According to the versions of the exiv2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
- In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file. (CVE-2018-19107)
- In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file. (CVE-2018-19108)
- There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack. (CVE-2018-20097)
- Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file. (CVE-2019-13113)
- A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file. (CVE-2019-13112)
- A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file. (CVE-2019-13110)
- Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file. (CVE-2017-18005)
- An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file. (CVE-2017-9239)
- In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. (CVE-2018-10958)
- An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read. (CVE-2018-10999)
- An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call. (CVE-2018-10998)
- There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. (CVE-2017-11591)
- There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. (CVE-2017-11683)
- An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2017-14859)
- An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2017-14862)
- An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2017-14864)
- There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack. (CVE-2017-17669)
- CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service. (CVE-2018-17581)
- In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file. (CVE-2018-19535)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(131867);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/04");
  script_cve_id(
    "CVE-2017-11591",
    "CVE-2017-11683",
    "CVE-2017-14859",
    "CVE-2017-14862",
    "CVE-2017-14864",
    "CVE-2017-17669",
    "CVE-2017-18005",
    "CVE-2017-9239",
    "CVE-2018-10958",
    "CVE-2018-10998",
    "CVE-2018-10999",
    "CVE-2018-17581",
    "CVE-2018-19107",
    "CVE-2018-19108",
    "CVE-2018-19535",
    "CVE-2018-20097",
    "CVE-2019-13110",
    "CVE-2019-13112",
    "CVE-2019-13113"
  );
  script_name(english:"EulerOS 2.0 SP2 : exiv2 (EulerOS-SA-2019-2375)");
  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the exiv2 package installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :
- In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp
(called from psdimage.cpp in the PSD image reader) may
suffer from a denial of service (heap-based buffer
over-read) caused by an integer overflow via a crafted
PSD image file.(CVE-2018-19107)
- In Exiv2 0.26, Exiv2::PsdImage::readMetadata in
psdimage.cpp in the PSD image reader may suffer from a
denial of service (infinite loop) caused by an integer
overflow via a crafted PSD image file.(CVE-2018-19108)
- There is a SEGV in
Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input
will lead to a remote denial of service
attack.(CVE-2018-20097)
- Exiv2 through 0.27.1 allows an attacker to cause a
denial of service (crash due to assertion failure) via
an invalid data location in a CRW image
file.(CVE-2019-13113)
- A PngChunk::parseChunkContent uncontrolled memory
allocation in Exiv2 through 0.27.1 allows an attacker
to cause a denial of service (crash due to an
std::bad_alloc exception) via a crafted PNG image
file.(CVE-2019-13112)
- A CiffDirectory::readDirectory integer overflow and
out-of-bounds read in Exiv2 through 0.27.1 allows an
attacker to cause a denial of service (SIGSEGV) via a
crafted CRW image file.(CVE-2019-13110)
- Exiv2 0.26 has a Null Pointer Dereference in the
Exiv2::DataValue::toLong function in value.cpp, related
to crafted metadata in a TIFF file.(CVE-2017-18005)
- An issue was discovered in Exiv2 0.26. When the data
structure of the structure ifd is incorrect, the
program assigns pValue_ to 0x0, and the value of
pValue() is 0x0. TiffImageEntry::doWriteImage will use
the value of pValue() to cause a segmentation fault. To
exploit this vulnerability, someone must open a crafted
tiff file.(CVE-2017-9239)
- In types.cpp in Exiv2 0.26, a large size value may lead
to a SIGABRT during an attempt at memory allocation for
an Exiv2::Internal::PngChunk::zlibUncompress
call.(CVE-2018-10958)
- An issue was discovered in Exiv2 0.26. The
Exiv2::Internal::PngChunk::parseTXTChunk function has a
heap-based buffer over-read.(CVE-2018-10999)
- An issue was discovered in Exiv2 0.26. readMetadata in
jp2image.cpp allows remote attackers to cause a denial
of service (SIGABRT) by triggering an incorrect
Safe::add call.(CVE-2018-10998)
- There is a Floating point exception in the
Exiv2::ValueType function in Exiv2 0.26 that will lead
to a remote denial of service attack via crafted
input.(CVE-2017-11591)
- There is a reachable assertion in the
Internal::TiffReader::visitDirectory function in
tiffvisitor.cpp of Exiv2 0.26 that will lead to a
remote denial of service attack via crafted
input.(CVE-2017-11683)
- An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp in Exiv2
0.26. The vulnerability causes a segmentation fault and
application crash, which leads to denial of
service.(CVE-2017-14859)
- An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The
vulnerability causes a segmentation fault and
application crash, which leads to denial of
service.(CVE-2017-14862)
- An Invalid memory address dereference was discovered in
Exiv2::getULong in types.cpp in Exiv2 0.26. The
vulnerability causes a segmentation fault and
application crash, which leads to denial of
service.(CVE-2017-14864)
- There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of
pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will
lead to a remote denial of service
attack.(CVE-2017-17669)
- CiffDirectory::readDirectory() at crwimage_int.cpp in
Exiv2 0.26 has excessive stack consumption due to a
recursive function, leading to Denial of
service.(CVE-2018-17581)
- In Exiv2 0.26 and previous versions,
PngChunk::readRawProfile in pngchunk_int.cpp may cause
a denial of service (application crash due to a
heap-based buffer over-read) via a crafted PNG
file.(CVE-2018-19535)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2375
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2363d7df");
  script_set_attribute(attribute:"solution", value:
"Update the affected exiv2 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-11591");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/10");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:exiv2-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");
  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["exiv2-libs-0.23-6.h4"];
foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11591
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11683
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17669
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18005
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10958
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10998
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10999
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17581
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19107
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19108
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19535
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13110
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13112
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13113
www.nessus.org/u?2363d7df