Bug 942164 (CVE-2024-39695) - <media-gfx/exiv2-0.28.3: out of bounds read in AsfVideo::streamProperties
Summary: <media-gfx/exiv2-0.28.3: out of bounds read in AsfVideo::streamProperties
Status: CONFIRMED
Alias: CVE-2024-39695
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/Exiv2/exiv2/securi...
Whiteboard: A4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-25 21:20 UTC by Christopher Fore
Modified: 2024-10-31 22:04 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Christopher Fore 2024-10-25 21:20:51 UTC
CVE-2024-39695:

An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0 (see #2416), so Exiv2 versions before v0.28 are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file.


The above only affects 0.28.x.
Comment 1 Andreas Sturmlechner gentoo-dev 2024-10-31 22:04:56 UTC
Cleanup of <0.28.3 was already done on Oct 7th.