Debian has issued an advisory on August 13: https://www.debian.org/security/2021/dsa-4958 The issue is fixed upstream in 0.27.4.
Status comment: (none) => Fixed upstream in 0.27.4
Ubuntu has issued an advisory on August 17: https://ubuntu.com/security/notices/USN-5043-1 Several more security issues are fixed upstream in 0.27.5.
Summary: exiv2 new security issue CVE-2021-31292 => exiv2 new security issues CVE-2021-31292, CVE-2021-32815, CVE-2021-3433[45], CVE-2021-3761[5689], CVE-2021-3762[0-3]
Version: 8 => Cauldron
Status comment: Fixed upstream in 0.27.4 => Fixed upstream in 0.27.5
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this on August 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
The patch for CVE-2021-29458 is also for CVE-2021-31292 so CVE-2021-31292 is already fixed.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when modifying the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fi`. (CVE-2021-32815)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. (CVE-2021-34334)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception (FPE) due to an integer divide by zero was found in Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). (CVE-2021-34335)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). (CVE-2021-37615)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found in Exiv2 versions v0.27.4 and earlier. The null pointer dereference is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the interpreted (translated) data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p t` or `-P t`). (CVE-2021-37616)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). (CVE-2021-37618)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. (CVE-2021-37619)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. (CVE-2021-37620)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). (CVE-2021-37621)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). (CVE-2021-37622)

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). (CVE-2021-37623)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37621
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37623
https://ubuntu.com/security/notices/USN-5043-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/
========================

Updated packages in core/updates_testing:
========================
exiv2-0.27.3-1.3.mga8
exiv2-doc-0.27.3-1.3.mga8
lib(64)exiv2_27-0.27.3-1.3.mga8
lib(64)exiv2-devel-0.27.3-1.3.mga8

from SRPM:
exiv2-0.27.3-1.3.mga8.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 0.27.5 => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
mga8, x64

Picked 3 of the CVE reports at random and followed up some links. The upstream reports all seem to follow the same pattern, not providing specific details to reproduce the regressions or vulnerabilities. Those mentioned in the advisory above are too vague for us to use.

All four packages installed before updating. Carrying on with this later.
CC: (none) => tarazed25
The four packages updated fine from the local repository.

Used tests from bug 29325.

Inserted comment string in an image.
$ exiv2 -c "Orphan Black" Tatiana.png

Read it back:
$ exiv2 -pc Tatiana.png
Orphan Black

$ strace -o thumb.trace gthumb
Selected a Pictures directory and browsed files; examined metadata like RGB profiles.
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 26
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 25
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=156248, ...}) = 0

Ran strace on darktable, modified metadata (title and description).
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3

Good enough.
Whiteboard: (none) => MGA8-64-OK
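The suggested advisory above names, for each CVE, the exiv2 operation that reaches the buggy code (`-p t`, `-p C`, `-d I rm`, `fi`, `insert`, or a plain read), while the QA run in the previous comment only exercised comment insertion and checked that gthumb and darktable load the updated library. The script below is an added example, written for this page and not taken from the bug report, from Mageia QA or from the exiv2 project: it drives the packaged `exiv2` binary through every operation the advisory lists, each on a fresh copy of a caller-supplied image (the image path and the 10-second limit are assumptions), and classifies each run from its exit status so that an assertion failure, FPE, segfault or hang shows up as a verdict instead of scrolling past. A clean result before and after the update is the regression check; a crash or hang on the old package and a clean run on the new one is the closest thing to a reproduction the vague upstream reports allow.

```shell
#!/bin/sh
# Added example: smoke-test the exiv2 CLI on the code paths named in the
# advisory (not part of the bug report or of exiv2). Usage:
#   TIMEOUT_SECS=10 sh exiv2-smoke.sh /path/to/image.jpg
# The image path is an assumption supplied by the caller.

TIMEOUT_SECS=${TIMEOUT_SECS:-10}   # assumed limit for "hang" detection

# Map an exit status to what it means when hunting for crashes:
#   0             exiv2 finished normally
#   124           GNU timeout expired: a possible infinite loop
#   128 + signal  killed by a signal: SIGABRT=134 (assertion failure),
#                 SIGFPE=136 (divide by zero), SIGSEGV=139 (null deref,
#                 out-of-bounds read that hit an unmapped page)
#   anything else exiv2's own error exit (unsupported file, no sidecar...)
classify_status() {
    case "$1" in
        0) echo ok ;;
        124) echo hang ;;
        129|13[0-9]|14[0-9]|15[0-9]) echo crash ;;
        *) echo error ;;
    esac
}

# run_case LABEL CMD...: run CMD under the timeout (when GNU timeout is
# available), print a one-line verdict and succeed only when the tool
# neither crashed nor hung. A plain error exit is acceptable: the advisory
# describes denial of service, not a refusal to process an odd file.
run_case() {
    label=$1; shift
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" "$@" >/dev/null 2>&1 || rc=$?
    else
        "$@" >/dev/null 2>&1 || rc=$?
    fi
    verdict=$(classify_status "$rc")
    printf '%-26s %-6s (exit %s)\n' "$label" "$verdict" "$rc"
    case $verdict in ok|error) return 0 ;; *) return 1 ;; esac
}

# exercise_exiv2 IMAGE: run every operation the advisory names, each on a
# fresh copy because several of them rewrite the file in place. Returns the
# number of crashes/hangs observed (0 means the run was clean).
exercise_exiv2() {
    img=$1
    tmp=$(mktemp -d) || return 1
    failures=0
    for step in read ptrans picc deliptc fixiso insert; do
        work=$tmp/$(basename "$img")
        cp "$img" "$work" || { rm -rf "$tmp"; return 1; }
        bad=0
        case $step in
            read)    # CVE-2021-34334, CVE-2021-37620: plain metadata read
                run_case 'read metadata' exiv2 "$work" || bad=1 ;;
            ptrans)  # CVE-2021-34335, CVE-2021-37615, CVE-2021-37616
                run_case 'print translated (-p t)' exiv2 -p t "$work" || bad=1 ;;
            picc)    # CVE-2021-37618, CVE-2021-37621: ICC profile printing
                run_case 'print ICC profile (-p C)' exiv2 -p C "$work" || bad=1 ;;
            deliptc) # CVE-2021-37622, CVE-2021-37623: delete IPTC data
                run_case 'delete IPTC (-d I rm)' exiv2 -d I rm "$work" || bad=1 ;;
            fixiso)  # CVE-2021-32815: the fixiso ("fi") modify action
                run_case 'fixiso (fi)' exiv2 fi "$work" || bad=1 ;;
            insert)  # CVE-2021-37619: write metadata back from a sidecar;
                     # extract one first so "insert" has something to read
                exiv2 -e a "$work" >/dev/null 2>&1 || true
                run_case 'insert metadata' exiv2 insert "$work" || bad=1 ;;
        esac
        failures=$((failures + bad))
    done
    rm -rf "$tmp"
    return "$failures"
}

if [ -n "${1:-}" ] && command -v exiv2 >/dev/null 2>&1; then
    exercise_exiv2 "$1"
fi
```

Run it once against a handful of images from the crafted-file corpora upstream fuzzing produces (or, failing that, ordinary JPEG, PNG and TIFF files) with the old package installed, then again after updating; only the crash and hang verdicts matter, because an `error` verdict is just exiv2 rejecting the input.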
Validating. Extensive advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0415.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED