Subject: [ASA-202106-54] exiv2: multiple issues

Arch Linux Security Advisory ASA-202106-54
==========================================

Severity: Low
Date    : 2021-06-22
CVE-ID  : CVE-2021-3482 CVE-2021-29457 CVE-2021-29458 CVE-2021-29463
          CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623
          CVE-2021-32617
Package : exiv2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1772

Summary
=======

The package exiv2 before version 0.27.4-1 is vulnerable to multiple issues including arbitrary code execution, denial of service and information disclosure.

Resolution
==========

Upgrade to 0.27.4-1.

# pacman -Syu "exiv2>=0.27.4-1"

The problems have been fixed upstream in version 0.27.4.

Workaround
==========

None.

Description
===========

- CVE-2021-3482 (arbitrary code execution)

A security issue was found in Exiv2 in versions before 0.27.4. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.

- CVE-2021-29457 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29458 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29463 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29464 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29470 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29473 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert.

- CVE-2021-29623 (information disclosure)

A read of uninitialized memory was found in Exiv2 before version 0.27.4. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.

- CVE-2021-32617 (denial of service)

An inefficient algorithm (quadratic complexity) was found in Exiv2 before version 0.27.4. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as rm.

Impact
======

Reading or writing EXIF metadata of a crafted image file could lead to arbitrary code execution.

References
==========

https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9
https://github.com/Exiv2/exiv2/issues/1522
https://github.com/Exiv2/exiv2/pull/1523
https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
https://github.com/Exiv2/exiv2/issues/1529
https://github.com/Exiv2/exiv2/pull/1534
https://github.com/Exiv2/exiv2/commit/13e5a3e02339b746abcaee6408893ca2fd8e289d
https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
https://github.com/Exiv2/exiv2/issues/1530
https://github.com/Exiv2/exiv2/pull/1536
https://github.com/Exiv2/exiv2/pull/1539
https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
https://github.com/Exiv2/exiv2/pull/1577
https://github.com/Exiv2/exiv2/commit/d639e45c2cdc18b9b49b1307c6e4315277fa8cc4
https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
https://github.com/Exiv2/exiv2/pull/1576
https://github.com/Exiv2/exiv2/commit/0357f341e43f6e14123f227946574231ba379637
https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
https://github.com/Exiv2/exiv2/pull/1581
https://github.com/Exiv2/exiv2/commit/f6ee71526eef5649a529ac6da3f2843e3b63e227
https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
https://github.com/Exiv2/exiv2/pull/1587
https://github.com/Exiv2/exiv2/commit/e6a0982f7cd9282052b6e3485a458d60629ffa0b
https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
https://github.com/Exiv2/exiv2/pull/1627
https://github.com/Exiv2/exiv2/commit/0f9eb74c44c908e170a64cab590949d53749af8e
https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
https://github.com/Exiv2/exiv2/pull/1657
https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d
https://security.archlinux.org/CVE-2021-3482
https://security.archlinux.org/CVE-2021-29457
https://security.archlinux.org/CVE-2021-29458
https://security.archlinux.org/CVE-2021-29463
https://security.archlinux.org/CVE-2021-29464
https://security.archlinux.org/CVE-2021-29470
https://security.archlinux.org/CVE-2021-29473
https://security.archlinux.org/CVE-2021-29623
https://security.archlinux.org/CVE-2021-32617
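The "improper input validation of rawData.size" behind CVE-2021-3482 in the Description is a length-field trust problem in a JP2 box parser. The following is an added example, not Exiv2's code: a minimal JP2 box walker in C that checks every declared box length against the bytes actually present before a real parser would allocate or copy a payload. The function names, the JP2_HDR constant and the sample buffers are assumptions constructed for this illustration; the box layout follows ISO/IEC 15444-1.

```c
/* Added example (not Exiv2 code): a JP2 box walker that never trusts a
 * declared box length. JP2 box header: LBox (4 bytes, big-endian), TBox
 * (4 bytes), XLBox (8 bytes) only when LBox == 1; LBox == 0 means EOF. */
#include <stddef.h>
#include <stdint.h>

#define JP2_HDR 8u   /* LBox + TBox */

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns the number of well-formed boxes in buf[0..len), or -1 at the first
 * box whose declared length is inconsistent with the bytes actually present.
 * A parser should only allocate or copy a box payload after this passes. */
int jp2_count_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t remain = len - off;
        if (remain < JP2_HDR) return -1;          /* truncated header */
        uint64_t box_len = rd_be32(buf + off);
        size_t hdr = JP2_HDR;
        if (box_len == 0) {
            box_len = remain;                     /* extends to end of data */
        } else if (box_len == 1) {
            if (remain < 16) return -1;           /* XLBox header missing */
            box_len = ((uint64_t)rd_be32(buf + off + 8) << 32) |
                      rd_be32(buf + off + 12);
            hdr = 16;
        }
        /* The essential check: the declared size must cover its own header
         * and must not exceed what is really in the buffer. Using the raw
         * value as an allocation or copy size without this is how a heap
         * overflow of the kind described for CVE-2021-3482 arises. */
        if (box_len < hdr || box_len > remain) return -1;
        off += (size_t)box_len;
        count++;
    }
    return count;
}

/* Constructed samples: a 12-byte signature box followed by a 20-byte ftyp
 * box (well formed), and the same bytes with ftyp's length forged. */
static const uint8_t k_good[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' ', 0,0,0,0, 'j','p','2',' ' };
static const uint8_t k_bad[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0x7F,0xFF,0xFF,0xFF, 'f','t','y','p', 'j','p','2',' ', 0,0,0,0, 'j','p','2',' ' };
```

jp2_count_boxes(k_good, sizeof k_good) returns 2, while the forged file is rejected with -1 at the second box instead of its 2 GiB length ever reaching an allocator or memcpy.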