Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-1147-1 exiv2

Debian Security Advisory

DLA-1147-1 exiv2 -- LTS security update

Date Reported:

26 Oct 2017

Affected Packages:

exiv2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 876893.
In Mitre's CVE dictionary: CVE-2017-11591, CVE-2017-11683, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864.

More information:

The exiv2 library is vulnerable to multiple issues that can all lead to denial of service of the applications relying on the library to parse images' metadata.

• CVE-2017-11591

  Denial of service via floating point exception in the Exiv2::ValueType function.

• CVE-2017-11683

  Denial of service through failing assertion triggered by crafted image.

• CVE-2017-14859 / CVE-2017-14862 / CVE-2017-14864

  Denial of service through invalid memory access triggered by a crafted image.

For Debian 7 Wheezy, these problems have been fixed in version 0.23-1+deb7u2.

We recommend that you upgrade your exiv2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS