Opened 21 months ago

Closed 21 months ago

Last modified 18 months ago

#15052 closed enhancement (fixed)

exiv2-0.27.3 security fixes.

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Today on lwn.net I noticed that fedora had patched exiv2 for 5 CVEs (two heap-based buffer overflows, three out of bounds reads). NVD rates three as medium, one as low, but one as high - both the low and the high severity require writing the metadata, which is not a common operation.

The patches have been applied to the 0.27 maintenance branch, but although at least one of the CVEs said it has been fixed in 0.27.4 that has not yet been released.

Change History (5)

comment:1 by ken@…, 21 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

in reply to:  description comment:2 by Bruce Dubbs, 21 months ago

Replying to ken@…:

The patches have been applied to the 0.27 maintenance branch, but although at least one of the CVEs said it has been fixed in 0.27.4 that has not yet been released.

Yes, we wonder why a new release has not been made. The last release was 2020-06-30.

comment:3 by ken@…, 21 months ago

Fixed in @f7c3c7b36675e94308470bd32efcaf935504d52e

Security Advisory 10.1-046.

comment:4 by ken@…, 21 months ago

Resolution: fixed
Status: assignedclosed

comment:5 by Bruce Dubbs, 18 months ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.