exiv2 - Debian Package Tracker

general

source: exiv2 (main)
version: 0.27.3-3
maintainer: Debian KDE Extras Team (archive) (DMD)
uploaders: Mark Purcell [DMD] – Maximiliano Curia [DMD] – Steve M. Robbins [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 0.25-3.1+deb9u2
old-sec: 0.25-3.1+deb9u1
stable: 0.25-4+deb10u1
testing: 0.27.3-3
unstable: 0.27.3-3

versioned links

0.25-3.1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-3.1+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-4+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.27.3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

exiv2 (7 bugs: 0, 6, 1, 0)
libexiv2-27
libexiv2-dev
libexiv2-doc (1 bugs: 0, 1, 0, 0)

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2021-3482: A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.

Created: 2021-04-06 Last update: 2021-04-13 15:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2021-3482: A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.

Created: 2021-04-06 Last update: 2021-04-13 15:30

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2021-02-03 Last update: 2021-04-19 14:30

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libexiv2-doc could be marked Multi-Arch: foreign
libexiv2-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2021-04-19 10:12

25 low-priority security issues in buster low

There are 25 open security issues in buster.

3 issues left for the package maintainer to handle:

CVE-2019-14370: (needs triaging) In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service.
CVE-2019-17402: (needs triaging) Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
CVE-2021-3482: (needs triaging) A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.

You can find information about how to handle these issues in the security team's documentation.

22 ignored issues:

CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2018-17581: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.
CVE-2018-19107: In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.
CVE-2018-19108: In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.
CVE-2018-19535: In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.
CVE-2018-20097: There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2019-13108: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.
CVE-2019-13109: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
CVE-2019-13110: A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
CVE-2019-13112: A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
CVE-2019-13114: http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
CVE-2019-13504: There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.
CVE-2019-14369: Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file.
CVE-2019-20421: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

Created: 2021-02-19 Last update: 2021-04-13 15:30

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2017-02-25 Last update: 2020-08-09 11:53

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2020-11-17 05:41

news

[rss feed]

[2020-08-14] exiv2 0.27.3-3 MIGRATED to testing (Debian testing watch)
[2020-08-09] Accepted exiv2 0.27.3-3 (source) into unstable (Pino Toscano)
[2020-08-08] Accepted exiv2 0.27.3-2 (source) into unstable (Pino Toscano)
[2020-08-08] Accepted exiv2 0.27.3-1 (source) into unstable (Pino Toscano)
[2020-07-09] Accepted exiv2 0.25-4+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
[2020-07-03] Accepted exiv2 0.25-3.1+deb9u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Roberto C. Sanchez)
[2020-02-04] exiv2 0.27.2-8 MIGRATED to testing (Debian testing watch)
[2020-01-30] Accepted exiv2 0.27.2-8 (source) into unstable (Pino Toscano)
[2020-01-28] Accepted exiv2 0.27.2-7 (source) into unstable (Pino Toscano)
[2020-01-28] Accepted exiv2 0.27.2-6 (source) into unstable (Steve M. Robbins)
[2020-01-26] Accepted exiv2 0.27.2-5 (source) into experimental (Steve M. Robbins)
[2020-01-26] Accepted exiv2 0.27.2-4 (source) into experimental (Steve M. Robbins)
[2019-12-02] Accepted exiv2 0.24-4.1+deb8u5 (source amd64 all) into oldoldstable (Dylan Aïssi)
[2019-11-07] Accepted exiv2 0.27.2-3 (source) into experimental (Steve M. Robbins)
[2019-11-05] Accepted exiv2 0.27.2-2 (source) into experimental (Steve M. Robbins)
[2019-09-15] Accepted exiv2 0.27.2-1 (source amd64 all) into experimental, experimental (Steve M. Robbins)
[2019-07-19] Accepted exiv2 0.24-4.1+deb8u4 (source amd64 all) into oldoldstable (Chris Lamb)
[2019-02-26] Accepted exiv2 0.24-4.1+deb8u3 (source amd64 all) into oldstable (Thorsten Alteholz)
[2018-10-21] Accepted exiv2 0.24-4.1+deb8u2 (source all) into oldstable (Roberto C. Sanchez)
[2018-07-04] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Roberto C. Sanchez)
[2018-07-04] exiv2 0.25-4 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into stable->embargoed, stable (Roberto C. Sanchez)
[2018-06-28] Accepted exiv2 0.25-4 (source) into unstable (Maximiliano Curia)
[2018-06-28] Accepted exiv2 0.24-4.1+deb8u1 (source all) into oldstable (Roberto C. Sanchez)
[2017-10-26] Accepted exiv2 0.23-1+deb7u2 (source amd64 all) into oldoldstable (Raphaël Hertzog)
[2017-07-17] Accepted exiv2 0.26-1 (source amd64 all) into experimental, experimental (Maximiliano Curia)
[2017-06-08] exiv2 0.25-3.1 MIGRATED to testing (Debian testing watch)
[2017-06-05] Accepted exiv2 0.25-3.1 (source amd64 all) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-05-29] Accepted exiv2 0.23-1+deb7u1 (source amd64 all) into oldstable (Emilio Pozuelo Monfort)
[2016-05-24] exiv2 0.25-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 12
RC: 0
I&N: 11
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 44)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.27.3-3ubuntu1
6 bugs
patches for 0.27.3-3ubuntu1