Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647812 (CVE-2017-17723) - <media-gfx/exiv2-0.26_p20180811: heap-based buffer over-read in Exiv2::Image::byteSwap4 in image.cpp (CVE-2017-17723)
Summary: <media-gfx/exiv2-0.26_p20180811: heap-based buffer over-read in Exiv2::Image:...
Status: RESOLVED FIXED
Alias: CVE-2017-17723
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/Exiv2/exiv2/issues...
Whiteboard: B3 [glsa++ cve]
Keywords:
Depends on: CVE-2018-10780, CVE-2018-10998, CVE-2018-10999, CVE-2018-11531, CVE-2018-12264, CVE-2018-12265
Blocks:
  Show dependency tree
 
Reported: 2018-02-16 01:01 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-24 21:46 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/exiv2-0.26_p20180811
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-16 01:01:09 UTC
CVE-2017-17723 (https://nvd.nist.gov/vuln/detail/CVE-2017-17723):
  In Exiv2 0.26, there is a heap-based buffer over-read in the
  Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit
  this vulnerability to disclose memory data or cause a denial of service via
  a crafted TIFF file.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-09-16 00:30:38 UTC
Fixed by: https://github.com/Exiv2/exiv2/commit/36df4bc997d74ecc447e4541e2fc3fda10586103
Comment 2 Larry the Git Cow gentoo-dev 2018-09-18 20:54:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f33aacc28aa4a62c2123dbbecfbdb911dd4ba470

commit f33aacc28aa4a62c2123dbbecfbdb911dd4ba470
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 20:45:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 20:53:50 +0000

    media-gfx/exiv2: Add 0.26_p20180811 snapshot
    
    Custom packed tarball based on upstream 0.26 branch as of 2018-08-11,
    fixing CVE-2018-12264, CVE-2018-12265,
    with downstream updated config.{guess,sub} and fixed CVE-2017-17723.
    
    Bug: https://bugs.gentoo.org/647812
    Bug: https://bugs.gentoo.org/658236
    Closes: https://bugs.gentoo.org/663870
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-gfx/exiv2/Manifest                    |   1 +
 media-gfx/exiv2/exiv2-0.26_p20180811.ebuild | 123 ++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-11-11 22:27:40 UTC
Cleanup/KDE done here.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2018-11-13 06:46:52 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:45:41 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:46:42 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).