exiv2: CVE-2021-32815

Related Vulnerabilities: CVE-2021-32815  

Debian Bug report logs - #992705
exiv2: CVE-2021-32815

version graph

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 22 Aug 2021 15:21:02 UTC

Severity: important

Tags: security, upstream

Found in version exiv2/0.27.3-3

Forwarded to https://github.com/Exiv2/exiv2/pull/1739

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#992705; Package src:exiv2. (Sun, 22 Aug 2021 15:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 22 Aug 2021 15:21:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exiv2: CVE-2021-32815
Date: Sun, 22 Aug 2021 17:18:50 +0200
Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/pull/1739
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for exiv2.

CVE-2021-32815[0]:
| Exiv2 is a command-line utility and C++ library for reading, writing,
| deleting, and modifying the metadata of image files. The assertion
| failure is triggered when Exiv2 is used to modify the metadata of a
| crafted image file. An attacker could potentially exploit the
| vulnerability to cause a denial of service, if they can trick the
| victim into running Exiv2 on a crafted image file. Note that this bug
| is only triggered when modifying the metadata, which is a less
| frequently used Exiv2 operation than reading the metadata. For
| example, to trigger the bug in the Exiv2 command-line application, you
| need to add an extra command-line argument such as `fi`. ### Patches
| The bug is fixed in version v0.27.5. ### References Regression test
| and bug fix: #1739 ### For more information Please see our [security
| policy](https://github.com/Exiv2/exiv2/security/policy) for
| information about Exiv2 security.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32815
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32815
[1] https://github.com/Exiv2/exiv2/pull/1739
[2] https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh4-m49m

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Aug 23 08:34:00 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.