Register | Log in

exiv2

EXIF/IPTC/XMP metadata manipulation tool

Choose email to subscribe with

general

source: exiv2 (main)
version: 0.27.2-8
maintainer: Debian KDE Extras Team (archive) (DMD)
uploaders: Mark Purcell [DMD] – Maximiliano Curia [DMD] – Steve M. Robbins [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.24-4.1
o-o-sec: 0.24-4.1+deb8u5
oldstable: 0.25-3.1+deb9u1
old-sec: 0.25-3.1+deb9u1
stable: 0.25-4
testing: 0.27.2-8
unstable: 0.27.2-8

versioned links

0.24-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.24-4.1+deb8u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-3.1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.25-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.27.2-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

exiv2 (5 bugs: 0, 5, 0, 0)
libexiv2-27
libexiv2-dev
libexiv2-doc (1 bugs: 0, 1, 0, 0)

action needed

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2019-17402: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

Please fix it.

Created: 2019-07-07 Last update: 2020-02-07 09:36

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2019-17402: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

Please fix it.

Created: 2017-07-17 Last update: 2020-02-07 09:36

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libexiv2-doc could be marked Multi-Arch: foreign
libexiv2-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2020-02-21 09:00

25 ignored security issues in buster low

There are 25 open security issues in buster.

25 issues skipped by the security teams:

CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2019-20421: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2018-16336: Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.
CVE-2018-17581: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.
CVE-2018-19535: In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.
CVE-2018-20097: There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.
CVE-2019-13114: http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
CVE-2019-13112: A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
CVE-2019-13504: There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.
CVE-2019-13110: A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2019-13109: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
CVE-2019-13108: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.
CVE-2019-17402: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2018-19107: In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.
CVE-2018-19108: In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.
CVE-2019-14369: Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
CVE-2019-14370: In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.

Please fix them.

Created: 2017-07-17 Last update: 2020-02-07 09:36

12 ignored security issues in jessie low

There are 12 open security issues in jessie.

12 issues skipped by the security teams:

CVE-2019-20421: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2017-9239: An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file.
CVE-2019-13112: A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
CVE-2019-13110: A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.

Please fix them.

Created: 2017-05-26 Last update: 2020-02-07 09:36

25 ignored security issues in stretch low

There are 25 open security issues in stretch.

25 issues skipped by the security teams:

CVE-2018-11037: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp allows remote attackers to cause an information leak via a crafted file.
CVE-2019-20421: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.
CVE-2018-16336: Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.
CVE-2018-17581: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.
CVE-2018-19535: In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.
CVE-2018-20097: There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups of tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.
CVE-2019-13114: http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
CVE-2019-13112: A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.
CVE-2019-13504: There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.
CVE-2019-13110: A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-14864: An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2019-13109: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
CVE-2019-13108: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.
CVE-2019-17402: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.
CVE-2018-19107: In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.
CVE-2018-19108: In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.
CVE-2019-14369: Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file.
CVE-2018-9144: In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. It could result in denial of service or information disclosure.
CVE-2017-18005: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
CVE-2019-14370: In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in denial of service.
CVE-2018-8976: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.

Please fix them.

Created: 2017-07-17 Last update: 2020-02-07 09:36

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2017-02-25 Last update: 2020-01-28 15:34

news

[2020-02-04] exiv2 0.27.2-8 MIGRATED to testing (Debian testing watch)
[2020-01-30] Accepted exiv2 0.27.2-8 (source) into unstable (Debian FTP Masters) (signed by: Pino Toscano)
[2020-01-28] Accepted exiv2 0.27.2-7 (source) into unstable (Pino Toscano)
[2020-01-28] Accepted exiv2 0.27.2-6 (source) into unstable (Steve M. Robbins)
[2020-01-26] Accepted exiv2 0.27.2-5 (source) into experimental (Steve M. Robbins)
[2020-01-26] Accepted exiv2 0.27.2-4 (source) into experimental (Steve M. Robbins)
[2019-12-02] Accepted exiv2 0.24-4.1+deb8u5 (source amd64 all) into oldoldstable (Dylan Aïssi)
[2019-11-07] Accepted exiv2 0.27.2-3 (source) into experimental (Steve M. Robbins)
[2019-11-05] Accepted exiv2 0.27.2-2 (source) into experimental (Steve M. Robbins)
[2019-09-15] Accepted exiv2 0.27.2-1 (source amd64 all) into experimental, experimental (Steve M. Robbins)
[2019-07-19] Accepted exiv2 0.24-4.1+deb8u4 (source amd64 all) into oldoldstable (Chris Lamb)
[2019-02-26] Accepted exiv2 0.24-4.1+deb8u3 (source amd64 all) into oldstable (Thorsten Alteholz)
[2018-10-21] Accepted exiv2 0.24-4.1+deb8u2 (source all) into oldstable (Roberto C. Sanchez)
[2018-07-04] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Roberto C. Sanchez)
[2018-07-04] exiv2 0.25-4 MIGRATED to testing (Debian testing watch)
[2018-07-03] Accepted exiv2 0.25-3.1+deb9u1 (source amd64 all) into stable->embargoed, stable (Roberto C. Sanchez)
[2018-06-28] Accepted exiv2 0.25-4 (source) into unstable (Maximiliano Curia)
[2018-06-28] Accepted exiv2 0.24-4.1+deb8u1 (source all) into oldstable (Roberto C. Sanchez)
[2017-10-26] Accepted exiv2 0.23-1+deb7u2 (source amd64 all) into oldoldstable (Raphaël Hertzog)
[2017-07-17] Accepted exiv2 0.26-1 (source amd64 all) into experimental, experimental (Maximiliano Curia)
[2017-06-08] exiv2 0.25-3.1 MIGRATED to testing (Debian testing watch)
[2017-06-05] Accepted exiv2 0.25-3.1 (source amd64 all) into unstable (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2017-05-29] Accepted exiv2 0.23-1+deb7u1 (source amd64 all) into oldstable (Emilio Pozuelo Monfort)
[2016-05-24] exiv2 0.25-3 MIGRATED to testing (Debian testing watch)
[2016-05-18] Accepted exiv2 0.25-3 (source) into unstable (Norbert Preining) (signed by: Maximiliano Curia)
[2015-10-13] exiv2 0.25-2.1 MIGRATED to testing (Britney)
[2015-10-08] Accepted exiv2 0.25-2.1 (source amd64 all) into unstable (YunQiang Su)
[2015-09-06] exiv2 0.25-2 MIGRATED to testing (Britney)
[2015-08-06] Accepted exiv2 0.25-2 (source amd64 all) into unstable (Maximiliano Curia)
[2015-08-05] Accepted exiv2 0.25-1 (source amd64 all) into unstable, unstable (Maximiliano Curia)

1
2

bugs [bug history graph]

all: 11
RC: 0
I&N: 11
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.27.2-8ubuntu2
5 bugs
patches for 0.27.2-8ubuntu2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing