Bug 22075

Summary: exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[3-5], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581}
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, marja11, mhrambo3501
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: exiv2-0.26-2.2.mga6.src.rpm CVE:
Status comment: Not fixed upstream as of end of 2017
Bug Depends on: 25280    
Bug Blocks:    

Description David Walser 2017-11-23 19:03:47 CET 
CVEs have been assigned for a few security issues in exiv2:
http://openwall.com/lists/oss-security/2017/11/23/2

It appears that fixes for these issues and perhaps some others should be forthcoming as a new developer has taken over upstream.
David Walser 2017-11-23 19:03:57 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-11-23 19:34:31 CET 
Assigning to the registered maintainer.

Assignee: bugsquad => pterjan
CC: (none) => marja11

Comment 2 David Walser 2017-12-28 19:10:51 CET 
No fixes yet, so we won't be able to fix this for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:22:39 CET

Status comment: (none) => Not fixed upstream as of end of 2017

Comment 3 Mike Rambo 2018-04-13 16:01:52 CEST 
FWIW, I have found patches for CVE-2017-1000126 and CVE-2017-1000128. I finally found (been watching this awhile now) where they mentioned CVE-2017-1000127 has been fixed but they did not link any specific patch for the fix. In addition, there are fixes for CVE-2017-14865 and CVE-2017-18005 which I don't think we've picked up plus a single patch which is said to fix CVE-2017-[9953,14858,14861,14863,14866]. The problem is that most of the patches are against their master instead of the 0.26 branch and do not apply to .26. I can force at least some of these to apply but I have no confidence they will work right afterward given some of the changes. AFAICS this might need to wait for 0.27 which they are working to release.

CC: (none) => mrambo

Comment 4 David Walser 2018-04-13 16:23:51 CEST 
See also Bug 22801 and Bug 22871, whose issues might affect this.
Comment 5 David Walser 2018-06-07 20:53:31 CEST 
Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TSFVKTLL2TM4AYXVBIQOLXGBD7WXAQU/

It fixes a few more CVEs in exiv2.

Summary: exiv2 new security issues CVE-2017-100012[6-8] => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772

Comment 6 David Walser 2018-07-03 23:17:11 CEST 
Ubuntu has issued an advisory today (July 3):
https://usn.ubuntu.com/3700-1/

It fixes several additional issues.

Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772 => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45]

Comment 7 David Walser 2018-08-08 15:12:04 CEST 
Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HH6QKTBXFX67VYRDSC4O4U34V237UUKC/

It fixes a few more CVEs in exiv2.

Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-17723, CVE-2017-17725, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45] => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144

Comment 8 David Walser 2018-10-23 17:01:48 CEST 
openSUSE has issued an advisory for two of these issues today (October 23):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00129.html
Comment 9 David Walser 2018-12-26 02:49:28 CET 
SUSE has issued an advisory on November 23:
http://lists.suse.com/pipermail/sle-security-updates/2018-November/004884.html

Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144 => exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144

Comment 10 David Walser 2018-12-29 06:02:08 CET 
I believe these fixes are included upstream in 0.27, which is now in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 11 David Walser 2019-01-14 15:40:38 CET 
Ubuntu has issued an advisory for some of these issues and some new ones on January 10:
https://usn.ubuntu.com/3852-1/

Summary: exiv2 new security issues CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144 => exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581}

Comment 12 David Walser 2019-08-12 00:49:27 CEST 
Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4056-1/

Ran out of room in the bug subject.

Adding:
CVE-2018-1910[78], CVE-2018-19535, CVE-2019-1311[0234]

Depends on: (none) => 25280

Comment 13 Marja Van Waes 2019-08-12 13:15:31 CEST 
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package.
CC'ing one more submitter.

CC: (none) => geiger.david68210
Assignee: pterjan => pkg-bugs

Comment 14 David Walser 2019-08-12 21:13:57 CEST 
RedHat has issued an advisory on August 6:
https://access.redhat.com/errata/RHSA-2019:2101

Also adding CVE-2017-17724, CVE-2018-9305, CVE-2018-10772, CVE-2018-11037, CVE-2018-17282, CVE-2018-17581, CVE-2018-18915, CVE-2018-19607, CVE-2018-2009[6-9].

Summary: exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[35], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336,17581} => ,17581} exiv2 new security issues CVE-2017-9239, CVE-2017-100012[6-8], CVE-2017-1772[3-5], CVE-2017-17669, CVE-2018-5772, CVE-2018-10958, CVE-2018-1099[89], CVE-2018-11531, CVE-2018-1226[45], CVE-2018-14046, CVE-2018-897[67], CVE-2018-9144, CVE-2018-{16336

Comment 15 David Walser 2019-10-31 05:06:08 CET 
Mageia 6 is EOL.

Resolution: (none) => OLD
Status: NEW => RESOLVED