UbuntuUpdates.org

Package "exiv2"

Name: exiv2

Description:

EXIF/IPTC/XMP metadata manipulation tool
Latest version: 0.27.2-8ubuntu2.7
Release: focal (20.04)
Level: security
Repository: universe
Homepage: https://www.exiv2.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "exiv2"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "exiv2" in Focal

Repository Area Version
base main 0.27.2-8ubuntu2
base universe 0.27.2-8ubuntu2
security main 0.27.2-8ubuntu2.7
updates main 0.27.2-8ubuntu2.7
updates universe 0.27.2-8ubuntu2.7

Changelog

Version: 0.27.2-8ubuntu2.7 2022-01-11 14:07:13 UTC

  exiv2 (0.27.2-8ubuntu2.7) focal-security; urgency=medium

  * SECURITY REGRESSION: fix out of range access
  * Bugfix: Fix regression introduced when fixing CVE-2021-37620 (LP:
    #1941752)
    - debian/patches/CVE-2021-37620-4.patch: fix out of range access
    - debian/patches/CVE-2021-37620-5.patch: backport to C++98

 -- Simon Schmeißer <email address hidden> Thu, 30 Dec 2021 21:40:13 +0100
Source diff to previous version
CVE-2021-37620 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was

Version: 0.27.2-8ubuntu2.6 2021-08-17 19:06:24 UTC

  exiv2 (0.27.2-8ubuntu2.6) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-32815-*.patch: adds a check of sizes, adds
      regression test, adds msgs prints for DEBUG flags in
      src/crwimage_int.cpp.
    - CVE-2021-32815
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-34334-*.patch: adds regression test, adds
      an extra checking to prevent the loop counter from wrapping around in
      crwimage_int.cpp; adds defensive code to avoid integer overflow in loop
      conditions in src/actions.cpp, src/basicio.cpp, src/convert.cpp,
      src/exif.cpp, src/exvi2.cpp, src/iptc.cpp, src/preview.cpp,
      src/tags_int.cpp, src/tiffcomposite_int.cpp, src/types.cpp,
      src/xmp.cpp, src/xmpsidecar.cpp; adds a better fix for a potential
      integer overflow in bytes.size() in src/iptc.cpp; changes type of
      escapeStart to size_t in src/exiv2.cpp; fix warning comparison of
      integer expressions of different signedness in src/iptc.cpp,
      src/tags_int.cpp.
    - CVE-2021-34334
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-34335-*.patch: adds regression test;
      prevent divide-by-zero crash in src/minoltamn_int.cpp; adds defensive
      code in include/exiv2/value.hpp, src/tags_int.cpp.
    - CVE-2021-34335
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-37615-37616-*.patch: adds regression test;
      throw exception if lens info wasn't found in src/pentaxmn_int.cpp;
      adds a check to findKey din't return end() in src/convert.cpp,
      src/crwimage_int.cpp, src/exif.cpp, src/iptc.cpp, src/xmp.cpp.
    - CVE-2021-37615
    - CVE-2021-37616
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2021-37618-*.patch: adds regression test; adds
      a better bounds checking for Jp2Image::printStructure in
      src/jp2image.cpp.
    - CVE-2021-37618
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2021-37619-*.patch: adds regression test;
      fix incorrect loop condition in src/jp2image.cpp.
    - CVE-2021-37619
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2021-37620-*.patch: adds regression test;
      check that type isn't an empty string in src/values.cpp and
      adds safer vector indexing in multiples files in src/*.
    - CVE-2021-37620
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2021-37621-*.patch: adds regression test;
      checks dirlength to avoid infinite loop and adds some defensive code in
      src/image.cpp.
    - CVE-2021-37621
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2021-37622-*.patch: adds regression test; makes sure
      that read is complete to prevent infinite loop and remove dedundant
      check in src/jpgimage.cpp.
    - CVE-2021-37622
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-37623-1.patch: adds regression test.
    - debian/patches/CVE-2021-37623-2.patch: adjusts bufRead after seek() to
      avoid a infinite loop in src/jpgimage.cpp.
    - CVE-2021-37623
  * debian/patches/fix_enforce_include.patch: includes enforce in
    crwimage_int.cpp.

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 12 Aug 2021 13:18:13 -0300
Source diff to previous version
CVE-2021-32815 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The assertion failure is t
CVE-2021-34334 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is trigge
CVE-2021-34335 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A floating point exception
CVE-2021-37615 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference
CVE-2021-37616 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference
CVE-2021-37618 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was
CVE-2021-37619 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was
CVE-2021-37620 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was
CVE-2021-37621 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found
CVE-2021-37622 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found
CVE-2021-37623 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found

Version: 0.27.2-8ubuntu2.5 2021-08-02 19:06:29 UTC

  exiv2 (0.27.2-8ubuntu2.5) focal-security; urgency=medium

  * SECURITY UPDATE: Buffer Overflow
    - debian/patches/CVE-2021-31291.patch: fix out of buffer checking limit
      and throw exception in case box is broken in src/jp2image.cpp.
    - CVE-2021-31291

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 28 Jul 2021 12:23:12 -0300
Source diff to previous version
CVE-2021-31291 A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata.

Version: 0.27.2-8ubuntu2.4 2021-05-25 16:06:29 UTC

  exiv2 (0.27.2-8ubuntu2.4) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-29463.patch: Improve bound checking in
      WebPImage::doWriteMetadata() in src/webpimage.cpp.
    - CVE-2021-29463
  * SECURITY UPDATE: Heap buffer overflow
    - debian/patches/CVE-2021-29464.patch: better bounds checking in
      Jp2Image::encodeJp2Header() in src/jp2image.cpp.
    - CVE-2021-29464
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-29473.patch: Add bounds check in
      Jp2Image::doWriteMetadata() in src/jp2image.cpp.
    - CVE-2021-29473
  * SECURITY UPDATE: Leak bytes of stack memory
    - debian/patches/CVE-2021-29623.patch: Use readOrThrow to check error
      conditions of iIo.read() src/webpimage.cpp.
    - CVE-2021-29623
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-32617.patch: Fix quadratic complexity performance bug
      in xmpsdk/src/XMPMeta-Parse.cpp.
    - CVE-2021-32617

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 24 May 2021 10:52:19 -0300
Source diff to previous version
CVE-2021-29463 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was
CVE-2021-29464 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was
CVE-2021-29473 Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was
CVE-2021-29623 Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized m
CVE-2021-32617 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (

Version: 0.27.2-8ubuntu2.2 2021-05-10 20:07:32 UTC

  exiv2 (0.27.2-8ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow
    - debian/patches/CVE-2021-3482-*.patch: fix buffer overflow
      in src/jp2image.cpp and adds tests test/data/poc_1522.jp2,
      tests/bugfixes/github/test_issue_1522.py.
    - debian/source/include-binaries: add poc_1522.jp2 entry.
    - CVE-2021-3482
  * SECURITY UPDATE: An out of buffer access
    - debian/patches/CVE-2021-29457.patch: fix in src/jp2image.cpp
      (LP: #1923479)
    - CVE-2021-29457
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-29458.patch: fix in src/crwimage_int.cpp
      (LP: #1923479)
    - CVE-2021-29458
  * SECURITY UPDATE: Out-of-bounds
    - debian/patches/CVE-2021-29470-*.patch: Add more bound checks in
      Jp2Image::encodeJp2Header and add some tests from/for github.
    - CVE-2021-29470

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 13 Apr 2021 09:49:39 -0300
1923479 out of buffer access and Integer overflow in Exiv2
CVE-2021-3482 A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetada
CVE-2021-29457 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was
CVE-2021-29458 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was
CVE-2021-29470 Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was


About   -   Send Feedback to @ubuntu_updates