exiv2-0.27.5-4.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12399 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z exiv2-0.27.5-4.1 on GA media These are all security issues fixed in the exiv2-0.27.5-4.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12399 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12399 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-1000126/ SUSE CVE CVE-2017-1000126 page https://www.suse.com/security/cve/CVE-2017-9239/ SUSE CVE CVE-2017-9239 page https://www.suse.com/security/cve/CVE-2018-17229/ SUSE CVE CVE-2018-17229 page https://www.suse.com/security/cve/CVE-2018-17230/ SUSE CVE CVE-2018-17230 page https://www.suse.com/security/cve/CVE-2018-17282/ SUSE CVE CVE-2018-17282 page https://www.suse.com/security/cve/CVE-2018-19108/ SUSE CVE CVE-2018-19108 page https://www.suse.com/security/cve/CVE-2018-19607/ SUSE CVE CVE-2018-19607 page https://www.suse.com/security/cve/CVE-2018-9305/ SUSE CVE CVE-2018-9305 page https://www.suse.com/security/cve/CVE-2019-13114/ SUSE CVE CVE-2019-13114 page openSUSE Tumbleweed exiv2-0.27.5-4.1 exiv2-lang-0.27.5-4.1 libexiv2-27-0.27.5-4.1 libexiv2-27-32bit-0.27.5-4.1 libexiv2-devel-0.27.5-4.1 libexiv2-xmp-static-0.27.5-4.1 exiv2-0.27.5-4.1 as a component of openSUSE Tumbleweed exiv2-lang-0.27.5-4.1 as a component of openSUSE Tumbleweed libexiv2-27-0.27.5-4.1 as a component of openSUSE Tumbleweed libexiv2-27-32bit-0.27.5-4.1 as a component of openSUSE Tumbleweed libexiv2-devel-0.27.5-4.1 as a component of openSUSE Tumbleweed libexiv2-xmp-static-0.27.5-4.1 as a component of openSUSE Tumbleweed exiv2 0.26 contains a Stack out of bounds read in webp parser CVE-2017-1000126 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000126.html CVE-2017-1000126 https://bugzilla.suse.com/1068873 SUSE Bug 1068873 An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file. CVE-2017-9239 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-9239.html CVE-2017-9239 https://bugzilla.suse.com/1040973 SUSE Bug 1040973 Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file. CVE-2018-17229 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17229.html CVE-2018-17229 https://bugzilla.suse.com/1109175 SUSE Bug 1109175 https://bugzilla.suse.com/1109176 SUSE Bug 1109176 Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted image file. CVE-2018-17230 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17230.html CVE-2018-17230 https://bugzilla.suse.com/1109176 SUSE Bug 1109176 An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference. CVE-2018-17282 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17282.html CVE-2018-17282 https://bugzilla.suse.com/1109299 SUSE Bug 1109299 In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file. CVE-2018-19108 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19108.html CVE-2018-19108 https://bugzilla.suse.com/1115364 SUSE Bug 1115364 Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. CVE-2018-19607 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19607.html CVE-2018-19607 https://bugzilla.suse.com/1117513 SUSE Bug 1117513 In Exiv2 0.26, an out-of-bounds read in IptcData::printStructure in iptc.c could result in a crash or information leak, related to the "== 0x1c" case. CVE-2018-9305 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-9305.html CVE-2018-9305 https://bugzilla.suse.com/1088424 SUSE Bug 1088424 http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character. CVE-2019-13114 openSUSE Tumbleweed:exiv2-0.27.5-4.1 openSUSE Tumbleweed:exiv2-lang-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-27-32bit-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-devel-0.27.5-4.1 openSUSE Tumbleweed:libexiv2-xmp-static-0.27.5-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13114.html CVE-2019-13114 https://bugzilla.suse.com/1142684 SUSE Bug 1142684