exiv2-0.27.4-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10747 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z exiv2-0.27.4-1.2 on GA media These are all security issues fixed in the exiv2-0.27.4-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10747 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10747 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-6353/ SUSE CVE CVE-2007-6353 page https://www.suse.com/security/cve/CVE-2017-1000128/ SUSE CVE CVE-2017-1000128 page https://www.suse.com/security/cve/CVE-2017-11338/ SUSE CVE CVE-2017-11338 page https://www.suse.com/security/cve/CVE-2017-11340/ SUSE CVE CVE-2017-11340 page https://www.suse.com/security/cve/CVE-2017-11591/ SUSE CVE CVE-2017-11591 page https://www.suse.com/security/cve/CVE-2017-12955/ SUSE CVE CVE-2017-12955 page https://www.suse.com/security/cve/CVE-2017-12957/ SUSE CVE CVE-2017-12957 page https://www.suse.com/security/cve/CVE-2017-14859/ SUSE CVE CVE-2017-14859 page https://www.suse.com/security/cve/CVE-2017-14860/ SUSE CVE CVE-2017-14860 page https://www.suse.com/security/cve/CVE-2017-14862/ SUSE CVE CVE-2017-14862 page https://www.suse.com/security/cve/CVE-2017-14864/ SUSE CVE CVE-2017-14864 page https://www.suse.com/security/cve/CVE-2018-12264/ SUSE CVE CVE-2018-12264 page openSUSE Tumbleweed exiv2-0.27.4-1.2 exiv2-lang-0.27.4-1.2 libexiv2-27-0.27.4-1.2 libexiv2-27-32bit-0.27.4-1.2 libexiv2-devel-0.27.4-1.2 libexiv2-xmp-static-0.27.4-1.2 exiv2-0.27.4-1.2 as a component of openSUSE Tumbleweed exiv2-lang-0.27.4-1.2 as a component of openSUSE Tumbleweed libexiv2-27-0.27.4-1.2 as a component of openSUSE Tumbleweed libexiv2-27-32bit-0.27.4-1.2 as a component of openSUSE Tumbleweed libexiv2-devel-0.27.4-1.2 as a component of openSUSE Tumbleweed libexiv2-xmp-static-0.27.4-1.2 as a component of openSUSE Tumbleweed Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. CVE-2007-6353 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6353.html CVE-2007-6353 https://bugzilla.suse.com/348748 SUSE Bug 348748 https://bugzilla.suse.com/435509 SUSE Bug 435509 Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser CVE-2017-1000128 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000128.html CVE-2017-1000128 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service attack. CVE-2017-11338 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11338.html CVE-2017-11338 https://bugzilla.suse.com/1048883 SUSE Bug 1048883 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is a Segmentation fault in the XmpParser::terminate() function in Exiv2 0.26, related to an exit call. A Crafted input will lead to a remote denial of service attack. CVE-2017-11340 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11340.html CVE-2017-11340 https://bugzilla.suse.com/1048883 SUSE Bug 1048883 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. CVE-2017-11591 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-11591.html CVE-2017-11591 https://bugzilla.suse.com/1050257 SUSE Bug 1050257 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. The vulnerability causes an out-of-bounds write in Exiv2::Image::printIFDStructure(), which may lead to remote denial of service or possibly unspecified other impact. CVE-2017-12955 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12955.html CVE-2017-12955 https://bugzilla.suse.com/1054593 SUSE Bug 1054593 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that is triggered in the Exiv2::Image::io function in image.cpp. It will lead to remote denial of service. CVE-2017-12957 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12957.html CVE-2017-12957 https://bugzilla.suse.com/1054590 SUSE Bug 1054590 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14859 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14859.html CVE-2017-14859 https://bugzilla.suse.com/1061000 SUSE Bug 1061000 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. CVE-2017-14860 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14860.html CVE-2017-14860 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14862 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14862.html CVE-2017-14862 https://bugzilla.suse.com/1060996 SUSE Bug 1060996 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2017-14864 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14864.html CVE-2017-14864 https://bugzilla.suse.com/1060995 SUSE Bug 1060995 https://bugzilla.suse.com/1061023 SUSE Bug 1061023 https://bugzilla.suse.com/1061025 SUSE Bug 1061025 https://bugzilla.suse.com/1068871 SUSE Bug 1068871 https://bugzilla.suse.com/1080734 SUSE Bug 1080734 Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp, leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp. CVE-2018-12264 openSUSE Tumbleweed:exiv2-0.27.4-1.2 openSUSE Tumbleweed:exiv2-lang-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-devel-0.27.4-1.2 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.4-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12264.html CVE-2018-12264 https://bugzilla.suse.com/1097600 SUSE Bug 1097600