An exiv2 security update has been released for Arch Linux.

ASA-202106-54: exiv2: multiple issues

Arch Linux Security Advisory ASA-202106-54
==========================================
Severity: Low
Date    : 2021-06-22
CVE-ID  : CVE-2021-3482 CVE-2021-29457 CVE-2021-29458 CVE-2021-29463
          CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623
          CVE-2021-32617
Package : exiv2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1772

Summary
=======
The package exiv2 before version 0.27.4-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
==========
Upgrade to 0.27.4-1.

# pacman -Syu "exiv2>=0.27.4-1"

The problems have been fixed upstream in version 0.27.4.

Workaround
==========
None.

Description
===========
- CVE-2021-3482 (arbitrary code execution)

A security issue was found in Exiv2 in versions before version 0.27.4.
Improper input validation of the rawData.size property in
Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based
buffer overflow via a crafted JPG image containing malicious EXIF data.
An attacker could potentially exploit the vulnerability to gain code
execution, if they can trick the victim into running Exiv2 on a crafted
image file.
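
The failure mode described above, a size field taken from the file and trusted when filling a pre-sized buffer, as an added example that is not exiv2's code and does not reproduce the JP2 box format: a constructed length-prefixed layout is parsed once without a bounds check (the pattern behind a heap-based overflow, included for contrast and never executed here) and once with the declared length validated against both the bytes actually present and the destination capacity before anything is copied. Box, parseBoxChecked, kRawCapacity and the sample layout are assumptions for the illustration, not names from the project.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Constructed container layout for this demonstration only (not the JP2 box
// format and not exiv2's code): a 4-byte big-endian payload length followed
// by the payload bytes.
struct Box {
    uint32_t declaredLen = 0;
    std::vector<uint8_t> payload;
};

static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Fixed-size destination, standing in for a raw-data buffer allocated before
// the file contents are known.
constexpr size_t kRawCapacity = 64;

// VULNERABLE PATTERN (never called in this example): the length read from the
// file is trusted. A crafted value larger than kRawCapacity writes past the end
// of the destination allocation; a value larger than the file reads past its end.
void parseBoxUnchecked(const std::vector<uint8_t>& file, uint8_t* rawData) {
    uint32_t len = readBE32(file.data());
    std::memcpy(rawData, file.data() + 4, len);   // no bounds check on len
}

// HARDENED PATTERN: accept the box only if the declared length fits both the
// bytes actually present after the header and the destination capacity.
// Returns false (and leaves `out` untouched) when the input must be rejected.
bool parseBoxChecked(const std::vector<uint8_t>& file, Box& out,
                     size_t capacity = kRawCapacity) {
    if (file.size() < 4) return false;             // header incomplete
    uint32_t len = readBE32(file.data());
    size_t remaining = file.size() - 4;
    if (len > remaining) return false;             // would read past end of file
    if (len > capacity)  return false;             // would overflow destination
    out.declaredLen = len;
    out.payload.assign(file.begin() + 4, file.begin() + 4 + len);
    return true;
}

// Builds a constructed file image: a header claiming `declared` bytes,
// followed by whatever payload is actually supplied (the two may disagree).
std::vector<uint8_t> makeFile(uint32_t declared, const std::string& payload) {
    std::vector<uint8_t> f = { uint8_t(declared >> 24), uint8_t(declared >> 16),
                               uint8_t(declared >> 8),  uint8_t(declared) };
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

// Convenience wrapper: does the hardened parser accept this file image?
bool accepts(uint32_t declared, const std::string& payload,
             size_t capacity = kRawCapacity) {
    Box b;
    return parseBoxChecked(makeFile(declared, payload), b, capacity);
}
```

The two rejection branches are deliberately separate: a declared length that exceeds the remaining file bytes is the out-of-bounds read case, and one that exceeds the destination capacity is the overflow-on-write case; a fix that checks only one of them leaves the other reachable.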

- CVE-2021-29457 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when _writing_ the metadata, which
is a less frequently used Exiv2 operation than _reading_ the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29458 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29463 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29464 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29470 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29473 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. An
attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29623 (information disclosure)

A read of uninitialized memory was found in Exiv2 before version
0.27.4. The read of uninitialized memory is triggered when Exiv2 is
used to read the metadata of a crafted image file. An attacker could
potentially exploit the vulnerability to leak a few bytes of stack
memory, if they can trick the victim into running Exiv2 on a crafted
image file.

- CVE-2021-32617 (denial of service)

An inefficient algorithm (quadratic complexity) was found in Exiv2
before version 0.27.4. The inefficient algorithm is triggered when
Exiv2 is used to write metadata into a crafted image file. An attacker
could potentially exploit the vulnerability to cause a denial of
service, if they can trick the victim into running Exiv2 on a crafted
image file.

Note that this bug is only triggered when _writing_ the metadata, which
is a less frequently used Exiv2 operation than _reading_ the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as rm.

Impact
======
Reading or writing EXIF metadata of a crafted image file could lead to
arbitrary code execution.

References
==========
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9
  https://github.com/Exiv2/exiv2/issues/1522
  https://github.com/Exiv2/exiv2/pull/1523
  https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
  https://github.com/Exiv2/exiv2/issues/1529
  https://github.com/Exiv2/exiv2/pull/1534
  https://github.com/Exiv2/exiv2/commit/13e5a3e02339b746abcaee6408893ca2fd8e289d
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
  https://github.com/Exiv2/exiv2/issues/1530
  https://github.com/Exiv2/exiv2/pull/1536
  https://github.com/Exiv2/exiv2/pull/1539
  https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
  https://github.com/Exiv2/exiv2/pull/1577
  https://github.com/Exiv2/exiv2/commit/d639e45c2cdc18b9b49b1307c6e4315277fa8cc4
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
  https://github.com/Exiv2/exiv2/pull/1576
  https://github.com/Exiv2/exiv2/commit/0357f341e43f6e14123f227946574231ba379637
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
  https://github.com/Exiv2/exiv2/pull/1581
  https://github.com/Exiv2/exiv2/commit/f6ee71526eef5649a529ac6da3f2843e3b63e227
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
  https://github.com/Exiv2/exiv2/pull/1587
  https://github.com/Exiv2/exiv2/commit/e6a0982f7cd9282052b6e3485a458d60629ffa0b
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
  https://github.com/Exiv2/exiv2/pull/1627
  https://github.com/Exiv2/exiv2/commit/0f9eb74c44c908e170a64cab590949d53749af8e
  https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
  https://github.com/Exiv2/exiv2/pull/1657
  https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d
  https://security.archlinux.org/CVE-2021-3482
  https://security.archlinux.org/CVE-2021-29457
  https://security.archlinux.org/CVE-2021-29458
  https://security.archlinux.org/CVE-2021-29463
  https://security.archlinux.org/CVE-2021-29464
  https://security.archlinux.org/CVE-2021-29470
  https://security.archlinux.org/CVE-2021-29473
  https://security.archlinux.org/CVE-2021-29623
  https://security.archlinux.org/CVE-2021-32617