Arch Linux Security Advisory ASA-202106-54
==========================================

Severity: Low
Date    : 2021-06-22
CVE-ID  : CVE-2021-3482  CVE-2021-29457 CVE-2021-29458 CVE-2021-29463
          CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623
          CVE-2021-32617
Package : exiv2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1772

Summary
=======

The package exiv2 before version 0.27.4-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
==========

Upgrade to 0.27.4-1.

# pacman -Syu "exiv2>=0.27.4-1"

The problems have been fixed upstream in version 0.27.4.
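
A version check for the fixed version named above, added here as an example and not part of the Arch advisory. It assumes Arch-style "pkgver-pkgrel" strings with purely numeric, dot-separated components and no epoch; on a real Arch host pacman's own `vercmp` is the authoritative comparison, this script only documents the logic.

```shell
#!/bin/sh
# Added example, not part of the Arch advisory: report whether an installed
# exiv2 package version is at or above the fixed version 0.27.4-1.
# Assumptions: "pkgver-pkgrel" strings with purely numeric, dot-separated
# components; epochs ("1:") are not handled.
FIXED_VERSION="0.27.4-1"

# Compare two dotted numeric strings component by component; a missing
# component counts as 0. Prints -1, 0 or 1 like pacman's vercmp.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# pkgrel after the last '-', or 0 when the string carries none.
pkgrel_of() { case $1 in *-*) printf '%s\n' "${1##*-}" ;; *) printf '%s\n' 0 ;; esac; }

# Compare "pkgver-pkgrel" strings: pkgver first, then pkgrel.
vercmp_simple() {
    r=$(cmp_dotted "${1%-*}" "${2%-*}")
    if [ "$r" -ne 0 ]; then printf '%s\n' "$r"; return; fi
    cmp_dotted "$(pkgrel_of "$1")" "$(pkgrel_of "$2")"
}

# True (exit 0) when the given version already contains the fixes.
exiv2_is_fixed() {
    [ "$(vercmp_simple "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Query the local package database when pacman is available.
if installed=$(pacman -Q exiv2 2>/dev/null); then
    ver=${installed#exiv2 }
    if exiv2_is_fixed "$ver"; then
        echo "exiv2 $ver: fixed (>= $FIXED_VERSION)"
    else
        echo "exiv2 $ver: affected by ASA-202106-54, upgrade to $FIXED_VERSION"
    fi
fi
```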

Workaround
==========

None.

Description
===========

- CVE-2021-3482 (arbitrary code execution)

A security issue was found in Exiv2 in versions before version 0.27.4.
Improper input validation of the rawData.size property in
Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based
buffer overflow via a crafted JPG image containing malicious EXIF data.
An attacker could potentially exploit the vulnerability to gain code
execution, if they can trick the victim into running Exiv2 on a crafted
image file.

- CVE-2021-29457 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when _writing_ the metadata, which
is a less frequently used Exiv2 operation than _reading_ the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29458 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29463 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29464 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29470 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29473 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. An
attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

- CVE-2021-29623 (information disclosure)

A read of uninitialized memory was found in Exiv2 before version
0.27.4. The read of uninitialized memory is triggered when Exiv2 is
used to read the metadata of a crafted image file. An attacker could
potentially exploit the vulnerability to leak a few bytes of stack
memory, if they can trick the victim into running Exiv2 on a crafted
image file.

- CVE-2021-32617 (denial of service)

An inefficient algorithm (quadratic complexity) was found in Exiv2
before version 0.27.4. The inefficient algorithm is triggered when
Exiv2 is used to write metadata into a crafted image file. An attacker
could potentially exploit the vulnerability to cause a denial of
service, if they can trick the victim into running Exiv2 on a crafted
image file.

Note that this bug is only triggered when _writing_ the metadata, which
is a less frequently used Exiv2 operation than _reading_ the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as rm.

Impact
======

Reading or writing EXIF metadata of a crafted image file could lead to
arbitrary code execution.

References
==========

https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9
https://github.com/Exiv2/exiv2/issues/1522
https://github.com/Exiv2/exiv2/pull/1523
https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
https://github.com/Exiv2/exiv2/issues/1529
https://github.com/Exiv2/exiv2/pull/1534
https://github.com/Exiv2/exiv2/commit/13e5a3e02339b746abcaee6408893ca2fd8e289d
https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
https://github.com/Exiv2/exiv2/issues/1530
https://github.com/Exiv2/exiv2/pull/1536
https://github.com/Exiv2/exiv2/pull/1539
https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
https://github.com/Exiv2/exiv2/pull/1577
https://github.com/Exiv2/exiv2/commit/d639e45c2cdc18b9b49b1307c6e4315277fa8cc4
https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
https://github.com/Exiv2/exiv2/pull/1576
https://github.com/Exiv2/exiv2/commit/0357f341e43f6e14123f227946574231ba379637
https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
https://github.com/Exiv2/exiv2/pull/1581
https://github.com/Exiv2/exiv2/commit/f6ee71526eef5649a529ac6da3f2843e3b63e227
https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
https://github.com/Exiv2/exiv2/pull/1587
https://github.com/Exiv2/exiv2/commit/e6a0982f7cd9282052b6e3485a458d60629ffa0b
https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
https://github.com/Exiv2/exiv2/pull/1627
https://github.com/Exiv2/exiv2/commit/0f9eb74c44c908e170a64cab590949d53749af8e
https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
https://github.com/Exiv2/exiv2/pull/1657
https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d
https://security.archlinux.org/CVE-2021-3482
https://security.archlinux.org/CVE-2021-29457
https://security.archlinux.org/CVE-2021-29458
https://security.archlinux.org/CVE-2021-29463
https://security.archlinux.org/CVE-2021-29464
https://security.archlinux.org/CVE-2021-29470
https://security.archlinux.org/CVE-2021-29473
https://security.archlinux.org/CVE-2021-29623
https://security.archlinux.org/CVE-2021-32617