(https://nvd.nist.gov/vuln/detail/CVE-2019-9144): An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. Upstream Reference: https://github.com/Exiv2/exiv2/issues/712 (https://nvd.nist.gov/vuln/detail/CVE-2019-9143): An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. Upstream Reference: https://github.com/Exiv2/exiv2/issues/711 Gentoo Security Padawan (domhnall)
With media-gfx/exiv2-0.27.0-r2 we are not affected: $ exiv2 -b -u -k -p R pr exiv2: Action not available in Release mode: 'R' Cleanup currently depends on darktable-2.6.0 stabilisation.
@maintainers, please drop the vulnerable
Cleanup done.
(In reply to Michael Palimaka (kensington) from comment #3) > Cleanup done. Thanks, Michael!
CVE-2018-19535 (https://github.com/Exiv2/exiv2/issues/428): In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file. CVE-2018-19108 (https://github.com/Exiv2/exiv2/issues/426): In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file. CVE-2018-17581 (https://github.com/Exiv2/exiv2/issues/460): CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.
