Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679486 (CVE-2019-9143, CVE-2019-9144) - <media-gfx/exiv2-0.27.0: multiple vulnerabilities
Summary: <media-gfx/exiv2-0.27.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-9143, CVE-2019-9144
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 678426
Blocks:
  Show dependency tree
 
Reported: 2019-03-05 01:53 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-11 06:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-03-05 01:53:50 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-9144):
An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Upstream Reference: https://github.com/Exiv2/exiv2/issues/712


(https://nvd.nist.gov/vuln/detail/CVE-2019-9143):
An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Upstream Reference: https://github.com/Exiv2/exiv2/issues/711



Gentoo Security Padawan
(domhnall)
Comment 1 Andreas Sturmlechner gentoo-dev 2019-03-06 17:59:36 UTC
With media-gfx/exiv2-0.27.0-r2 we are not affected:

$ exiv2 -b -u -k -p R pr
exiv2: Action not available in Release mode: 'R'

Cleanup currently depends on darktable-2.6.0 stabilisation.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-11 04:07:29 UTC
@maintainers, please drop the vulnerable
Comment 3 Michael Palimaka (kensington) gentoo-dev 2019-03-11 06:15:18 UTC
Cleanup done.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-11 06:33:41 UTC
(In reply to Michael Palimaka (kensington) from comment #3)
> Cleanup done.

Thanks, Michael!