
Bug 655958 (CVE-2018-11037)

Summary: <media-gfx/exiv2-0.26_p20180811-r1: SEGV on Exiv2::PngImage::printStructure
Product: Gentoo Security Reporter: Dimitris Nakos (sokan) <sokan>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/Exiv2/exiv2/issues/307
Whiteboard: B3 [glsa++ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 658236    
Bug Blocks:    

Description Dimitris Nakos (sokan) 2018-05-17 13:20:01 UTC
The Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file. 

-Gentoo Security Padawan-
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-05-29 13:15:01 UTC
This is still pending upstream and has been recently marked as a TODO item for 0.27.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-21 07:30:57 UTC
Closed as not reproducible: https://github.com/Exiv2/exiv2/issues/307#issuecomment-422579116
Comment 3 Andreas Sturmlechner gentoo-dev 2018-09-21 15:09:17 UTC
This should also be fixed since disabling printStructure() in https://github.com/Exiv2/exiv2/pull/180 (bug 647810, media-gfx/exiv2-0.26_p20180811-r2).
Comment 4 Andreas Sturmlechner gentoo-dev 2018-11-11 22:26:43 UTC
Cleanup/KDE done here.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2018-11-13 06:44:34 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:46:10 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:47:13 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).