Vulnerabilities > CVE-2017-1000126 - Out-of-bounds Read vulnerability in Exiv2 0.26

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

exiv2

CWE-125

nessus

NVD

Published: 2017-11-17

Updated: 2020-04-09

Summary

exiv2 0.26 contains a Stack out of bounds read in webp parser

Vulnerable Configurations

Part	Description	Count
Application	Exiv2 Exiv2 Exiv2 0.26	1

Common Weakness Enumeration (CWE)

CWE-125 - Out-of-bounds Read

Common Attack Pattern Enumeration and Classification (CAPEC)

Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-0921-1.NASL
description	This update for exiv2 fixes the following issues : exiv2 was updated to latest 0.26 branch, fixing bugs and security issues : CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). CVE-2018-17229: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). CVE-2018-17230: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). CVE-2018-17282: Fixed a NULL pointer dereference in Exiv2::DataValue::copy (bsc#1109299). CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364). CVE-2018-19607: Fixed a NULL pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424). CVE-2019-13114: Fixed a NULL pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-04-10
modified	2020-04-06
plugin id	135228
published	2020-04-06
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135228
title	SUSE SLED15 / SLES15 Security Update : exiv2 (SUSE-SU-2020:0921-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:0921-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(135228); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/08"); script_cve_id("CVE-2017-1000126", "CVE-2017-9239", "CVE-2018-12264", "CVE-2018-12265", "CVE-2018-17229", "CVE-2018-17230", "CVE-2018-17282", "CVE-2018-19108", "CVE-2018-19607", "CVE-2018-9305", "CVE-2019-13114"); script_name(english:"SUSE SLED15 / SLES15 Security Update : exiv2 (SUSE-SU-2020:0921-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for exiv2 fixes the following issues : exiv2 was updated to latest 0.26 branch, fixing bugs and security issues : CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). CVE-2018-17229: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). CVE-2018-17230: Fixed a heap-based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). CVE-2018-17282: Fixed a NULL pointer dereference in Exiv2::DataValue::copy (bsc#1109299). CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364). CVE-2018-19607: Fixed a NULL pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424). CVE-2019-13114: Fixed a NULL pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1040973" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068873" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1088424" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1097599" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1097600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1109175" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1109176" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1109299" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1115364" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1117513" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1142684" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-1000126/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-9239/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-12264/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-12265/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-17229/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-17230/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-17282/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-19108/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-19607/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-9305/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-13114/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20200921-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e70efef6" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-921=1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1:zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-921=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:exiv2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:exiv2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:exiv2-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2-26"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2-26-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2-26-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libexiv2-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/26"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED15\|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp); if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"libexiv2-26-32bit-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"libexiv2-26-32bit-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"exiv2-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"exiv2-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"exiv2-debugsource-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"libexiv2-doc-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"exiv2-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"exiv2-debugsource-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"libexiv2-26-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"libexiv2-26-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"libexiv2-devel-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"libexiv2-26-32bit-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"libexiv2-26-32bit-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"exiv2-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"exiv2-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"exiv2-debugsource-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"libexiv2-doc-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"exiv2-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"exiv2-debugsource-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"libexiv2-26-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"libexiv2-26-debuginfo-0.26-6.8.1")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"libexiv2-devel-0.26-6.8.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2144.NASL
description	According to the versions of the exiv2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp.(CVE-2018-14046) - There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20096) - There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20098) - There is an infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20099) - A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.(CVE-2019-13112) - CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.(CVE-2018-17581) - In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.(CVE-2018-19535) - In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call.(CVE-2018-10958) - An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call.(CVE-2018-10998) - An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read.(CVE-2018-10999) - In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.(CVE-2018-19108) - In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.(CVE-2018-19107) - An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.(CVE-2018-17282) - exiv2 0.26 contains a Stack out of bounds read in webp parser(CVE-2017-1000126) - In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.(CVE-2017-17723) - Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp.(CVE-2018-11531) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-11-12
plugin id	130853
published	2019-11-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130853
title	EulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2144)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130853); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2017-1000126", "CVE-2017-17723", "CVE-2018-10958", "CVE-2018-10998", "CVE-2018-10999", "CVE-2018-11531", "CVE-2018-14046", "CVE-2018-17282", "CVE-2018-17581", "CVE-2018-19107", "CVE-2018-19108", "CVE-2018-19535", "CVE-2018-20096", "CVE-2018-20098", "CVE-2018-20099", "CVE-2019-13112" ); script_name(english:"EulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2144)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the exiv2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp.(CVE-2018-14046) - There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20096) - There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20098) - There is an infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.(CVE-2018-20099) - A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.(CVE-2019-13112) - CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service.(CVE-2018-17581) - In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.(CVE-2018-19535) - In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call.(CVE-2018-10958) - An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call.(CVE-2018-10998) - An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read.(CVE-2018-10999) - In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.(CVE-2018-19108) - In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.(CVE-2018-19107) - An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.(CVE-2018-17282) - exiv2 0.26 contains a Stack out of bounds read in webp parser(CVE-2017-1000126) - In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 function in image.cpp. Remote attackers can exploit this vulnerability to disclose memory data or cause a denial of service via a crafted TIFF file.(CVE-2017-17723) - Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp.(CVE-2018-11531) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2144 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1da418ef"); script_set_attribute(attribute:"solution", value: "Update the affected exiv2 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:exiv2-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["exiv2-libs-0.26-3.h9.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2"); }

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2020-482.NASL
description	This update for exiv2 fixes the following issues : exiv2 was updated to latest 0.26 branch, fixing bugs and security issues : - CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). - CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). - CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). - CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). - CVE-2018-17229: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). - CVE-2018-17230: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). - CVE-2018-17282: Fixed a NULL pointer dereference in Exiv2::DataValue::copy (bsc#1109299). - CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364). - CVE-2018-19607: Fixed a NULL pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). - CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424). - CVE-2019-13114: Fixed a NULL pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-04-16
modified	2020-04-10
plugin id	135384
published	2020-04-10
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135384
title	openSUSE Security Update : exiv2 (openSUSE-2020-482)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2020-482. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(135384); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14"); script_cve_id("CVE-2017-1000126", "CVE-2017-9239", "CVE-2018-12264", "CVE-2018-12265", "CVE-2018-17229", "CVE-2018-17230", "CVE-2018-17282", "CVE-2018-19108", "CVE-2018-19607", "CVE-2018-9305", "CVE-2019-13114"); script_name(english:"openSUSE Security Update : exiv2 (openSUSE-2020-482)"); script_summary(english:"Check for the openSUSE-2020-482 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for exiv2 fixes the following issues : exiv2 was updated to latest 0.26 branch, fixing bugs and security issues : - CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). - CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). - CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). - CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). - CVE-2018-17229: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). - CVE-2018-17230: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). - CVE-2018-17282: Fixed a NULL pointer dereference in Exiv2::DataValue::copy (bsc#1109299). - CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to infinite loop (bsc#1115364). - CVE-2018-19607: Fixed a NULL pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). - CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to to information leak or denial of service (bsc#1088424). - CVE-2019-13114: Fixed a NULL pointer dereference which might have led to denial of service via a crafted response of an malicious http server (bsc#1142684). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040973" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1068873" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1088424" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1097599" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1097600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109175" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109176" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109299" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115364" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117513" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1142684" ); script_set_attribute( attribute:"solution", value:"Update the affected exiv2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exiv2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exiv2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exiv2-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exiv2-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexiv2-26"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexiv2-26-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexiv2-26-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexiv2-26-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexiv2-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/26"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.1", reference:"exiv2-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"exiv2-debuginfo-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"exiv2-debugsource-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"exiv2-lang-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexiv2-26-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexiv2-26-debuginfo-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexiv2-devel-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libexiv2-26-32bit-0.26-lp151.7.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libexiv2-26-32bit-debuginfo-0.26-lp151.7.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2 / exiv2-debuginfo / exiv2-debugsource / exiv2-lang / etc"); }

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References