Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 534608 (CVE-2014-9449)

Summary: <media-gfx/exiv2-0.24-r1: Buffer overflow vulnerability (CVE-2014-9449)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: pacho
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 13:20:03 UTC
CVE-2014-9449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9449):
  Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp
  in Exiv2 0.24 allows remote attackers to cause a denial of service (crash)
  via a long IKEY INFO tag value in an AVI file.
Comment 1 Pacho Ramos gentoo-dev 2015-01-20 09:57:28 UTC
Fedora is applying this patch already:
http://pkgs.fedoraproject.org/cgit/exiv2.git/plain/exiv2-0.24-CVE-2014-9449.patch
Comment 2 Johannes Huber (RETIRED) gentoo-dev 2015-01-20 21:36:23 UTC
*** Bug 526042 has been marked as a duplicate of this bug. ***
Comment 3 Johannes Huber (RETIRED) gentoo-dev 2015-01-20 21:43:26 UTC
(In reply to Pacho Ramos from comment #1)
> Fedora is applying this patch already:
> http://pkgs.fedoraproject.org/cgit/exiv2.git/plain/exiv2-0.24-CVE-2014-9449.
> patch

Thanks.

+
+  20 Jan 2015; Johannes Huber <johu@gentoo.org> +exiv2-0.24-r1.ebuild,
+  +files/exiv2-0.24-CVE-2014-9449.patch:
+  Revision bump adds patch from fedora to fix CVE-2014-9449, bug #534608. Thanks
+  to Pacho Ramos <pacho@gentoo.org> for spotting the patch.
+

Arches please stabilize =media-gfx/exiv2-0.24-r1
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-21 10:20:05 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-21 10:20:48 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-21 11:19:29 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-25 11:22:15 UTC
alpha stable
Comment 8 Markus Meier gentoo-dev 2015-01-25 21:21:58 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-31 10:32:52 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-16 10:22:16 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-18 08:51:42 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-23 11:37:34 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:51:14 UTC
Maintainer(s), Thank you for you for cleanup.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Johannes Huber (RETIRED) gentoo-dev 2015-05-30 21:10:29 UTC
Cleanup done by Manuel. Removing maintainer from cc then.

+
+  30 May 2015; Manuel RĂ¼ger <mrueg@gentoo.org> -exiv2-0.23-r1.ebuild,
+  -exiv2-0.23-r2.ebuild, -exiv2-0.24.ebuild:
+  Remove old.
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-05-30 23:52:05 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 06:52:30 UTC
This issue was resolved and addressed in
 GLSA 201507-03 at https://security.gentoo.org/glsa/201507-03
by GLSA coordinator Mikle Kolyada (Zlogene).