Уязвимость CVE-2021-29470: Информация
Описание
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4.
Важность: MEDIUM (6,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Исправленные пакеты
Имя пакета | Ветка | Исправлено в версии | Версия в репозитории | Errata ID | № Задания | Состояние |
|---|---|---|---|---|---|---|
| exiv2 | sisyphus | 0.27.4-alt1 | 0.28.2-alt1 | ALT-PU-2021-2006-1 | 274534 | Исправлено |
| exiv2 | p10 | 0.27.4-alt1 | 0.27.7-alt2 | ALT-PU-2021-2006-1 | 274534 | Исправлено |
| exiv2 | c10f1 | 0.27.4-alt1 | 0.27.5-alt1 | ALT-PU-2021-2006-1 | 274534 | Исправлено |
| exiv2 | p11 | 0.27.4-alt1 | 0.28.2-alt1 | ALT-PU-2021-2006-1 | 274534 | Исправлено |
Ссылки на рекомендации, решения и инструменты
Ссылка | Ресурс |
|---|---|
| https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj |
|
| https://github.com/Exiv2/exiv2/pull/1581 |
|
| FEDORA-2021-10d7331a31 | |
| FEDORA-2021-2d860da728 | |
| FEDORA-2021-96a5dabcfa | |
| FEDORA-2021-be94728b95 | |
| GLSA-202312-06 |