Gentoo update for Exiv2
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 18 |
| CVE-ID | CVE-2017-17723 CVE-2017-17724 CVE-2018-10780 CVE-2018-10958 CVE-2018-10998 CVE-2018-10999 CVE-2018-11037 CVE-2018-11531 CVE-2018-12264 CVE-2018-12265 CVE-2018-5772 CVE-2018-8976 CVE-2018-8977 CVE-2018-9144 CVE-2018-9145 CVE-2018-9303 CVE-2018-9304 CVE-2018-9305 |
| CWE-ID | CWE-119 CWE-126 CWE-264 CWE-401 CWE-122 CWE-125 CWE-190 CWE-20 CWE-617 CWE-369 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU10963
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-17723
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the Exiv2::Image::byteSwap4 function of image.cpp due to boundary error. A remote attacker can send a specially crafted TIFF image file, trick the victim into opening it and cause the service to crash.
Update the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer over-read
EUVDB-ID: #VU11070
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2017-17724
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows an remote unauthenticated attacker to cause DoS on the target system.
The weakness exists in the Exiv2::IptcData::printStructure function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, trigger heap-based buffer over-read and cause the service to crash.
Update the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Heap-based buffer over-read
EUVDB-ID: #VU16046
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10780
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in Exiv2::Image::byteSwap2 in image.cpp. A remote attacker can trick the victim into opening a specially crafted input and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory corruption
EUVDB-ID: #VU13574
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10958
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to boundary error in types.cpp when processing a large size value. A remote attacker can perform Exiv2::Internal::PngChunk::zlibUncompress call and cause a SIGABRT during an attempt at memory allocation.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Denial of service
EUVDB-ID: #VU13575
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10998
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in readMetadata in jp2image.cpp. A remote attacker can trigger an incorrect Safe::add call and cause a denial of service (SIGABRT)
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer over-read
EUVDB-ID: #VU13573
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10999
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the Exiv2::Internal::PngChunk::parseTXTChunk function. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU16047
Risk: Low
CVSSv4.0: 4.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-11037
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak in Exiv2::PngImage::printStructure function in pngimage.cpp. A remote attacker can trick the victim into opening a specially crafted input and gain access to arbitrary data or perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Heap-based buffer overflow
EUVDB-ID: #VU13576
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-11531
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer overflow in getData in preview.cpp. A remote attacker can trigger memory corruption and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory corruption
EUVDB-ID: #VU13577
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-12264
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflows in LoaderTiff::getData() in preview.cpp. A remote attacker can trigger out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory corruption
EUVDB-ID: #VU13578
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-12265
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in the LoaderExifJpeg class in preview.cpp. A remote attacker can trigger out-of-bounds read in Exiv2::MemIo::read in basicio.cpp and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Segmentation fault
EUVDB-ID: #VU16048
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-5772
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion in the Exiv2::Image::printIFDStructure function in the image.cpp file. A remote attacker can trick the victim into opening a specially crafted tif input, trigger segmentation fault and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds read
EUVDB-ID: #VU16049
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-8976
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to out-of-bounds read in image.cpp Exiv2::Internal::stringFormat. A remote attacker can trick the victim into opening a specially crafted input, trigger an error in jpgimage.cpp and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Memory corruption
EUVDB-ID: #VU16050
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-8977
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to boundary error in Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Out-of-bounds read
EUVDB-ID: #VU16051
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9144
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to out-of-bounds read in Exiv2::Internal::binaryToString in image.cpp. A remote attacker can trick the victim into opening a specially crafted input and gain access to arbitrary data or perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Memory corruption
EUVDB-ID: #VU16052
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9145
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to boundary error in the constructor with an initial buffer size in the DataBuf class in include/exiv2/types.hpp. A remote attacker can trick the victim into opening a specially crafted input, trigger a SIGABRT during an attempt at memory allocation and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Assertion failure
EUVDB-ID: #VU16053
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9303
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to assertion failure in BigTiffImage::readData in bigtiffimage.cpp. A remote attacker can trick the victim into opening a specially crafted input and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Divide by zero
EUVDB-ID: #VU16054
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9304
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to divide by zero in BigTiffImage::printIFD in bigtiffimage.cpp. A remote attacker can trick the victim into opening a specially crafted input and perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Out-of-bounds read
EUVDB-ID: #VU16055
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9305
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to out-of-bounds read in IptcData::printStructure in iptc.c, related to the "== 0x1c" case. A remote attacker can trick the victim into opening a specially crafted input and gain access to arbitrary data or perform a denial of service attack.
MitigationUpdate the affected packages.
media-gfx/exiv2 to version:
Gentoo Linux: All versions
CPE2.3 External linkshttps://security.gentoo.org/glsa/201811-14
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
