[ASA-202106-54] exiv2: multiple issues

2021-06-22 00:00:00
security.archlinux.org

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low (percentile 73.0%)

Arch Linux Security Advisory ASA-202106-54

Severity: Low
Date : 2021-06-22
CVE-ID : CVE-2021-3482 CVE-2021-29457 CVE-2021-29458 CVE-2021-29463
CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623
CVE-2021-32617
Package : exiv2
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1772

Summary

The package exiv2 before version 0.27.4-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution

Upgrade to 0.27.4-1.

pacman -Syu "exiv2>=0.27.4-1"

The problems have been fixed upstream in version 0.27.4.
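
A fleet check for the resolution above, as an added example that is not part of the advisory: it flags hosts whose exiv2 package is older than the fixed 0.27.4-1. The host names and inventory lines are constructed, and the `sort -V` fallback is an assumption for audit machines that lack pacman's `vercmp`.

```shell
#!/bin/sh
# Added example (not from the advisory): flag exiv2 builds older than the fix.
FIXED="0.27.4-1"   # fixed package version stated in the advisory

# Print -1, 0 or 1 for $1 <, =, > $2. Prefers pacman's vercmp; the sort -V
# fallback is an approximation for audit hosts that are not running Arch.
ver_cmp() {
  if command -v vercmp >/dev/null 2>&1; then
    vercmp "$1" "$2"
  elif [ "$1" = "$2" ]; then
    echo 0
  elif [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; then
    echo -1
  else
    echo 1
  fi
}

# Classify one "name version" line in the format printed by `pacman -Q`.
classify() {
  set -- $1   # split the line into name ($1) and version ($2)
  if [ "$1" != "exiv2" ] || [ -z "$2" ]; then
    echo "skip"
  elif [ "$(ver_cmp "$2" "$FIXED")" -lt 0 ]; then
    echo "vulnerable"
  else
    echo "fixed"
  fi
}

# Read "host name version" lines on stdin; print hosts that still need the upgrade.
vulnerable_hosts() {
  while read -r host pkg; do
    if [ "$(classify "$pkg")" = "vulnerable" ]; then
      echo "$host"
    fi
  done
  return 0
}

# Constructed inventory, e.g. gathered by running `pacman -Q exiv2` on each host.
INVENTORY='web01 exiv2 0.27.3-2
build02 exiv2 0.27.4-1
thumb03 exiv2 0.27.2-8
mail04 libpng 1.6.37-3'

printf '%s\n' "$INVENTORY" | vulnerable_hosts
```

Hosts that process untrusted images (thumbnailers, upload pipelines) are the ones to prioritise from the resulting list.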

Workaround

None.

Description

  • CVE-2021-3482 (arbitrary code execution)

A security issue was found in Exiv2 in versions before version 0.27.4.
Improper input validation of the rawData.size property in
Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based
buffer overflow via a crafted JPG image containing malicious EXIF data.
An attacker could potentially exploit the vulnerability to gain code
execution, if they can trick the victim into running Exiv2 on a crafted
image file.

  • CVE-2021-29457 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29458 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29463 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29464 (arbitrary code execution)

A heap buffer overflow was found in Exiv2 before version 0.27.4. The
heap overflow is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to gain code execution, if they can trick the victim into
running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29470 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. The
out-of-bounds read is triggered when Exiv2 is used to write metadata
into a crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29473 (denial of service)

An out-of-bounds read was found in Exiv2 before version 0.27.4. An
attacker could potentially exploit the vulnerability to cause a denial
of service by crashing Exiv2, if they can trick the victim into running
Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as insert.

  • CVE-2021-29623 (information disclosure)

A read of uninitialized memory was found in Exiv2 before version
0.27.4. The read of uninitialized memory is triggered when Exiv2 is
used to read the metadata of a crafted image file. An attacker could
potentially exploit the vulnerability to leak a few bytes of stack
memory, if they can trick the victim into running Exiv2 on a crafted
image file.

  • CVE-2021-32617 (denial of service)

An inefficient algorithm (quadratic complexity) was found in Exiv2
before version 0.27.4. The inefficient algorithm is triggered when
Exiv2 is used to write metadata into a crafted image file. An attacker
could potentially exploit the vulnerability to cause a denial of
service, if they can trick the victim into running Exiv2 on a crafted
image file.

Note that this bug is only triggered when writing the metadata, which
is a less frequently used Exiv2 operation than reading the metadata.
For example, to trigger the bug in the Exiv2 command-line application,
you need to add an extra command-line argument such as rm.

Impact

Reading or writing EXIF metadata of a crafted image file could lead to
arbitrary code execution.

References

https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9
https://github.com/Exiv2/exiv2/issues/1522
https://github.com/Exiv2/exiv2/pull/1523
https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
https://github.com/Exiv2/exiv2/issues/1529
https://github.com/Exiv2/exiv2/pull/1534
https://github.com/Exiv2/exiv2/commit/13e5a3e02339b746abcaee6408893ca2fd8e289d
https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
https://github.com/Exiv2/exiv2/issues/1530
https://github.com/Exiv2/exiv2/pull/1536
https://github.com/Exiv2/exiv2/pull/1539
https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
https://github.com/Exiv2/exiv2/pull/1577
https://github.com/Exiv2/exiv2/commit/d639e45c2cdc18b9b49b1307c6e4315277fa8cc4
https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
https://github.com/Exiv2/exiv2/pull/1576
https://github.com/Exiv2/exiv2/commit/0357f341e43f6e14123f227946574231ba379637
https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
https://github.com/Exiv2/exiv2/pull/1581
https://github.com/Exiv2/exiv2/commit/f6ee71526eef5649a529ac6da3f2843e3b63e227
https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2
https://github.com/Exiv2/exiv2/pull/1587
https://github.com/Exiv2/exiv2/commit/e6a0982f7cd9282052b6e3485a458d60629ffa0b
https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
https://github.com/Exiv2/exiv2/pull/1627
https://github.com/Exiv2/exiv2/commit/0f9eb74c44c908e170a64cab590949d53749af8e
https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
https://github.com/Exiv2/exiv2/pull/1657
https://github.com/Exiv2/exiv2/commit/c261fbaa2567687eec6a595d3016212fd6ae648d
https://security.archlinux.org/CVE-2021-3482
https://security.archlinux.org/CVE-2021-29457
https://security.archlinux.org/CVE-2021-29458
https://security.archlinux.org/CVE-2021-29463
https://security.archlinux.org/CVE-2021-29464
https://security.archlinux.org/CVE-2021-29470
https://security.archlinux.org/CVE-2021-29473
https://security.archlinux.org/CVE-2021-29623
https://security.archlinux.org/CVE-2021-32617

OS         Version  Architecture  Package  Version     Filename
ArchLinux  any      any           exiv2    < 0.27.4-1  UNKNOWN
