpm	SHA-256: 75b4dc4b8ef59f44a53799347a6b1918f156b1fcc5f8ef9a728c09910d0d42aa
exiv2-debugsource-0.27.4-5.el8.x86_64.rpm	SHA-256: f238118361be4fb680691cdc5fb00fa02cb8d6f75cbe32601263ef7a3d84dd14
exiv2-libs-0.27.4-5.el8.i686.rpm	SHA-256: 0dce21f8d5b417806cbd26846be89535b631a7dca4c574563bfb95f5b4b3a796
exiv2-libs-0.27.4-5.el8.x86_64.rpm	SHA-256: e0cf12538c13a5a479bdf1a8e18155f014d7312d11171dfec16848cef4937395
exiv2-libs-debuginfo-0.27.4-5.el8.i686.rpm	SHA-256: 2b7df497d84a63f4f142782ab5c98557901b8ff5fcc1dcc2b90e22e89dee4ec5
exiv2-libs-debuginfo-0.27.4-5.el8.x86_64.rpm	SHA-256: 1d8cdd9737e9fb952750e9260a7cd19a6877e7b808a429a42e8a9e68246a3cd3

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
exiv2-0.27.4-5.el8.src.rpm	SHA-256: 57624ee8956e429a261f78a25f9dbb8d2d57a7168837379dc0d10176daca9f94
s390x
exiv2-0.27.4-5.el8.s390x.rpm	SHA-256: 4e3c62f8f4556e656163be193daa69483cc6f301b10ff4863ee59a29922ed474
exiv2-debuginfo-0.27.4-5.el8.s390x.rpm	SHA-256: 458000130b14e5214a7fe1772e21e0827a21c32d3f4eb98ba4caf26997db8faf
exiv2-debugsource-0.27.4-5.el8.s390x.rpm	SHA-256: 636738e33b56433a72fcee9222a4dc513aab7e04d05e2b9a563ca148a5933a7f
exiv2-libs-0.27.4-5.el8.s390x.rpm	SHA-256: 197b236d55b004e3c080da5bd77d4cda646e4309b6b94a21c70684f729d73a86
exiv2-libs-debuginfo-0.27.4-5.el8.s390x.rpm	SHA-256: 61bfd0a07ab6347fa6a02a25567ace1cd393e8e570c900c9b9b2dd66c423a587

Red Hat Enterprise Linux for Power, little endian 8

SRPM
exiv2-0.27.4-5.el8.src.rpm	SHA-256: 57624ee8956e429a261f78a25f9dbb8d2d57a7168837379dc0d10176daca9f94
ppc64le
exiv2-0.27.4-5.el8.ppc64le.rpm	SHA-256: 3982d0f4df39d6c7527341a7ea84460341e7ce29ac3d86325cfa745c14e158b5
exiv2-debuginfo-0.27.4-5.el8.ppc64le.rpm	SHA-256: c2db7fba68f3cc26a02d6ed3c2ccd57951ed456434eee54cdf28ef726218b864
exiv2-debugsource-0.27.4-5.el8.ppc64le.rpm	SHA-256: c2b3c51a241ab310cfbd6d322648390c18b261146b6bc92326584617feb7c847
exiv2-libs-0.27.4-5.el8.ppc64le.rpm	SHA-256: 01a0980fd38f9d7fa8174d0af775600d951a1c146e72447bdb83de59be5fc943
exiv2-libs-debuginfo-0.27.4-5.el8.ppc64le.rpm	SHA-256: 1bee81c05f198f40e5c5c20527732b504a5b5bc831470d090e0da2c005cb29a3

Red Hat Enterprise Linux for ARM 64 8

SRPM
exiv2-0.27.4-5.el8.src.rpm	SHA-256: 57624ee8956e429a261f78a25f9dbb8d2d57a7168837379dc0d10176daca9f94
aarch64
exiv2-0.27.4-5.el8.aarch64.rpm	SHA-256: 5b4dfc8e143ef20336284ea8d80dc6d87d4f1d5a561d6f0359dd0204f8f6d5ad
exiv2-debuginfo-0.27.4-5.el8.aarch64.rpm	SHA-256: 778bc3fe44b068c062c7f3e108f71219398caaee2346f7d0aac6f3b73144c758
exiv2-debugsource-0.27.4-5.el8.aarch64.rpm	SHA-256: 9516af8ae383b3f1758f9aa2b575bb6dece595d48847643e76688fd2d292f9b9
exiv2-libs-0.27.4-5.el8.aarch64.rpm	SHA-256: 49f956e2cfc98435938e366d69222b82c5ec44ac6b9433a1e2c23032d3b74865
exiv2-libs-debuginfo-0.27.4-5.el8.aarch64.rpm	SHA-256: 4232af0e9bd38ce9f69b3ee601b595dfb5e10d7fb21d68b36a5b75e235d9f7f8

Red Hat CodeReady Linux Builder for x86_64 8

SRPM
x86_64
exiv2-debuginfo-0.27.4-5.el8.i686.rpm	SHA-256: 8cc3de0ae4c9c25ba8b4887e090f71f866e2ea779d0ca533efee5440d0d00b34
exiv2-debuginfo-0.27.4-5.el8.x86_64.rpm	SHA-256: f463c406b40e00a8d8102538787ef03f3c791368d5cb53bf0facbfcae83d3e29
exiv2-debugsource-0.27.4-5.el8.i686.rpm	SHA-256: 75b4dc4b8ef59f44a53799347a6b1918f156b1fcc5f8ef9a728c09910d0d42aa
exiv2-debugsource-0.27.4-5.el8.x86_64.rpm	SHA-256: f238118361be4fb680691cdc5fb00fa02cb8d6f75cbe32601263ef7a3d84dd14
exiv2-devel-0.27.4-5.el8.i686.rpm	SHA-256: 641123bbf419438436ed99dc31191a851324781c15e9732005f2402dfeae7887
exiv2-devel-0.27.4-5.el8.x86_64.rpm	SHA-256: 84f354eae6d784f8972f8b7597d25818ccd863f0312cae5e6bf0eed322d27e13
exiv2-doc-0.27.4-5.el8.noarch.rpm	SHA-256: 5180fa31ecc6f39b645209fb22d88f5449db280e9c285890f0233e9347bc6248
exiv2-libs-debuginfo-0.27.4-5.el8.i686.rpm	SHA-256: 2b7df497d84a63f4f142782ab5c98557901b8ff5fcc1dcc2b90e22e89dee4ec5
exiv2-libs-debuginfo-0.27.4-5.el8.x86_64.rpm	SHA-256: 1d8cdd9737e9fb952750e9260a7cd19a6877e7b808a429a42e8a9e68246a3cd3

Red Hat CodeReady Linux Builder for Power, little endian 8

SRPM
ppc64le
exiv2-debuginfo-0.27.4-5.el8.ppc64le.rpm	SHA-256: c2db7fba68f3cc26a02d6ed3c2ccd57951ed456434eee54cdf28ef726218b864
exiv2-debugsource-0.27.4-5.el8.ppc64le.rpm	SHA-256: c2b3c51a241ab310cfbd6d322648390c18b261146b6bc92326584617feb7c847
exiv2-devel-0.27.4-5.el8.ppc64le.rpm	SHA-256: 212ed5feec19101340011d9d2bd6bbd5e2ab13f18c975818e7ee68ee89e18f93
exiv2-doc-0.27.4-5.el8.noarch.rpm	SHA-256: 5180fa31ecc6f39b645209fb22d88f5449db280e9c285890f0233e9347bc6248
exiv2-libs-debuginfo-0.27.4-5.el8.ppc64le.rpm	SHA-256: 1bee81c05f198f40e5c5c20527732b504a5b5bc831470d090e0da2c005cb29a3

Red Hat CodeReady Linux Builder for ARM 64 8

SRPM
aarch64
exiv2-debuginfo-0.27.4-5.el8.aarch64.rpm	SHA-256: 778bc3fe44b068c062c7f3e108f71219398caaee2346f7d0aac6f3b73144c758
exiv2-debugsource-0.27.4-5.el8.aarch64.rpm	SHA-256: 9516af8ae383b3f1758f9aa2b575bb6dece595d48847643e76688fd2d292f9b9
exiv2-devel-0.27.4-5.el8.aarch64.rpm	SHA-256: bd560a2a0733cb0b77ea64e870395f45b1e6981fad147ab4949c3fe1eb8100b4
exiv2-doc-0.27.4-5.el8.noarch.rpm	SHA-256: 5180fa31ecc6f39b645209fb22d88f5449db280e9c285890f0233e9347bc6248
exiv2-libs-debuginfo-0.27.4-5.el8.aarch64.rpm	SHA-256: 4232af0e9bd38ce9f69b3ee601b595dfb5e10d7fb21d68b36a5b75e235d9f7f8

Red Hat CodeReady Linux Builder for IBM z Systems 8

SRPM
s390x
exiv2-debuginfo-0.27.4-5.el8.s390x.rpm	SHA-256: 458000130b14e5214a7fe1772e21e0827a21c32d3f4eb98ba4caf26997db8faf
exiv2-debugsource-0.27.4-5.el8.s390x.rpm	SHA-256: 636738e33b56433a72fcee9222a4dc513aab7e04d05e2b9a563ca148a5933a7f
exiv2-devel-0.27.4-5.el8.s390x.rpm	SHA-256: c92e1006cbad5353b7c728ee6881a45e18da68aebe3451ddbff5a946803e99bb
exiv2-doc-0.27.4-5.el8.noarch.rpm	SHA-256: 5180fa31ecc6f39b645209fb22d88f5449db280e9c285890f0233e9347bc6248
exiv2-libs-debuginfo-0.27.4-5.el8.s390x.rpm	SHA-256: 61bfd0a07ab6347fa6a02a25567ace1cd393e8e570c900c9b9b2dd66c423a587

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation