Opened 3 months ago

Closed 3 months ago

Last modified 6 weeks ago

#15199 closed enhancement (fixed)

exiv2-0.27.4

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version

Didn't show up on the currency script, just noticed it over on Arch

Change History (6)

comment:1 by Bruce Dubbs, 3 months ago

I fixed the currency script for exiv2.

comment:2 by Douglas R. Reno, 3 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

Alright cool, I'll go get this in

comment:3 by Douglas R. Reno, 3 months ago

Priority: normalelevated
Exiv2 v0.27.4 Features

    bmff support (.CR3, .AVIF, .HEIC, .HIF, .JXL/bmff) files.
    Rewrite 0.27 bash test scripts in python.
    Support for Exif 2.32 and DNG 1.6.
    Crowdin Localisation Support
    Completion of Image Metadata and Exiv2 Architecture https://clanmills.com/exiv2/book/
    Improved documentation.
    Various minor bugs and fixes.
    RC3 issued to deal with 12 security issues. After 18 months without a CVE, we were attacked between RC2 and GM.
    Security policy defined and published on GitHub.

Marking elevated due to security fixes

comment:4 by Douglas R. Reno, 3 months ago

Borrowed from Arch (https://security.archlinux.org/package/exiv2):

CVE-2021-32617 	AVG-1772 	Low 	Yes 	Denial of service 	

An inefficient algorithm (quadratic complexity) was found in Exiv2 before version 0.27.4. The inefficient algorithm is triggered when Exiv2 is used to write...

CVE-2021-29623 	AVG-1772 	Low 	Yes 	Information disclosure 	

A read of uninitialized memory was found in Exiv2 before version 0.27.4. The read of uninitialized memory is triggered when Exiv2 is used to read the...

CVE-2021-29473 	AVG-1772 	Low 	Yes 	Denial of service 	

An out-of-bounds read was found in Exiv2 before version 0.27.4. An attacker could potentially exploit the vulnerability to cause a denial of service by...

CVE-2021-29470 	AVG-1772 	Low 	Yes 	Denial of service 	

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted...

CVE-2021-29464 	AVG-1772 	Low 	Yes 	Arbitrary code execution 	

A heap buffer overflow was found in Exiv2 before version 0.27.4. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image...

CVE-2021-29463 	AVG-1772 	Low 	Yes 	Denial of service 	

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted...

CVE-2021-29458 	AVG-1772 	Low 	Yes 	Denial of service 	

An out-of-bounds read was found in Exiv2 before version 0.27.4. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted...

CVE-2021-29457 	AVG-1772 	Low 	Yes 	Arbitrary code execution 	

A heap buffer overflow was found in Exiv2 before version 0.27.4. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image...

CVE-2021-3482 	AVG-1772 	Low 	Yes 	Arbitrary code execution 	

A security issue was found in Exiv2 in versions before version 0.27.4. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in...

I'll file an SA after I'm done with submitting this update

comment:5 by Douglas R. Reno, 3 months ago

Resolution: fixed
Status: assignedclosed

comment:6 by Bruce Dubbs, 6 weeks ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.