626352 – (CVE-2017-11683) <media-gfx/exiv2-0.26_p20171018: remote denial of service attack via crafted input (CVE-2017-11683)

Bug 626352 (CVE-2017-11683) - <media-gfx/exiv2-0.26_p20171018: remote denial of service attack via crafted input (CVE-2017-11683)

Summary: <media-gfx/exiv2-0.26_p20171018: remote denial of service attack via crafted ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-11683

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:	CVE-2017-11336, CVE-2017-11337, CVE-2017-11338, CVE-2017-11339, CVE-2017-11340
	Show dependency tree

Reported:	2017-07-27 10:45 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2018-01-08 00:22 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-27 10:45:22 UTC

From URL:

There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.

Comment 1 Andreas Sturmlechner gentoo-dev

2017-11-05 13:22:01 UTC

Fixed in >=media-gfx/exiv2-0.26_p20171018.

Comment 2 Andreas Sturmlechner gentoo-dev

2017-11-19 15:31:54 UTC

Cleanup done in git commit cdb23e8b3608be50daebdeb5d904b179a58d8339

Comment 3 D'juan McDonald (domhnall) 2018-01-05 17:08:07 UTC

New GLSA request filed.


Gentoo Security Padawan
(Jmbailey/mbailey_j)

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-01-08 00:22:49 UTC

Downgrading to B3, DoS only.

Repository is clean, all done.