Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201811-14 ] Exiv2: Multiple vulnerabilities
Date: Sat, 24 Nov 2018 21:48:21
Message-Id: 20181124214522.GG17300@monkey
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201811-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Exiv2: Multiple vulnerabilities
     Date: November 24, 2018
     Bugs: #647810, #647812, #647816, #652822, #655842, #655958, #658236
       ID: 201811-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Exiv2, the worst of which
could result in a Denial of Service condition.

Background
==========

Exiv2 is a C++ library and a command line utility to manage image
metadata.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /     Vulnerable        /            Unaffected
    -------------------------------------------------------------------
  1  media-gfx/exiv2    < 0.26_p20180811-r3     >= 0.26_p20180811-r3

Description
===========

Multiple vulnerabilities have been discovered in Exiv2. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could cause a Denial of Service condition or obtain
sensitive information via a specially crafted file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Exiv2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=media-gfx/exiv2-0.26_p20180811-r3"

References
==========

[  1 ] CVE-2017-17723
       https://nvd.nist.gov/vuln/detail/CVE-2017-17723
[  2 ] CVE-2017-17724
       https://nvd.nist.gov/vuln/detail/CVE-2017-17724
[  3 ] CVE-2018-10780
       https://nvd.nist.gov/vuln/detail/CVE-2018-10780
[  4 ] CVE-2018-10958
       https://nvd.nist.gov/vuln/detail/CVE-2018-10958
[  5 ] CVE-2018-10998
       https://nvd.nist.gov/vuln/detail/CVE-2018-10998
[  6 ] CVE-2018-10999
       https://nvd.nist.gov/vuln/detail/CVE-2018-10999
[  7 ] CVE-2018-11037
       https://nvd.nist.gov/vuln/detail/CVE-2018-11037
[  8 ] CVE-2018-11531
       https://nvd.nist.gov/vuln/detail/CVE-2018-11531
[  9 ] CVE-2018-12264
       https://nvd.nist.gov/vuln/detail/CVE-2018-12264
[ 10 ] CVE-2018-12265
       https://nvd.nist.gov/vuln/detail/CVE-2018-12265
[ 11 ] CVE-2018-5772
       https://nvd.nist.gov/vuln/detail/CVE-2018-5772
[ 12 ] CVE-2018-8976
       https://nvd.nist.gov/vuln/detail/CVE-2018-8976
[ 13 ] CVE-2018-8977
       https://nvd.nist.gov/vuln/detail/CVE-2018-8977
[ 14 ] CVE-2018-9144
       https://nvd.nist.gov/vuln/detail/CVE-2018-9144
[ 15 ] CVE-2018-9145
       https://nvd.nist.gov/vuln/detail/CVE-2018-9145
[ 16 ] CVE-2018-9146
       https://nvd.nist.gov/vuln/detail/CVE-2018-9146
[ 17 ] CVE-2018-9303
       https://nvd.nist.gov/vuln/detail/CVE-2018-9303
[ 18 ] CVE-2018-9304
       https://nvd.nist.gov/vuln/detail/CVE-2018-9304
[ 19 ] CVE-2018-9305
       https://nvd.nist.gov/vuln/detail/CVE-2018-9305
[ 20 ] CVE-2018-9306
       https://nvd.nist.gov/vuln/detail/CVE-2018-9306

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201811-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature