MGASA-2021-0240 - Updated exiv2 packages fix security vulnerabilities
Publication date: 08 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0240.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-3482,
CVE-2021-29457,
CVE-2021-29458,
CVE-2021-29463,
CVE-2021-29464,
CVE-2021-29470,
CVE-2021-29473,
CVE-2021-29623,
CVE-2021-32617
The updated packages fix security vulnerabilities:
Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)
Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata.
(CVE-2021-29457)
Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to cause a denial of service. (CVE-2021-29463)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2021-29464)
Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)
Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)
Read of uninitialized memory may lead to information leak. (CVE-2021-29623)
DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)
References:
- https://bugs.mageia.org/show_bug.cgi?id=29008
- https://ubuntu.com/security/notices/USN-4941-1
- https://ubuntu.com/security/notices/USN-4964-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
SRPMS:
- 7/core/exiv2-0.27.1-3.5.mga7
- 8/core/exiv2-0.27.3-1.1.mga8
Mageia 2021-0240: exiv2 security update
The updated packages fix security vulnerabilities: Heap-based buffer overflow in Jp2Image::readMetadata()
Summary
The updated packages fix security vulnerabilities:
Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)
Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata.
(CVE-2021-29457)
Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to cause a denial of service. (CVE-2021-29463)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2021-29464)
Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)
Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)
Read of uninitialized memory may lead to information leak. (CVE-2021-29623)
DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)
References
- https://bugs.mageia.org/show_bug.cgi?id=29008
- https://ubuntu.com/security/notices/USN-4941-1
- https://ubuntu.com/security/notices/USN-4964-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
Resolution
MGASA-2021-0240 - Updated exiv2 packages fix security vulnerabilities
SRPMS
- 7/core/exiv2-0.27.1-3.5.mga7
- 8/core/exiv2-0.27.3-1.1.mga8
Severity
Publication date: 08 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0240.html
Type: security
CVE: CVE-2021-3482,
CVE-2021-29457,
CVE-2021-29458,
CVE-2021-29463,
CVE-2021-29464,
CVE-2021-29470,
CVE-2021-29473,
CVE-2021-29623,
CVE-2021-32617
News
HOWTOs
About Us
Powered By
Get Customized Security Advisories that Impact You Directly Create My Customized Advisories Now >>
To stay up-to-date on the latest open-source security news, feature articles and Linux distribution security advisories Subscribe to Our Newsletters!