Debian 10229 Published by

A exempi security update has been released for Debian GNU/Linux 10 LTS to address multiple vulnerabilities.



[SECURITY] [DLA 3585-1] exempi security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3585-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
September 25, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : exempi
Version : 2.5.0-2+deb10u1
CVE ID : CVE-2020-18651 CVE-2020-18652 CVE-2021-36045 CVE-2021-36046
CVE-2021-36047 CVE-2021-36048 CVE-2021-36050 CVE-2021-36051
CVE-2021-36052 CVE-2021-36053 CVE-2021-36054 CVE-2021-36055
CVE-2021-36056 CVE-2021-36057 CVE-2021-36058 CVE-2021-36064
CVE-2021-39847 CVE-2021-40716 CVE-2021-40732 CVE-2021-42528
CVE-2021-42529 CVE-2021-42530 CVE-2021-42531 CVE-2021-42532

Multiple vulneratibilities were found in exempi, an implementation of XMP
(Extensible Metadata Platform).

CVE-2020-18651

A Buffer Overflow vulnerability was found
in function ID3_Support::ID3v2Frame::getFrameValue
allows remote attackers to cause a denial of service.

CVE-2020-18652

A Buffer Overflow vulnerability was found in
WEBP_Support.cpp allows remote attackers to cause a
denial of service.

CVE-2021-36045

An out-of-bounds read vulnerability was found
that could lead to disclosure of arbitrary memory.

CVE-2021-36046

A memory corruption vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current use

CVE-2021-36047

An Improper Input Validation vulnerability was found,
potentially resulting in arbitrary
code execution in the context of the current use.

CVE-2021-36048

An Improper Input Validation was found,
potentially resulting in arbitrary
code execution in the context of the current user.

CVE-2021-36050

A buffer overflow vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36051

A buffer overflow vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36052

A memory corruption vulnerability was found,
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-36053

An out-of-bounds read vulnerability was found,
that could lead to disclosure of arbitrary memory.

CVE-2021-36054

A buffer overflow vulnerability was found potentially
resulting in local application denial of service.

CVE-2021-36055

A use-after-free vulnerability was found that could
result in arbitrary code execution.

CVE-2021-36056

A buffer overflow vulnerability was found, potentially
resulting in arbitrary code execution in the context of
the current user.

CVE-2021-36057

A write-what-where condition vulnerability was found,
caused during the application's memory allocation process.
This may cause the memory management functions to become
mismatched resulting in local application denial of service
in the context of the current user.

CVE-2021-36058

An Integer Overflow vulnerability was found, potentially
resulting in application-level denial of service in the
context of the current user.

CVE-2021-36064

A Buffer Underflow vulnerability was found which
could result in arbitrary code execution in the context
of the current user

CVE-2021-39847

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in the
context of the current user.

CVE-2021-40716

An out-of-bounds read vulnerability was found that
could lead to disclosure of sensitive memory

CVE-2021-40732

A null pointer dereference vulnerability was found,
that could result in leaking data from certain memory
locations and causing a local denial of service

CVE-2021-42528

A Null pointer dereference vulnerability was found
when parsing a specially crafted file. An unauthenticated attacker
could leverage this vulnerability to achieve an application
denial-of-service in the context of the current user.

CVE-2021-42529

A stack-based buffer overflow vulnerability was found
potentially resulting in arbitrary code execution
in the context of the current user.

CVE-2021-42530

A stack-based buffer overflow vulnerability was found
potentially resulting in arbitrary code execution in the
context of the current user.

CVE-2021-42531

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in
the context of the current user

CVE-2021-42532

A stack-based buffer overflow vulnerability
potentially resulting in arbitrary code execution in the
context of the current user.

For Debian 10 buster, these problems have been fixed in version
2.5.0-2+deb10u1.

We recommend that you upgrade your exempi packages.

For the detailed security status of exempi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exempi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS