624638 – (CVE-2017-9953) <media-gfx/exiv2-0.26_p20171104: Segmentation fault in Image::printIFDStructure (CVE-2017-9953)

Bug 624638 (CVE-2017-9953) - <media-gfx/exiv2-0.26_p20171104: Segmentation fault in Image::printIFDStructure (CVE-2017-9953)

Summary: <media-gfx/exiv2-0.26_p20171104: Segmentation fault in Image::printIFDStructu...

Status:	RESOLVED FIXED

Alias:	CVE-2017-9953

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/Exiv2/exiv2/issues...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-07-12 07:05 UTC by Aleksandr Wagner (Kivak)
Modified:	2018-03-27 01:54 UTC (History)
CC List:	1 user (show)

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=1465061
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-07-12 07:05:56 UTC

There is an invalid free in Image::printIFDStructure that leads to a Segmentation fault in Exiv2 0.26. A crafted input will lead to a remote denial of service attack.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1465061

Comment 1 Andreas Sturmlechner gentoo-dev

2018-02-16 23:08:24 UTC

Red Hat is not upstream for this.

Comment 2 Andreas Sturmlechner gentoo-dev

2018-02-16 23:16:10 UTC

Our snapshot of 0.26 is not vulnerable to this particular bug.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-03-27 01:54:55 UTC

GLSA Vote: No