SB2019073120 - Fedora 30 update for exiv2

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019073120

SB2019073120 - Fedora 30 update for exiv2

Published: July 31, 2019 Updated: April 25, 2025

Security Bulletin ID SB2019073120
Severity
Low
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Integer overflow (CVE-ID: CVE-2019-13108)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in Exiv2 through 0.27.1 due to PngImage::readMetadata mishandles a zero value for iccOffset. A remote attacker can create a crafted PNG image file, trigger integer overflow and perform denial of service (DoS) attack.


2) Integer overflow (CVE-ID: CVE-2019-13109)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in Exiv2 through 0.27.1 due to PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction. A remote attacker can create a crafted PNG image file, trigger integer overflow and perform denial of service (DoS) attack.


3) Integer overflow (CVE-ID: CVE-2019-13110)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer overflow in CiffDirectory::readDirectory() function. A remote attacker can create a specially crafted CRW image, pass it to the application, trigger integer overflow and crash the affected application.


4) Integer overflow (CVE-ID: CVE-2019-13111)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer overflow in WebPImage::decodeChunks() function. A remote attacker can create a specially crafted WEBP image, pass it to the application, trigger integer overflow and crash the affected application.


5) Resource management error (CVE-ID: CVE-2019-13112)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to memory allocation error in PngChunk::parseChunkContent() function. A remote attacker can create a specially crafted PNG image, pass it to the application and perform a denial of service attack.


6) Reachable Assertion (CVE-ID: CVE-2019-13113)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion due to assertion failure) via an invalid data location in a CRW image file. A remote attacker can cause a denial of service (crash.


7) NULL pointer dereference (CVE-ID: CVE-2019-13114)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dreference error when parsing HTTP responses without a space character. A remote attacker can perform a denial of service (DoS) attack.


8) Out-of-bounds read (CVE-ID: CVE-2019-13504)

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists due to an out-of-bounds read error in the "Exiv2::MrwImage::readMetadata" function in the "mrwimage.cpp" file. A remote attacker can create a specially crafted media file, trick the victim into opening it and cause the affected application to crash.


Remediation

Install update from vendor's website.

References