CVE-2017-18238 (https://nvd.nist.gov/vuln/detail/CVE-2017-18238): An issue was discovered in Exempi before 2.4.4. The TradQT_Manager::ParseCachedBoxes function in XMPFiles/source/FormatSupport/QuickTime_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .qt file. CVE-2017-18237 (https://nvd.nist.gov/vuln/detail/CVE-2017-18237): An issue was discovered in Exempi before 2.4.3. The PostScript_Support::ConvertToDate function in XMPFiles/source/FormatSupport/PostScript_Support.cpp allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via a crafted .ps file. CVE-2017-18236 (https://nvd.nist.gov/vuln/detail/CVE-2017-18236): An issue was discovered in Exempi before 2.4.4. The ASF_Support::ReadHeaderObject function in XMPFiles/source/FormatSupport/ASF_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted .asf file. CVE-2017-18235 (https://nvd.nist.gov/vuln/detail/CVE-2017-18235): An issue was discovered in Exempi before 2.4.3. The VPXChunk class in XMPFiles/source/FormatSupport/WEBP_Support.cpp does not ensure nonzero widths and heights, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted .webp file. CVE-2017-18234 (https://nvd.nist.gov/vuln/detail/CVE-2017-18234): An issue was discovered in Exempi before 2.4.3. It allows remote attackers to cause a denial of service (invalid memcpy with resultant use-after-free) or possibly have unspecified other impact via a .pdf file containing JPEG data, related to XMPFiles/source/FormatSupport/ReconcileTIFF.cpp, XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and XMPFiles/source/FormatSupport/TIFF_Support.hpp. CVE-2017-18233 (https://nvd.nist.gov/vuln/detail/CVE-2017-18233): An issue was discovered in Exempi before 2.4.4. Integer overflow in the Chunk class in XMPFiles/source/FormatSupport/RIFF.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .avi file.
All referenced CVE as shipped in 2.4.5 after tracking references between NVD, upstream bugzilla and git.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b566633d73ffee4a83dd4ed6cf2c411a297b3763 commit b566633d73ffee4a83dd4ed6cf2c411a297b3763 Author: Gilles Dartiguelongue <eva@gentoo.org> AuthorDate: 2018-03-25 21:21:23 +0000 Commit: Gilles Dartiguelongue <eva@gentoo.org> CommitDate: 2018-03-25 21:32:58 +0000 media-libs/exempi: version bump to 2.4.5 fixing multiple security issues Bug: https://bugs.gentoo.org/649950 Bug: https://bugs.gentoo.org/650714 Package-Manager: Portage-2.3.24, Repoman-2.3.6 media-libs/exempi/Manifest | 1 + media-libs/exempi/exempi-2.4.5.ebuild | 52 +++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+)}
@maintainer(s), please call for stable when ready.
ia64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a2f56b3cd43cccaa391bd1cb14ed63e332f9783 commit 3a2f56b3cd43cccaa391bd1cb14ed63e332f9783 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-03-29 01:47:17 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-03-29 01:47:17 +0000 media-libs/exempi: amd64 stable Bug: https://bugs.gentoo.org/650714 Package-Manager: Portage-2.3.26, Repoman-2.3.7 media-libs/exempi/exempi-2.4.5.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
x86 stable
Stable on alpha.
ppc stable
ppc64 stable
arm stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bf9aef2430d9e45ba04da79933eacf36088646f commit 5bf9aef2430d9e45ba04da79933eacf36088646f Author: Rolf Eike Beer <eike@sf-mail.de> AuthorDate: 2018-04-16 16:49:57 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-04-16 18:35:29 +0000 media-libs/exempi: stable 2.4.5 for sparc Bug: https://bugs.gentoo.org/650714 Package-Manager: Portage-2.3.24, Repoman-2.3.6 RepoMan-Options: --include-arches="sparc" media-libs/exempi/exempi-2.4.5.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
hppa stable
GLSA Vote: No @maintainer(s), please drop the vulnerable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fb773267d167d1914e2260c25ef225c4019f832 commit 6fb773267d167d1914e2260c25ef225c4019f832 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-05-14 23:10:13 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-05-15 00:21:28 +0000 media-libs/exempi: drop vulnerable Bug: https://bugs.gentoo.org/650714 Package-Manager: Portage-2.3.36, Repoman-2.3.9 Closes: https://github.com/gentoo/gentoo/pull/8408 media-libs/exempi/Manifest | 2 -- media-libs/exempi/exempi-2.2.1.ebuild | 48 -------------------------------- media-libs/exempi/exempi-2.4.2.ebuild | 52 ----------------------------------- 3 files changed, 102 deletions(-)
