
Fedora 27: 2018-fc9c5969b4 Critical: Exiv2 DoS and Buffer Issues

fedora
May 19, 2018
Urgent security patch for exiv2 on Fedora 27 addressing two heap-based buffer over-reads and a denial of service through uncontrolled recursion.
Security update for CVE-2017-17723, CVE-2017-17725, CVE-2018-5772

Summary

A command line utility to access image metadata, allowing one to:

* print the Exif metadata of Jpeg images as summary info, interpreted values, or the plain data for each tag
* print the Iptc metadata of Jpeg images
* print the Jpeg comment of Jpeg images
* set, add and delete Exif and Iptc metadata of Jpeg images
* adjust the Exif timestamp (that's how it all started...)
* rename Exif image files according to the Exif timestamp
* extract, insert and delete Exif metadata (including thumbnails), Iptc metadata and Jpeg comments


Change Log

* Thu May 3 2018 Germano Massullo - 0.26-10
- added patches that fix CVE-2017-17723 CVE-2017-17725 CVE-2017-5772
- moved 0006-1296-Fix-submitted.patch file from sources to package tree

* Tue Feb 20 2018 Rex Dieter - 0.26-9
- BR: gcc-c++

* Wed Feb 7 2018 Fedora Release Engineering - 0.26-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Sat Feb 3 2018 Igor Gnatenko - 0.26-7
- Switch to %ldconfig_scriptlets

References

[ 1 ] Bug #1545249 - CVE-2017-17723 exiv2: heap-based buffer over-read in Exiv2::Image::byteSwap4 in image.cpp
https://bugzilla.redhat.com/show_bug.cgi?id=1545249

[ 2 ] Bug #1545232 - CVE-2017-17725 exiv2: heap-based buffer over-read in Exiv2::getULong function in types.cpp
https://bugzilla.redhat.com/show_bug.cgi?id=1545232

[ 3 ] Bug #1536904 - CVE-2018-5772 exiv2: Uncontrolled recursion in image.cpp:Exiv2::Image::printIFDStructure() can allow a remote attacker to cause a denial of service via a crafted tif file
https://bugzilla.redhat.com/show_bug.cgi?id=1536904

Update Instructions

Install this update by running su -c 'dnf upgrade --advisory FEDORA-2018-fc9c5969b4' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 27
Version: 0.26
Release: 10.fc27
URL:
Summary: Exif and Iptc metadata manipulation library
