RedHat has issued an advisory today (April 28): https://access.redhat.com/errata/RHSA-2020:1577 The issue is fixed upstream in 0.27.2.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file. (CVE-2019-13111)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13111
https://access.redhat.com/errata/RHSA-2020:1577
========================

Updated packages in core/updates_testing:
========================
exiv2-0.27.1-3.4.mga7
lib(64)exiv2_27-0.27.1-3.4.mga7
lib(64)exiv2-devel-0.27.1-3.4.mga7
exiv2-doc-0.27.1-3.4.mga7

from SRPMS:
exiv2-0.27.1-3.4.mga7.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-13111
Assignee: nicolas.salguero => qa-bugs
mga7, x86_64

$ rpm -qa | grep exiv2
exiv2-0.27.1-3.3.mga7
lib64exiv2_27-0.27.1-3.3.mga7
lib64gexiv2_2-0.12.0-3.mga7
lib64kf5exiv2_5-19.04.0-2.mga7

CVE-2019-13111
https://github.com/Exiv2/exiv2/issues/791
Downloaded the test image and renamed it to something more manageable.

$ time exiv2 poc1.jpg
File name       : poc1.jpg
File size       : 28 Bytes
MIME type       : image/webp
Image size      : 0 x 0
poc1.jpg: No Exif data found in the file

real    0m41.758s
user    0m40.012s
sys     0m1.732s

$ ulimit -v 4000000
$ exiv2 poc1.jpg
Uncaught exception: std::bad_alloc

Updated the packages listed on the bug.

$ time exiv2 poc1.jpg
Exiv2 exception in print action for file poc1.jpg:
corrupted image metadata

real    0m0.007s
user    0m0.002s
sys     0m0.005s
<Immediate return>

$ exiv2 poc1.jpg
Exiv2 exception in print action for file poc1.jpg:
corrupted image metadata

The fix is confirmed.

Referring to https://bugs.mageia.org/show_bug.cgi?id=26171 for testing hints.

$ exiv2 -c "QA exiv2 test" SaturnColors_CassiniSchmidt.jpg
$ strings SaturnColors_CassiniSchmidt.jpg | grep QA
QA exiv2 test
$ exiv2 -pc SaturnColors_CassiniSchmidt.jpg | grep QA
QA exiv2 test

$ strace -o thumb.trace gthumb .
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 24
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=148064, ...}) = 0

$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexiv2.so.0.27.1", O_RDONLY) = 3

Good enough - no regressions.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
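Added example, not part of the bug report and not Exiv2's code or its upstream fix: a general RIFF/WebP chunk walker showing the kind of check that turns an oversized chunk length into an immediate "corrupted" result instead of a large allocation. The function name riff_webp_check and both sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples (not the PoC from the bug): a well-formed RIFF/WEBP
 * container, and the same bytes with the chunk length set to 0xFFFFFFF0. */
static const uint8_t ok_file[] = { 'R','I','F','F', 16,0,0,0, 'W','E','B','P',
    'E','X','I','F', 4,0,0,0, 1,2,3,4 };
static const uint8_t bad_file[] = { 'R','I','F','F', 16,0,0,0, 'W','E','B','P',
    'E','X','I','F', 0xF0,0xFF,0xFF,0xFF, 1,2,3,4 };

/* Read an untrusted little-endian 32-bit field. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical helper: returns the number of chunks walked, or -1 if any
 * length field disagrees with the bytes actually present. */
int riff_webp_check(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0)
        return -1;
    uint32_t declared = le32(buf + 4);        /* bytes after the 8-byte header */
    if (declared < 4 || declared > len - 8)   /* header claims more than exists */
        return -1;
    size_t end = 8 + (size_t)declared;
    size_t pos = 12;
    int chunks = 0;
    while (pos < end) {
        if (end - pos < 8) return -1;         /* truncated chunk header */
        uint32_t size = le32(buf + pos + 4);
        pos += 8;
        /* Compare with the bytes remaining. Computing pos + size first could
         * wrap around and pass the check. Nothing is allocated before this. */
        if (size > end - pos) return -1;
        pos += size;
        if ((size & 1) && pos < end) pos++;   /* RIFF pads chunks to even length */
        chunks++;
    }
    return chunks;
}

int main(void) {
    printf("ok_file:  %d\n", riff_webp_check(ok_file, sizeof ok_file));
    printf("bad_file: %d\n", riff_webp_check(bad_file, sizeof bad_file));
    return 0;
}
```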
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0196.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED