- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3585-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
September 25, 2023                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : exempi
Version        : 2.5.0-2+deb10u1
CVE ID         : CVE-2020-18651 CVE-2020-18652 CVE-2021-36045 CVE-2021-36046 
                 CVE-2021-36047 CVE-2021-36048 CVE-2021-36050 CVE-2021-36051 
                 CVE-2021-36052 CVE-2021-36053 CVE-2021-36054 CVE-2021-36055 
                 CVE-2021-36056 CVE-2021-36057 CVE-2021-36058 CVE-2021-36064 
                 CVE-2021-39847 CVE-2021-40716 CVE-2021-40732 CVE-2021-42528
		 CVE-2021-42529 CVE-2021-42530 CVE-2021-42531 CVE-2021-42532

Multiple vulneratibilities were found in exempi, an implementation of XMP
(Extensible Metadata Platform).

CVE-2020-18651

    A Buffer Overflow vulnerability was found
    in function ID3_Support::ID3v2Frame::getFrameValue
    allows remote attackers to cause a denial of service.

CVE-2020-18652

    A Buffer Overflow vulnerability was found in
    WEBP_Support.cpp allows remote attackers to cause a
    denial of service.

CVE-2021-36045

    An out-of-bounds read vulnerability was found
    that could lead to disclosure of arbitrary memory.

CVE-2021-36046

    A memory corruption vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current use

CVE-2021-36047

    An Improper Input Validation vulnerability was found,
    potentially resulting in arbitrary
    code execution in the context of the current use.

CVE-2021-36048

    An Improper Input Validation was found,
    potentially resulting in arbitrary
    code execution in the context of the current user.

CVE-2021-36050

    A buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36051

    A buffer overflow vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36052

    A memory corruption vulnerability was found,
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-36053

    An out-of-bounds read vulnerability was found,
    that could lead to disclosure of arbitrary memory.

CVE-2021-36054

    A buffer overflow vulnerability was found potentially
    resulting in local application denial of service.

CVE-2021-36055

    A use-after-free vulnerability was found that could
    result in arbitrary code execution.

CVE-2021-36056

    A buffer overflow vulnerability was found, potentially
    resulting in arbitrary code execution in the context of
    the current user.

CVE-2021-36057

     A write-what-where condition vulnerability was found,
     caused during the application's memory allocation process.
     This may cause the memory management functions to become
     mismatched resulting in local application denial of service
     in the context of the current user.

CVE-2021-36058

    An Integer Overflow vulnerability was found, potentially
    resulting in application-level denial of service in the
    context of the current user.

CVE-2021-36064

    A Buffer Underflow vulnerability was found which
    could result in arbitrary code execution in the context
    of the current user

CVE-2021-39847

    A stack-based buffer overflow vulnerability
    potentially resulting in arbitrary code execution in the
    context of the current user.

CVE-2021-40716

    An out-of-bounds read vulnerability was found that
    could lead to disclosure of sensitive memory

CVE-2021-40732

    A null pointer dereference vulnerability was found,
    that could result in leaking data from certain memory
    locations and causing a local denial of service

CVE-2021-42528

    A Null pointer dereference vulnerability was found
    when parsing a specially crafted file. An unauthenticated attacker
    could leverage this vulnerability to achieve an application
    denial-of-service in the context of the current user.

CVE-2021-42529

    A stack-based buffer overflow vulnerability was found
    potentially resulting in arbitrary code execution
    in the context of the current user.

CVE-2021-42530

    A stack-based buffer overflow vulnerability was found
    potentially resulting in arbitrary code execution in the
    context of the current user.

CVE-2021-42531

    A stack-based buffer overflow vulnerability
    potentially resulting in arbitrary code execution in
    the context of the current user

CVE-2021-42532

    A stack-based buffer overflow vulnerability
    potentially resulting in arbitrary code execution in the
    context of the current user.

For Debian 10 buster, these problems have been fixed in version
2.5.0-2+deb10u1.

We recommend that you upgrade your exempi packages.

For the detailed security status of exempi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/exempi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3585-1: exempi security update

September 25, 2023
Multiple vulneratibilities were found in exempi, an implementation of XMP (Extensible Metadata Platform)

Summary

CVE-2020-18651

A Buffer Overflow vulnerability was found
in function ID3_Support::ID3v2Frame::getFrameValue
allows remote attackers to cause a denial of service.

CVE-2020-18652

A Buffer Overflow vulnerability was found in
WEBP_Support.cpp allows remote attackers to cause a
denial of service.

CVE-2021-36045

An out-of-bounds read vulnerability was found
that could lead to disclosure of arbitrary memory.

CVE-2021-36046

A memory corruption vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current use

CVE-2021-36047

An Improper Input Validation vulnerability was found,
potentially resulting in arbitrary
code execution in the context of the current use.

CVE-2021-36048

An Improper Input Validation was found,
potentially resulting in arbitrary
code execution in the context of the current user.

CVE-2021-36050

A buffer overflow vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36051

A buffer overflow vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36052

A memory corruption vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36053

An out-of-bounds read vulnerability was found,
that could lead to disclosure of arbitrary memory.

CVE-2021-36054

A buffer overflow vulnerability was found potentially
resulting in local application denial of service.

CVE-2021-36055

A use-after-free vulnerability was found that could
result in arbitrary code execution.

CVE-2021-36056

A buffer overflow vulnerability was found, potentially
resulting in arbitrary code execution in the context of
the current user.

CVE-2021-36057

A write-what-where condition vulnerability was found,
caused during the application's memory allocation process.
This may cause the memory management functions to become
mismatched resulting in local application denial of service
in the context of the current user.

CVE-2021-36058

An Integer Overflow vulnerability was found, potentially
resulting in application-level denial of service in the
context of the current user.

CVE-2021-36064

A Buffer Underflow vulnerability was found which
could result in arbitrary code execution in the context
of the current user

CVE-2021-39847

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in the
context of the current user.

CVE-2021-40716

An out-of-bounds read vulnerability was found that
could lead to disclosure of sensitive memory

CVE-2021-40732

A null pointer dereference vulnerability was found,
that could result in leaking data from certain memory
locations and causing a local denial of service

CVE-2021-42528

A Null pointer dereference vulnerability was found
when parsing a specially crafted file. An unauthenticated attacker
could leverage this vulnerability to achieve an application
denial-of-service in the context of the current user.

CVE-2021-42529

A stack-based buffer overflow vulnerability was found
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-42530

A stack-based buffer overflow vulnerability was found
potentially resulting in arbitrary code execution in the
context of the current user.

CVE-2021-42531

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in
the context of the current user

CVE-2021-42532

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in the
context of the current user.

For Debian 10 buster, these problems have been fixed in version
2.5.0-2+deb10u1.

We recommend that you upgrade your exempi packages.

For the detailed security status of exempi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/exempi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : exempi
Version : 2.5.0-2+deb10u1
CVE ID : CVE-2020-18651 CVE-2020-18652 CVE-2021-36045 CVE-2021-36046

Related News

2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved