[ALSA-2020:1577] Moderate: exiv2 security, bug fix, and enhancement update
Release date:
The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments. The following packages have been upgraded to a later upstream version: exiv2 (0.27.2). (BZ#1651917) Security Fix(es): * exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS (CVE-2019-20421) * exiv2: null pointer dereference in the Exiv2::DataValue::toLong function in value.cpp (CVE-2017-18005) * exiv2: Excessive memory allocation in Exiv2::Jp2Image::readMetadata function in jp2image.cpp (CVE-2018-4868) * exiv2: assertion failure in BigTiffImage::readData in bigtiffimage.cpp (CVE-2018-9303) * exiv2: divide by zero in BigTiffImage::printIFD in bigtiffimage.cpp (CVE-2018-9304) * exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9305) * exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file (CVE-2018-10772) * exiv2: information leak via a crafted file (CVE-2018-11037) * exiv2: buffer overflow in samples/geotag.cpp (CVE-2018-14338) * exiv2: heap-based buffer overflow in Exiv2::d2Data in types.cpp (CVE-2018-17229) * exiv2: heap-based buffer overflow in Exiv2::ul2Data in types.cpp (CVE-2018-17230) * exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash (CVE-2018-17282) * exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service (CVE-2018-17581) * exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp (CVE-2018-18915) * exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp (CVE-2018-19107) * exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp (CVE-2018-19108) * exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp (CVE-2018-19535) * exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp (CVE-2018-19607) * exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service (CVE-2018-20096) * exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function (CVE-2018-20097) * exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20098) * exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20099) * exiv2: infinite recursion in Exiv2::Image::printTiffStructure in file image.cpp resulting in denial of service (CVE-2019-9143) * exiv2: denial of service in PngImage::readMetadata (CVE-2019-13109) * exiv2: integer overflow in WebPImage::decodeChunks leads to denial of service (CVE-2019-13111) * exiv2: uncontrolled memory allocation in PngChunk::parseChunkContent causing denial of service (CVE-2019-13112) * exiv2: invalid data location in CRW image file causing denial of service (CVE-2019-13113) * exiv2: null-pointer dereference in http.c causing denial of service (CVE-2019-13114) * exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9306) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 libgexiv2-devel-0.10.8-4.el8.aarch64.rpm 5b60730ac8deb94adf9e436aa944dd2ba00b33574219c3561c841ad264d1b40f
aarch64 gegl-0.2.0-39.el8.aarch64.rpm d2eb5d08b4730614b2ad166d73961fcb7b6ae79e17f3a36afff9d970df60abdc
aarch64 libgexiv2-0.10.8-4.el8.aarch64.rpm eb752b2592e16880567f238b26a05daf8cbae702c2db0b3eecdd9a955ce18ebd
i686 libgexiv2-devel-0.10.8-4.el8.i686.rpm 450ba7824d0b59f31b6fc8901448ff6e57fd7e19434397c146504871462a72b0
i686 libgexiv2-0.10.8-4.el8.i686.rpm 992c667dc85d603d3fd2bbc5ee6925c6b49ac6ce469a016885dd513185166ce9
i686 gegl-0.2.0-39.el8.i686.rpm c665f490cfd8f8fde7b5dc3091ba7c792191e5bc45b579f6f449203184847e28
i686 exiv2-devel-0.27.2-5.el8.i686.rpm f2d30f33f961e786ab12348414dcfb0044ca8c7f20f87af1482e6842177dfa14
noarch exiv2-doc-0.27.2-5.el8.noarch.rpm ae02e88f79d5bd056b249f519b1be4afab3e904e29db6a41e2b46af445087524
ppc64le gnome-color-manager-3.28.0-3.el8.ppc64le.rpm 364b870115cdc9847576944b14a3684318d97eab39aaeb31ae8936fc95c61c27
ppc64le gegl-0.2.0-39.el8.ppc64le.rpm ae7f65070c625498a437de642ba203db6f73629f2be3c19b96c6b9210df11c47
ppc64le libgexiv2-devel-0.10.8-4.el8.ppc64le.rpm da9a13b2f1f5d90c516ff3d5738ea3d5ba1cc86a2ae52d49c94fbdb83912c703
ppc64le libgexiv2-0.10.8-4.el8.ppc64le.rpm fa135453f382fbec701fbe52ce6a0ef93cdf2d6804b476d42072c54e9eda0eca
x86_64 gnome-color-manager-3.28.0-3.el8.x86_64.rpm 5562b6fd85deb21cc2e1743be4262f77f657aff45005ec6402fa0f9bc7ae887f
x86_64 exiv2-devel-0.27.2-5.el8.x86_64.rpm bc682739258faf1b46be75a0fe3d28c365a712aae74e0856abbaf6e1b9a54971
x86_64 libgexiv2-devel-0.10.8-4.el8.x86_64.rpm bca558862faf4fab0f57d2950e6dae8ec7d0d5df3eb8a370dad113350e51066b
x86_64 libgexiv2-0.10.8-4.el8.x86_64.rpm c005a02033c5f7e6a6bc0761ab6506343a21b1318f1dbee38f09409934a5eddc
x86_64 gegl-0.2.0-39.el8.x86_64.rpm f3ae9cfb955cea91000d09b8335d905b3865e539cbbb97953117615f565d1fa2
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.