Vulnerabilities > CVE-2018-11531 - Out-of-bounds Write vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130853);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2017-1000126",
    "CVE-2017-17723",
    "CVE-2018-10958",
    "CVE-2018-10998",
    "CVE-2018-10999",
    "CVE-2018-11531",
    "CVE-2018-14046",
    "CVE-2018-17282",
    "CVE-2018-17581",
    "CVE-2018-19107",
    "CVE-2018-19108",
    "CVE-2018-19535",
    "CVE-2018-20096",
    "CVE-2018-20098",
    "CVE-2018-20099",
    "CVE-2019-13112"
  );

  script_name(english:"EulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2144)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the exiv2 package installed, the EulerOS
installation on the remote host is affected by the following
vulnerabilities :

  - Exiv2 0.26 has a heap-based buffer over-read in
    WebPImage::decodeChunks in
    webpimage.cpp.(CVE-2018-14046)

  - There is a heap-based buffer over-read in the
    Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2
    0.27-RC3. A crafted input will lead to a remote denial
    of service attack.(CVE-2018-20096)

  - There is a heap-based buffer over-read in
    Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in
    Exiv2 0.27-RC3. A crafted input will lead to a remote
    denial of service attack.(CVE-2018-20098)

  - There is an infinite loop in
    Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in
    Exiv2 0.27-RC3. A crafted input will lead to a remote
    denial of service attack.(CVE-2018-20099)

  - A PngChunk::parseChunkContent uncontrolled memory
    allocation in Exiv2 through 0.27.1 allows an attacker
    to cause a denial of service (crash due to an
    std::bad_alloc exception) via a crafted PNG image
    file.(CVE-2019-13112)

  - CiffDirectory::readDirectory() at crwimage_int.cpp in
    Exiv2 0.26 has excessive stack consumption due to a
    recursive function, leading to Denial of
    service.(CVE-2018-17581)

  - In Exiv2 0.26 and previous versions,
    PngChunk::readRawProfile in pngchunk_int.cpp may cause
    a denial of service (application crash due to a
    heap-based buffer over-read) via a crafted PNG
    file.(CVE-2018-19535)

  - In types.cpp in Exiv2 0.26, a large size value may lead
    to a SIGABRT during an attempt at memory allocation for
    an Exiv2::Internal::PngChunk::zlibUncompress
    call.(CVE-2018-10958)

  - An issue was discovered in Exiv2 0.26. readMetadata in
    jp2image.cpp allows remote attackers to cause a denial
    of service (SIGABRT) by triggering an incorrect
    Safe::add call.(CVE-2018-10998)

  - An issue was discovered in Exiv2 0.26. The
    Exiv2::Internal::PngChunk::parseTXTChunk function has a
    heap-based buffer over-read.(CVE-2018-10999)

  - In Exiv2 0.26, Exiv2::PsdImage::readMetadata in
    psdimage.cpp in the PSD image reader may suffer from a
    denial of service (infinite loop) caused by an integer
    overflow via a crafted PSD image file.(CVE-2018-19108)

  - In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp
    (called from psdimage.cpp in the PSD image reader) may
    suffer from a denial of service (heap-based buffer
    over-read) caused by an integer overflow via a crafted
    PSD image file.(CVE-2018-19107)

  - An issue was discovered in Exiv2 v0.26. The function
    Exiv2::DataValue::copy in value.cpp has a NULL pointer
    dereference.(CVE-2018-17282)

  - exiv2 0.26 contains a Stack out of bounds read in webp
    parser(CVE-2017-1000126)

  - In Exiv2 0.26, there is a heap-based buffer over-read
    in the Exiv2::Image::byteSwap4 function in image.cpp.
    Remote attackers can exploit this vulnerability to
    disclose memory data or cause a denial of service via a
    crafted TIFF file.(CVE-2017-17723)

  - Exiv2 0.26 has a heap-based buffer overflow in getData
    in preview.cpp.(CVE-2018-11531)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2144
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1da418ef");
  script_set_attribute(attribute:"solution", value:
"Update the affected exiv2 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:exiv2-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["exiv2-libs-0.26-3.h9.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1402-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110728);
  script_version("1.2");
  script_cvs_date("Date: 2018/08/31 12:25:01");

  script_cve_id("CVE-2018-10958", "CVE-2018-10998", "CVE-2018-10999", "CVE-2018-11531", "CVE-2018-12264", "CVE-2018-12265");

  script_name(english:"Debian DLA-1402-1 : exiv2 security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in exiv2, a C++ library
and a command line utility to manage image metadata, resulting in
denial of service, heap-based buffer over-read/overflow, memory
exhaustion, and application crash.

For Debian 8 'Jessie', these problems have been fixed in version
0.24-4.1+deb8u1.

We recommend that you upgrade your exiv2 packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2018/06/msg00010.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/exiv2"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exiv2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-13");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/06/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"exiv2", reference:"0.24-4.1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libexiv2-13", reference:"0.24-4.1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libexiv2-dbg", reference:"0.24-4.1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libexiv2-dev", reference:"0.24-4.1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libexiv2-doc", reference:"0.24-4.1+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3700-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110922);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2018-10958", "CVE-2018-10998", "CVE-2018-10999", "CVE-2018-11531", "CVE-2018-12264", "CVE-2018-12265");
  script_xref(name:"USN", value:"3700-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : exiv2 vulnerabilities (USN-3700-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that Exiv2 incorrectly handled certain files. An
attacker could possibly use this to cause a denial of service.
(CVE-2018-10958, CVE-2018-10998)

It was discovered that Exiv2 incorrectly handled certain PNG files. An
attacker could possibly use this to access sensitive information.
(CVE-2018-10999)

It was discovered that Exiv2 incorrectly handled certain files. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-11531)

It was discovered that Exiv2 incorrectly handled certain files. An
attacker could possibly use this to access sensitive information.
(CVE-2018-12264, CVE-2018-12265).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3700-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected exiv2, libexiv2-12 and / or libexiv2-14 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exiv2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libexiv2-12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libexiv2-14");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|17\.10|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10 / 18.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"exiv2", pkgver:"0.23-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"libexiv2-12", pkgver:"0.23-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"exiv2", pkgver:"0.25-2.1ubuntu16.04.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libexiv2-14", pkgver:"0.25-2.1ubuntu16.04.2")) flag++;
if (ubuntu_check(osver:"17.10", pkgname:"exiv2", pkgver:"0.25-3.1ubuntu0.17.10.1")) flag++;
if (ubuntu_check(osver:"17.10", pkgname:"libexiv2-14", pkgver:"0.25-3.1ubuntu0.17.10.1")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"exiv2", pkgver:"0.25-3.1ubuntu0.18.04.1")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"libexiv2-14", pkgver:"0.25-3.1ubuntu0.18.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2 / libexiv2-12 / libexiv2-14");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201811-14.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(119134);
  script_version("1.1");
  script_cvs_date("Date: 2018/11/26 11:02:12");

  script_cve_id("CVE-2017-17723", "CVE-2017-17724", "CVE-2018-10780", "CVE-2018-10958", "CVE-2018-10998", "CVE-2018-10999", "CVE-2018-11037", "CVE-2018-11531", "CVE-2018-12264", "CVE-2018-12265", "CVE-2018-5772", "CVE-2018-8976", "CVE-2018-8977", "CVE-2018-9144", "CVE-2018-9145", "CVE-2018-9146", "CVE-2018-9303", "CVE-2018-9304", "CVE-2018-9305", "CVE-2018-9306");
  script_xref(name:"GLSA", value:"201811-14");

  script_name(english:"GLSA-201811-14 : Exiv2: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201811-14
(Exiv2: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Exiv2. Please review
      the CVE identifiers referenced below for details.
  
Impact :

    A remote attacker could cause a Denial of Service condition or obtain
      sensitive information via a specially crafted file.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201811-14"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All Exiv2 users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose
      '>=media-gfx/exiv2-0.26_p20180811-r3'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:exiv2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"media-gfx/exiv2", unaffected:make_list("ge 0.26_p20180811-r3"), vulnerable:make_list("lt 0.26_p20180811-r3"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Exiv2");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4238. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110910);
  script_version("1.4");
  script_cvs_date("Date: 2018/11/13 12:30:47");

  script_cve_id("CVE-2018-10958", "CVE-2018-10998", "CVE-2018-10999", "CVE-2018-11531", "CVE-2018-12264", "CVE-2018-12265");
  script_xref(name:"DSA", value:"4238");

  script_name(english:"Debian DSA-4238-1 : exiv2 - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in Exiv2, a C++ library
and a command line utility to manage image metadata which could result
in denial of service or the execution of arbitrary code if a malformed
file is parsed."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/exiv2"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/exiv2"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2018/dsa-4238"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the exiv2 packages.

For the stable distribution (stretch), these problems have been fixed
in version 0.25-3.1+deb9u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exiv2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"9.0", prefix:"exiv2", reference:"0.25-3.1+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libexiv2-14", reference:"0.25-3.1+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libexiv2-dbg", reference:"0.25-3.1+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libexiv2-dev", reference:"0.25-3.1+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libexiv2-doc", reference:"0.25-3.1+deb9u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");