Vulnerability CVE-2024-39695: Information

Description

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. The bug is fixed in version v0.28.3.

Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Published: July 8, 2024
Modified: July 9, 2024
Error type identifier: CWE-125

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| exiv2 | sisyphus | 0.28.3-alt1 | 0.28.3-alt1 | ALT-PU-2024-9724-1 | 352408 | Fixed |
| exiv2 | sisyphus_riscv64 | 0.28.3-alt1 | 0.28.3-alt1 | ALT-PU-2024-9753-1 | - | Fixed |
| exiv2 | sisyphus_loongarch64 | 0.28.3-alt1 | 0.28.3-alt1 | ALT-PU-2024-9758-1 | - | Fixed |
| exiv2 | p11 | 0.28.3-alt1 | 0.28.2-alt1 | ALT-PU-2024-9734-1 | 352419 | Testing |

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*
      Start including: 0.28.0
      End excluding: 0.28.3