Opened 5 weeks ago

Closed 5 weeks ago

#15052 closed enhancement (fixed)

exiv2-0.27.3 security fixes.

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 10.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Today on lwn.net I noticed that Fedora had patched exiv2 for 5 CVEs (two heap-based buffer overflows, three out-of-bounds reads). NVD rates three as medium, one as low, and one as high; both the low- and the high-severity ones require writing the metadata, which is not a common operation.

The patches have been applied to the 0.27 maintenance branch, but although at least one of the CVEs said it has been fixed in 0.27.4, that has not yet been released.

Change History (4)

comment:1 by ken@…, 5 weeks ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

in reply to: description comment:2 by Bruce Dubbs, 5 weeks ago

Replying to ken@…:

The patches have been applied to the 0.27 maintenance branch, but although at least one of the CVEs said it has been fixed in 0.27.4, that has not yet been released.

Yes, we wonder why a new release has not been made. The last release was 2020-06-30.

comment:3 by ken@…, 5 weeks ago

Fixed in @f7c3c7b36675e94308470bd32efcaf935504d52e

Security Advisory 10.1-046.

comment:4 by ken@…, 5 weeks ago

Resolution: fixed
Status: assigned → closed