A exiv2 security update has been released for Debian GNU/Linux 10 LTS to address a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files.

DLA 3265-1: exiv2 security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3265-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Helmut Grohne
January 10, 2023   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : exiv2
Version : 0.25-4+deb10u4
CVE ID : CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864
CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581
CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097
CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504
CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771
CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620
CVE-2021-37621 CVE-2021-37622
Debian Bug : 876893 885981 886006 903813 910060 913272 913273 915135
932467 946341 987277 992705 992706

This update fixes a number of memory access violations and other input
validation failures that can be triggered by passing specially crafted files to
exiv2.

CVE-2017-11591

There is a Floating point exception in the Exiv2::ValueType function that
will lead to a remote denial of service attack via crafted input.

CVE-2017-14859

An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.

CVE-2017-14862

An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp. The vulnerability causes a
segmentation fault and application crash, which leads to denial of service.

CVE-2017-14864

An Invalid memory address dereference was discovered in Exiv2::getULong in
types.cpp. The vulnerability causes a segmentation fault and application
crash, which leads to denial of service.

CVE-2017-17669

There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A
crafted PNG file will lead to a remote denial of service attack.

CVE-2017-18005

Exiv2 has a Null Pointer Dereference in the Exiv2::DataValue::toLong
function in value.cpp, related to crafted metadata in a TIFF file.

CVE-2018-8976

jpgimage.cpp allows remote attackers to cause a denial of service
(image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted
file.

CVE-2018-17581

CiffDirectory::readDirectory() at crwimage_int.cpp has excessive stack
consumption due to a recursive function, leading to Denial of service.

CVE-2018-19107

Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD
image reader) may suffer from a denial of service (heap-based buffer
over-read) caused by an integer overflow via a crafted PSD image file.

CVE-2018-19108

Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may
suffer from a denial of service (infinite loop) caused by an integer
overflow via a crafted PSD image file.

CVE-2018-19535

PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service
(application crash due to a heap-based buffer over-read) via a crafted PNG
file.

CVE-2018-20097

There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
tiffimage_int.cpp. A crafted input will lead to a remote denial of service
attack.

CVE-2019-13110

A CiffDirectory::readDirectory integer overflow and out-of-bounds read
allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW
image file.

CVE-2019-13112

A PngChunk::parseChunkContent uncontrolled memory allocation allows an
attacker to cause a denial of service (crash due to an std::bad_alloc
exception) via a crafted PNG image file.

CVE-2019-13114

http.c allows a malicious http server to cause a denial of service (crash
due to a NULL pointer dereference) by returning a crafted response that
lacks a space character.

CVE-2019-13504

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in
mrwimage.cpp.

CVE-2019-14369

Exiv2::PngImage::readMetadata() in pngimage.cpp allows attackers to cause a
denial of service (heap-based buffer over- read) via a crafted image file.

CVE-2019-14370

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in
mrwimage.cpp. It could result in denial of service.

CVE-2019-17402

Exiv2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp
when called from Exiv2::Internal::CiffDirectory::readDirectory in
crwimage_int.cpp, because there is no validation of the relationship of the
total size to the offset and size.

CVE-2020-18771

Exiv2 has a global buffer over-read in
Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can
result in an information leak.

CVE-2021-29458

An out-of-bounds read was found in Exiv2. The out-of- bounds read is
triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
writing the metadata, which is a less frequently used Exiv2 operation than
reading the metadata. For example, to trigger the bug in the Exiv2
command-line application, you need to add an extra command-line argument
such as insert.

CVE-2021-32815

The assertion
failure is triggered when Exiv2 is used to modify the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. Note that this bug
is only triggered when modifying the metadata, which is a less
frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as `fi`.

CVE-2021-34334

An infinite loop is triggered when Exiv2 is used to read the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file.

CVE-2021-37620

An out-of-bounds read is triggered when Exiv2 is used to read the metadata
of a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file.

CVE-2021-37621

An infinite loop is triggered when Exiv2 is used to print the metadata of a
crafted image file. An attacker could potentially exploit the vulnerability
to cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file. Note that this bug is only triggered when
printing the image ICC profile, which is a less frequently used Exiv2
operation that requires an extra command line option (`-p C`).

CVE-2021-37622

An infinite loop is triggered when Exiv2 is used to modify the metadata of
a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the victim
into running Exiv2 on a crafted image file. Note that this bug is only
triggered when deleting the IPTC data, which is a less frequently used
Exiv2 operation that requires an extra command line option (`-d I rm`).

For Debian 10 buster, these problems have been fixed in version
0.25-4+deb10u4.

We recommend that you upgrade your exiv2 packages.

For the detailed security status of exiv2 please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/exiv2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS