DLA-3186-1

Source: https://storage.googleapis.com/debian-osv/dla-osv/DLA-3186-1.json
Aliases:
Published: 2022-11-10T00:00:00Z
Modified: 2022-11-22T01:04:17.893751Z
Details

Three vulnerabilities have been fixed that could, under rare circumstances, lead to remotely exploitable DoS vulnerabilities in software using exiv2 for meta-data extraction.

  • CVE-2017-11683 Crash due to a reachable assertion on crafted input
  • CVE-2020-19716 Buffer overflow when handling crafted meta-data of CRW images

For Debian 10 buster, these problems have been fixed in version 0.25-4+deb10u3.

We recommend that you upgrade your exiv2 packages.

For the detailed security status of exiv2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exiv2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

References

Affected packages

Debian:10 / exiv2


Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0
  • Fixed: 0.25-4+deb10u3

Affected versions

0.*

0.25-4
0.25-4+deb10u1
0.25-4+deb10u2