{"id":"MGASA-2021-0415","summary":"Updated exiv2 packages fix security vulnerabilities","details":"The updated exiv2 packages fix security vulnerabilities:\n\nAn assertion failure is triggered when Exiv2 is used to modify the metadata\nof a crafted image file. An attacker could potentially exploit the\nvulnerability to cause a denial of service, if they can trick the victim\ninto running Exiv2 on a crafted image file (CVE-2021-32815).\n\nAn infinite loop is triggered when Exiv2 is used to read the metadata of a\ncrafted image file. An attacker could potentially exploit the vulnerability\nto cause a denial of service, if they can trick the victim into running\nExiv2 on a crafted image file (CVE-2021-34334).\n\nA floating point exception (FPE) due to an integer divide by zero was found\nin Exiv2 versions v0.27.4 and earlier. The FPE is triggered when Exiv2 is\nused to print the metadata of a crafted image file. An attacker could\npotentially exploit the vulnerability to cause a denial of service, if they\ncan trick the victim into running Exiv2 on a crafted image file\n(CVE-2021-34335).\n\nA null pointer dereference was found in Exiv2 versions v0.27.4 and earlier.\nThe null pointer dereference is triggered when Exiv2 is used to print the\nmetadata of a crafted image file. An attacker could potentially exploit the\nvulnerability to cause a denial of service, if they can trick the victim\ninto running Exiv2 on a crafted image file (CVE-2021-37615, CVE-2021-37616).\n\nAn out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The\nout-of-bounds read is triggered when Exiv2 is used to print the metadata\nof a crafted image file. An attacker could potentially exploit\nthevulnerability to cause a denial of service, if they can trick the victim\ninto running Exiv2 on a crafted image file (CVE-2021-37618, CVE-2021-37619,\nCVE-2021-37620).\n\nAn infinite loop was found in Exiv2 versions v0.27.4 and earlier. The\ninfinite loop is triggered when Exiv2 is used to print the metadata of a\ncrafted image file. An attacker could potentially exploit the vulnerability\nto cause a denial of service, if they can trick the victim into running Exiv2\non a crafted image file (CVE-2021-37621, CVE-2021-37622, CVE-2021-37623).\n","modified":"2026-01-31T05:27:18.230794Z","published":"2021-09-04T17:01:38Z","related":["CVE-2021-32815","CVE-2021-34334","CVE-2021-34335","CVE-2021-37615","CVE-2021-37616","CVE-2021-37618","CVE-2021-37619","CVE-2021-37620","CVE-2021-37621","CVE-2021-37622","CVE-2021-37623"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0415.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29371"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-5043-1"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/"}],"affected":[{"package":{"name":"exiv2","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/exiv2?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.3-1.3.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0415.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}