6.8 - RHSA-2019:2101

Problem Description:

An update for exiv2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments.

The following packages have been upgraded to a later upstream version: exiv2 (0.27.0). (BZ#1652637)

Security Fix(es):

* exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp (CVE-2017-17724)

* exiv2: out-of-bounds read in Exiv2::Internal::stringFormat image.cpp (CVE-2018-8976)

* exiv2: invalid memory access in Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp (CVE-2018-8977)

* exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9305)

* exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file (CVE-2018-10772)

* exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() (CVE-2018-10958)

* exiv2: SIGABRT by triggering an incorrect Safe::add call (CVE-2018-10998)

* exiv2: information leak via a crafted file (CVE-2018-11037)

* exiv2: integer overflow in getData function in preview.cpp (CVE-2018-12264)

* exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp (CVE-2018-12265)

* exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp (CVE-2018-14046)

* exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash (CVE-2018-17282)

* exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service (CVE-2018-17581)

* exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp (CVE-2018-18915)

* exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp (CVE-2018-19107)

* exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp (CVE-2018-19108)

* exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp (CVE-2018-19535)

* exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp (CVE-2018-19607)

* exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service (CVE-2018-20096)

* exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function (CVE-2018-20097)

* exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20098)

* exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20099)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1465061 - There is an invalid free in Image::printIFDStructure that leads to a Segmentation fault at exiv2. A crafted input will lead to remote denial of service attack. 1470729 - There is a heap overflow in the software exiv2. 1470737 - There is an invalid free in Action::TaskFactory::cleanup funtion of actions.cpp in exiv2. A crafted input will lead to remote denial of service attack. 1470913 - There is an infinite loop in Exiv2::Image::printIFDStructure funtion of image.cpp in exiv2. A crafted input will lead to remote denial of service attack. 1470946 - There is a heap-buffer-overflow in image.cpp of exiv2. 1470950 - There is a Segmentation fault in the software exiv2 while the function Exiv2::XmpParser::terminate() is finished. 1471772 - There is an illegal address access in basicio.cpp of exiv2. 1473888 - There is a Floating point exception in Exiv2::ValueType of exiv2. 1473889 - There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2. 1475123 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2. 1475124 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2. 1482295 - There is a heap-buffer-overflow in basicio.cpp of exiv2. 1482296 - There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() of exiv2 1482423 - There is a heap-buffer-overflow in the software exiv2 which is triggered in Exiv2::Image::io function. 1494443 - Null pointer dereference vulnerability in Exiv2::Image::printIFDStructure (image.cpp:408) 1494467 - Invalid memory address dereference in Exiv2::getULong(types.cpp:246) 1494776 - It is a heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (jp2image.cpp:277) 1494778 - It is a heap-buffer-overflow in Exiv2::us2Data (types.cpp:346) 1494780 - Invalid memory address dereference in Exiv2::StringValueBase::read ( in value.cpp:302) 1494781 - It is a heap-buffer-overflow in Exiv2::s2Data (types.cpp:383) 1494782 - It is a heap-buffer-overflow in Exiv2::l2Data (types.cpp:398) 1494786 - Invalid memory address dereference in Exiv2::DataValue::read (value.cpp:193) 1494787 - it is a stack-overflow vulnerability in Exiv2::Internal::stringFormat[abi:cxx11] ( in image.cpp:975 ) 1495043 - bad free in Exiv2::Image::~Image (image.cpp:173) 1524104 - exiv2 library: heap-based buffer over-read in Exiv2::Image::byteSwap4 (image.cpp) 1524107 - exiv2 library: heap-based buffer over-read in Exiv2::IptcData::printStructure (iptc.cpp) 1524116 - exiv2 library: assertion aborted in Exiv2::(anonymous namespace)::readHeader (bigtiffimage.cpp) 1525055 - exiv2 library: heap-buffer-overflow in Exiv2::getULong (types.cpp) 1537353 - Exiv2: integer overflow in floatToRationalCast function (src/types.cpp) 1545237 - CVE-2017-17724 exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp 1561213 - CVE-2018-8976 exiv2: out-of-bounds read in Exiv2::Internal::stringFormat image.cpp 1561217 - CVE-2018-8977 exiv2: invalid memory access in Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp 1566260 - There is a Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished 1566735 - CVE-2018-9305 exiv2: out of bounds read in IptcData::printStructure in iptc.c 1578659 - CVE-2018-10958 exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() 1579481 - CVE-2018-10998 exiv2: SIGABRT by triggering an incorrect Safe::add call 1579544 - CVE-2018-11037 exiv2: information leak via a crafted file 1590993 - CVE-2018-12264 exiv2: integer overflow in getData function in preview.cpp 1590994 - CVE-2018-12265 exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp 1594627 - CVE-2018-10772 exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file 1601628 - CVE-2018-14046 exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp 1632490 - CVE-2018-17282 exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash 1635045 - CVE-2018-17581 exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service 1646555 - CVE-2018-18915 exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp 1649094 - CVE-2018-19107 exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp 1649101 - CVE-2018-19108 exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp 1652637 - Rebase exiv2 to 0.27 1656187 - CVE-2018-19535 exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp 1656195 - CVE-2018-19607 exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp 1660423 - CVE-2018-20096 exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service 1660424 - CVE-2018-20097 exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function 1660425 - CVE-2018-20098 exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service 1660426 - CVE-2018-20099 exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service 1664361 - Gwenview + Exiv2 crash in Pentax camera files