MGASA-2021-0240 - Updated exiv2 packages fix security vulnerabilities
Publication date: 08 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0240.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-3482,
CVE-2021-29457,
CVE-2021-29458,
CVE-2021-29463,
CVE-2021-29464,
CVE-2021-29470,
CVE-2021-29473,
CVE-2021-29623,
CVE-2021-32617
The updated packages fix security vulnerabilities:
Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)
Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata.
(CVE-2021-29457)
Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to cause a denial of service. (CVE-2021-29463)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2021-29464)
Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)
Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)
Read of uninitialized memory may lead to information leak. (CVE-2021-29623)
DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)
References:
- https://bugs.mageia.org/show_bug.cgi?id=29008
- https://ubuntu.com/security/notices/USN-4941-1
- https://ubuntu.com/security/notices/USN-4964-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
SRPMS:
- 7/core/exiv2-0.27.1-3.5.mga7
- 8/core/exiv2-0.27.3-1.1.mga8
Mageia 2021-0240: exiv2 security update
The updated packages fix security vulnerabilities: Heap-based buffer overflow in Jp2Image::readMetadata()
Summary
CVE: CVE-2021-3482,
CVE-2021-29457,
CVE-2021-29458,
CVE-2021-29463,
CVE-2021-29464,
CVE-2021-29470,
CVE-2021-29473,
CVE-2021-29623,
CVE-2021-32617
The updated packages fix security vulnerabilities:
Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)
Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata.
(CVE-2021-29457)
Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to cause a denial of service. (CVE-2021-29463)
Exiv2 incorrectly handled certain files. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2021-29464)
Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)
Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)
Read of uninitialized memory may lead to information leak. (CVE-2021-29623)
DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)
Resolution
MGASA-2021-0240 - Updated exiv2 packages fix security vulnerabilities
References
- https://bugs.mageia.org/show_bug.cgi?id=29008
- https://ubuntu.com/security/notices/USN-4941-1
- https://ubuntu.com/security/notices/USN-4964-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
Severity
Issued Date: 08 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0240.html
Type: security
Affected Mageia releases: 7, 8
News
HOWTOs
Features
Secure Linux Hosting for Businesses
What Is Threat Intelligence?
CloudLinux Simplifies & Enhances Linux Security with its TuxCare Unified Enterprise Support Services
LinuxSecurity, Leading Provider of Linux Security News and Information, Unveils its New Website
Biden's New Executive Cybersecurity Order Highlights the Power of Open-Source Security
About Us
Powered By
