Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 785646 (CVE-2021-29457, CVE-2021-29458, CVE-2021-29463, CVE-2021-29464, CVE-2021-29470, CVE-2021-29473, CVE-2021-29623, CVE-2021-31291, CVE-2021-31292, CVE-2021-32617)

Summary: <media-gfx/exiv2-0.27.4: Multiple vulnerabilities (CVE-2021-{29457,29458,29470,29473,29463,29464,29623,31291,31292,32617})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+]
Package list:
media-gfx/exiv2-0.27.4-r1
Runtime testing required: ---
Bug Depends on: 799692    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-25 16:56:00 UTC
* CVE-2021-29470

Description:
"An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj

* CVE-2021-29458

Description:
"An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-25 17:23:28 UTC
* CVE-2021-29457

Description:
"A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-28 21:14:55 UTC
* CVE-2021-29473

Description:
"An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4."

CONFIRM:https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-03 17:52:06 UTC
* CVE-2021-29463

Description:
"An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr

* CVE-2021-29464

Description:

"A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:15:24 UTC
* CVE-2021-29623

Description:
"A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 05:56:55 UTC
* CVE-2021-32617

Description:
"An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `rm`."

https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
Comment 6 Larry the Git Cow gentoo-dev 2021-06-20 20:53:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd8ae2f9ca37af01f66e7dd91713cfaab3fc8694

commit bd8ae2f9ca37af01f66e7dd91713cfaab3fc8694
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-20 20:40:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-20 20:53:43 +0000

    media-gfx/exiv2: add 0.27.4
    
    Bug: https://bugs.gentoo.org/785646
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/exiv2/Manifest                           |   1 +
 media-gfx/exiv2/exiv2-0.27.4.ebuild                | 115 +++++++++++++++++++++
 .../exiv2/files/exiv2-0.27.4-gtest-1.11.patch      |  32 ++++++
 3 files changed, 148 insertions(+)
Comment 7 Rolf Eike Beer archtester 2021-07-31 19:34:00 UTC
sparc stable
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 18:40:35 UTC
CVE-2021-31291:

A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata.

CVE-2021-31292:

An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata.

Both fixes in 0.27.4.
Comment 9 ernsteiswuerfel archtester 2021-08-07 14:54:08 UTC
Looking good on ppc64.

 # cat exiv2-785646.report 
USE tests started on Sa 7. Aug 16:30:45 CEST 2021

FEATURES=' test' USE='' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples nls -png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls -png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc -examples -nls -png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples -nls -png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc -examples nls -png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls -png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples -nls png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc -examples -nls -png webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples nls -png webready xmp' succeeded for =media-gfx/exiv2-0.27.4

revdep tests started on Sa 7. Aug 16:50:17 CEST 2021

FEATURES=' test' USE='python' succeeded for media-libs/gexiv2
FEATURES=' test' USE='' succeeded for media-libs/libextractor
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 15:01:39 UTC
ppc64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 15:01:55 UTC
(In reply to ernsteiswuerfel from comment #9)
> Looking good on ppc64.
> 

Thanks!
Comment 12 ernsteiswuerfel archtester 2021-08-07 16:34:11 UTC
Looking good on ppc.

 # cat exiv2-785646.report 
USE tests started on Sa 7. Aug 17:40:13 CEST 2021

FEATURES=' test' USE='' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc -examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples -nls png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples -nls -png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc -examples nls -png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples -nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='-doc examples -nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples nls -png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples nls png -webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc -examples -nls -png webready xmp' succeeded for =media-gfx/exiv2-0.27.4
USE='doc examples -nls -png webready xmp' succeeded for =media-gfx/exiv2-0.27.4

revdep tests started on Sa 7. Aug 18:30:09 CEST 2021

FEATURES=' test' USE='' succeeded for media-libs/libextractor
FEATURES=' test' USE='python' succeeded for media-libs/gexiv2
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-09 01:19:47 UTC
ppc done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-27 19:58:48 UTC
amd64 done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-27 19:59:58 UTC
x86 done
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-03 01:52:55 UTC
arm done
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-03 01:53:02 UTC
arm64 done

all arches done
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-03 01:54:23 UTC
Please cleanup, thanks!
Comment 19 Larry the Git Cow gentoo-dev 2021-09-03 06:47:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e1bf48a0f30b20662d158e1a14127c0749f57d2

commit 8e1bf48a0f30b20662d158e1a14127c0749f57d2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-09-03 06:38:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-09-03 06:47:18 +0000

    media-gfx/exiv2: Drop vulnerable 0.27.3
    
    Bug: https://bugs.gentoo.org/785646
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/exiv2/Manifest            |   1 -
 media-gfx/exiv2/exiv2-0.27.3.ebuild | 102 ------------------------------------
 2 files changed, 103 deletions(-)
Comment 20 Andreas Sturmlechner gentoo-dev 2021-09-03 10:25:47 UTC
kde proj is done here.
Comment 21 NATTkA bot gentoo-dev 2021-09-03 18:00:40 UTC
Unable to check for sanity:

> no match for package: media-gfx/exiv2-0.27.4-r1
Comment 22 Larry the Git Cow gentoo-dev 2023-12-22 09:23:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ac054647254eb13d0b84b78ceab28ba69d92c404

commit ac054647254eb13d0b84b78ceab28ba69d92c404
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-22 09:22:44 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-22 09:23:49 +0000

    [ GLSA 202312-06 ] Exiv2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/785646
    Bug: https://bugs.gentoo.org/807346
    Bug: https://bugs.gentoo.org/917650
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-06.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)