Bug 47301

Summary: exiv2: Multiple issues (4.3)
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: Security updates
Assignee: Quality Assurance <qa>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P3    
Version: UCS 4.3   
Target Milestone: UCS 4.3-1-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue
What type of bug is this?: ---
Max CVSS v3 score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Description Philipp Hahn univentionstaff 2018-07-04 13:03:26 CEST
New Debian exiv2 0.25-3.1+deb9u1 fixes:
This update addresses the following issue(s):
CVE_2017-11591 is open
CVE_2017-11683 is open
CVE_2017-14859 is open
CVE_2017-14862 is open
CVE_2017-14864 is open
CVE_2017-17669 is open
CVE_2017-17723 is open
CVE_2017-17725 is open
CVE_2017-18005 is open
CVE_2017-1000128 is open
CVE_2018-8976 is open
CVE_2018-9144 is open
CVE_2018-9145 is undetermined
CVE_2018-10780 is undetermined
* In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. (CVE-2018-10958)
* An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call. (CVE-2018-10998)
* An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read. (CVE-2018-10999)
CVE_2018-11037 is open
* Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp. (CVE-2018-11531)
* Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp, leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp. (CVE-2018-12264)
* Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in preview.cpp, leading to an out-of-bounds read in Exiv2::MemIo::read in basicio.cpp. (CVE-2018-12265)

0.25-3.1+deb9u1 (Wed, 27 Jun 2018 08:09:36 -0400)
  * Non-maintainer upload by the Security Team.
  * CVE-2018-10958: denial of service through memory exhaustion and
    application crash by a crafted PNG image.
  * CVE-2018-10999: a heap-based buffer over-read via a crafted PNG image.
  * CVE-2018-10998: denial of service through memory exhaustion and
    application crash by a crafted image.
  * CVE-2018-11531: a heap-based buffer overflow and application crash by a
    crafted image.
  * CVE-2018-12264: integer overflow leading to out of bounds read by a
  * CVE-2018-12265: integer overflow leading to out of bounds read by a
* CVE-2018-10958 exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() (CVE-2018-10958)
* CVE-2018-10998 exiv2: SIGABRT by triggering an incorrect Safe::add call (CVE-2018-10998)
* CVE-2018-10999 exiv2: heap-based buffer over-read in parseTXTChunk function (CVE-2018-10999)
* CVE-2018-11531 exiv2: heap-based buffer overflow in getData in preview.cpp (CVE-2018-11531)
* CVE-2018-12264 exiv2: integer overflow in getData function in preview.cpp (CVE-2018-12264)
* CVE-2018-12265 exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp (CVE-2018-12265)

Comment 1 Philipp Hahn univentionstaff 2018-07-04 13:24:14 CEST
[4.3-1] 7dff02174e Bug #47301: exiv2 0.25-3.1+deb9u1
 doc/errata/staging/exiv2.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

<http://10.200.17.11/4.3-1/#4074664823671073560>

Comment 2 Arvid Requate univentionstaff 2018-07-04 14:54:13 CEST
<http://errata.software-univention.de/ucs/4.3/128.html>