Bug 225485 - media-gfx/exiv2 <0.17 Nikon Lens Information Printing Denial of Service (CVE-2008-2696)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30519/
Whiteboard: B3 [noglsa]
Reported: 2008-06-08 23:28 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-02 11:13 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-08 23:28:55 UTC
Secunia writes:
A vulnerability has been reported in Exiv2, which potentially can be exploited by malicious people to crash an application using the library.

The vulnerability is caused due to a floating point exception within the pretty printing functionality when processing certain Nikon camera lens information. This can be exploited to crash an application linked against the Exiv2 library when an image containing specially-crafted metadata is processed.

The vulnerability is reported in version 0.16. Other versions may also be affected.

Solution:
Update to version 0.17.

Provided and/or discovered by:
Joakim Bildrulle
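To illustrate the class of defect the advisory describes (an integer division by zero, delivered as SIGFPE, while pretty-printing lens data read from an untrusted file), here is an added example that is not Exiv2's code: a hypothetical MakerNote lens-info printer in its crashable form next to a hardened one. The four-RATIONAL field layout (min focal, max focal, aperture at min, aperture at max) is an assumption made for illustration.

```cpp
// Added example (not Exiv2's code): a simplified MakerNote lens-info
// pretty-printer. The field layout, four TIFF RATIONALs (min focal,
// max focal, aperture at min, aperture at max), is assumed for illustration.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// A TIFF RATIONAL exactly as parsed from the file: both numerator and
// denominator are untrusted and fully attacker-controlled.
struct Rational { uint32_t num; uint32_t den; };

// Crashable form: divides by denominators taken straight from the file.
// An integer division by zero raises SIGFPE on x86 and aborts the host
// process, which is the denial of service the advisory reports.
std::string printLensInfoUnsafe(const std::vector<Rational>& v) {
    std::ostringstream os;
    os << v[0].num / v[0].den << "-" << v[1].num / v[1].den << "mm F"
       << v[2].num / v[2].den << "-" << v[3].num / v[3].den;
    return os.str();
}

// Hardened form: reject a wrong field count and any zero denominator
// before dividing, and fall back to a neutral string instead of crashing.
std::string printLensInfoSafe(const std::vector<Rational>& v) {
    if (v.size() != 4) return "(invalid lens info)";
    for (const Rational& r : v) {
        if (r.den == 0) return "(invalid lens info)";
    }
    std::ostringstream os;
    os << v[0].num / v[0].den << "-" << v[1].num / v[1].den << "mm F"
       << v[2].num / v[2].den << "-" << v[3].num / v[3].den;
    return os.str();
}

int main() {
    // Constructed samples: a normal 24-70mm F4 lens record, and a crafted
    // record whose max-focal denominator is zero.
    std::vector<Rational> good{{24, 1}, {70, 1}, {4, 1}, {4, 1}};
    std::vector<Rational> crafted{{24, 1}, {70, 0}, {4, 1}, {4, 1}};
    std::printf("%s\n", printLensInfoUnsafe(good).c_str());   // 24-70mm F4-4
    std::printf("%s\n", printLensInfoSafe(crafted).c_str());  // (invalid lens info)
    // printLensInfoUnsafe(crafted) would raise SIGFPE and abort the process.
    return 0;
}
```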
Comment 1 Stefan Briesenick (RETIRED) gentoo-dev 2008-06-09 21:40:32 UTC
new version in CVS.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 00:26:27 UTC
Arches, please test and mark stable:
=media-gfx/exiv2-0.17
Target keywords : "alpha amd64 ia64 ppc release sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-10 09:57:38 UTC
x86 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-06-10 14:08:44 UTC
alpha/ia64/sparc stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-10 18:51:24 UTC
ppc stable
Comment 6 Richard Freeman gentoo-dev 2008-06-14 14:37:02 UTC
amd64 stable
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-06-16 16:38:12 UTC
Fixed in release snapshot.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-06-16 22:48:20 UTC
I could not find any daemon applications linking against this library. While I would assume they exist (which would constitute this sec bug), I vote NO for a GLSA.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-02 11:13:22 UTC
what rbu said, thus I vote NO.