Bug 701902 (CVE-2019-14368, CVE-2019-14369, CVE-2019-14370, CVE-2019-17402, CVE-2019-20421) - <media-gfx/exiv2-0.27.3: Multiple vulnerabilities (CVE-2019-{14368,14369,14370,17402,20421})
Summary: <media-gfx/exiv2-0.27.3: Multiple vulnerabilities (CVE-2019-{14368,14369,1437...
Status: RESOLVED FIXED
Alias: CVE-2019-14368, CVE-2019-14369, CVE-2019-14370, CVE-2019-17402, CVE-2019-20421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/Exiv2/exiv2/issues...
Whiteboard: B3 [nogsla cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-03 17:58 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-18 20:56 UTC

See Also:
Package list:
=media-gfx/exiv2-0.27.3 amd64 arm arm64 ppc ppc64 sparc x86
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-03 17:58:49 UTC
CVE-2019-17402 (https://nvd.nist.gov/vuln/detail/CVE-2019-17402):
  Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
  types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in
  crwimage_int.cpp, because there is no validation of the relationship of the
  total size to the offset and size.
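
The kind of validation the CVE-2019-17402 text says was missing, as an added example (not Exiv2's code and not part of this bug report): a directory entry's offset and size are checked against the total buffer size before anything is read. The `Entry` layout, byte order and function names are assumptions for illustration; the additive check is included only to contrast a common pitfall with the overflow-safe form.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical, simplified directory entry (not the real CIFF layout):
// a data block located by offset and size inside a buffer of known total size.
struct Entry {
    uint32_t offset;
    uint32_t size;
};

// Pitfall for contrast: the 32-bit sum can wrap, so a huge offset passes.
bool naiveInBounds(uint32_t offset, uint32_t size, size_t total) {
    uint32_t end = offset + size;  // wraps modulo 2^32
    return end <= total;
}

// Overflow-safe check: [offset, offset + size) must lie inside `total` bytes.
// Uses subtraction so the sum is never computed.
bool rangeInBounds(uint32_t offset, uint32_t size, size_t total) {
    return offset <= total && size <= total - offset;
}

// Reads a little-endian 32-bit value at `pos`; fails instead of over-reading.
bool readU32LE(const std::vector<uint8_t>& buf, size_t pos, uint32_t& out) {
    if (buf.size() < 4 || pos > buf.size() - 4) return false;
    out = uint32_t(buf[pos]) | (uint32_t(buf[pos + 1]) << 8) |
          (uint32_t(buf[pos + 2]) << 16) | (uint32_t(buf[pos + 3]) << 24);
    return true;
}

// Parses one entry (assumed layout: 32-bit size, then 32-bit offset) and
// validates it against the total size before any caller touches the data.
bool parseEntry(const std::vector<uint8_t>& buf, size_t pos, Entry& out) {
    uint32_t size = 0, offset = 0;
    if (!readU32LE(buf, pos, size)) return false;
    if (!readU32LE(buf, pos + 4, offset)) return false;
    if (!rangeInBounds(offset, size, buf.size())) return false;
    out.offset = offset;
    out.size = size;
    return true;
}
```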
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 05:38:53 UTC
CVE-2019-20421 (https://nvd.nist.gov/vuln/detail/CVE-2019-20421):
  In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file
  can result in an infinite loop and hang, with high CPU consumption. Remote
  attackers could leverage this vulnerability to cause a denial of service via
  a crafted file.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 05:39:38 UTC
@maintainer(s): ping
Comment 4 Andreas Sturmlechner gentoo-dev 2020-04-17 09:50:37 UTC
Issue is not solved so I'm wondering what the ping is about.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 16:10:34 UTC
(In reply to Andreas Sturmlechner from comment #4)
> Issue is not solved so I'm wondering what the ping is about.

There are patches available for both CVEs (linked in the CVE ref) but you may prefer to wait for a release.

I guess we may as well wait given there is more activity now on the 0.27.3 release branch pending.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:15:05 UTC
CVE-2019-14370 (https://nvd.nist.gov/vuln/detail/CVE-2019-14370):
  In Exiv2 0.27.99.0, there is an out-of-bounds read in
  Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial
  of service.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 23:15:47 UTC
(In reply to GLSAMaker/CVETool Bot from comment #6)
> CVE-2019-14370 (https://nvd.nist.gov/vuln/detail/CVE-2019-14370):
>   In Exiv2 0.27.99.0, there is an out-of-bounds read in
>   Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial
>   of service.

Bug: https://github.com/Exiv2/exiv2/issues/954

Looks fixed in master.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:16:16 UTC
CVE-2019-14369 (https://nvd.nist.gov/vuln/detail/CVE-2019-14369):
  Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows
  attackers to cause a denial of service (heap-based buffer over-read) via a
  crafted image file.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:16:31 UTC
CVE-2019-14368 (https://nvd.nist.gov/vuln/detail/CVE-2019-14368):
  Exiv2 0.27.99.0 has a heap-based buffer over-read in
  Exiv2::RafImage::readMetadata() in rafimage.cpp.
Comment 10 Larry the Git Cow gentoo-dev 2020-07-01 19:08:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9056211f5f9ea47334f8ca4aeaab38b9ce173163

commit 9056211f5f9ea47334f8ca4aeaab38b9ce173163
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-07-01 19:00:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-01 19:00:56 +0000

    media-gfx/exiv2: 0.27.3 version bump
    
    Bug: https://bugs.gentoo.org/701902
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/exiv2/Manifest                                         | 2 +-
 media-gfx/exiv2/{exiv2-0.27.3_rc2.ebuild => exiv2-0.27.3.ebuild} | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-01 20:15:48 UTC
Tell us when ready, but I imagine it'll be a little bit.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-10 14:48:33 UTC
arm64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-11 20:00:16 UTC
ppc64 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-12 00:16:55 UTC
sparc stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-13 18:27:49 UTC
arm stable
Comment 16 ernsteiswuerfel archtester 2020-07-14 23:17:22 UTC
Looking good on ppc.

 # cat exiv2-701902.report 
USE tests started on Mi 15. Jul 00:40:41 CEST 2020

FEATURES=' test' USE='' succeeded for =media-gfx/exiv2-0.27.3
USE='doc -examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc examples nls -png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='-doc -examples -nls png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='-doc -examples nls png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc -examples nls png -webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='-doc -examples nls -png webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc -examples -nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='-doc examples -nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc examples -nls png webready -xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc examples nls png -webready xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='doc -examples nls -png webready xmp' succeeded for =media-gfx/exiv2-0.27.3
USE='-doc -examples nls png webready xmp' succeeded for =media-gfx/exiv2-0.27.3

revdep tests started on Mi 15. Jul 01:05:02 CEST 2020

FEATURES=' test' USE='' succeeded for media-libs/libextractor
FEATURES=' test' USE='' succeeded for media-gfx/ufraw
FEATURES=' test' USE='python' succeeded for media-libs/gexiv2
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-15 06:54:41 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 18 Agostino Sarubbo gentoo-dev 2020-07-17 07:21:44 UTC
amd64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2020-07-17 07:45:45 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Larry the Git Cow gentoo-dev 2020-07-18 08:41:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d590f5ec305ccd3c2bb60f38f0fd47167f4dd3e

commit 3d590f5ec305ccd3c2bb60f38f0fd47167f4dd3e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-07-18 01:00:22 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-07-18 08:31:58 +0000

    media-gfx/exiv2: Drop vulnerable 0.27.2
    
    Bug: https://bugs.gentoo.org/701902
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/exiv2/Manifest                           |   1 -
 media-gfx/exiv2/exiv2-0.27.2.ebuild                | 104 ---------------------
 .../exiv2/files/exiv2-0.27.2-libssh-0.9.2.patch    |  56 -----------
 3 files changed, 161 deletions(-)
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 20:56:07 UTC
GLSA vote: no!

Closing.