{"id":"USN-8103-2","summary":"exiv2 regression","details":"USN-8103-1 fixed vulnerabilities in Exiv2. The update caused a regression\nfor Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and\nUbuntu 25.10. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that Exiv2 did not correctly handle reading certain\n buffers. An attacker could possibly use this issue to leak sensitive\n information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04\n LTS. (CVE-2020-18771)\n\n Wen Cheng discovered that Exiv2 did not correctly handle certain memory\n allocation. If a user or system were tricked into opening a specially\n crafted file, an attacker could possibly use this issue to cause a denial\n of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.\n (CVE-2020-18899)\n\n It was discovered that Exiv2 did not correctly handle writing certain\n metadata. If a user or system were tricked into opening a specially crafted\n file, an attacker could possibly use this issue to cause a denial of\n service. (CVE-2025-54080)\n\n It was discovered that Exiv2 did not correctly handle parsing certain\n metadata. If a user or system were tricked into opening a specially crafted\n file, an attacker could possibly use this issue to cause a denial of\n service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,\n Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-55304)\n\n It was discovered that Exiv2 did not correctly handle parsing certain\n images. If a user or system were tricked into opening a specially crafted\n file, an attacker could possibly use this issue to cause a denial of\n service. (CVE-2026-25884)\n\n It was discovered that Exiv2 did not correctly handle previewing certain\n images. An attacker could possibly use this issue to cause a denial of\n service. (CVE-2026-27596)\n\n It was discovered that Exiv2 did not correctly handle certain integer\n arithmetic. An attacker could possibly use this issue to cause a denial of\n service. (CVE-2026-27631)","modified":"2026-03-20T06:46:24.400617Z","published":"2026-03-19T07:08:49Z","upstream":["CVE-2025-55304","UBUNTU-CVE-2025-55304"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8103-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-55304"},{"type":"REPORT","url":"https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/2144731"}],"affected":[{"package":{"name":"exiv2","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.2-8ubuntu2.7+esm3?arch=source&distro=esm-infra/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.2-8ubuntu2.7+esm3"}]}],"versions":["0.25-4ubuntu2","0.25-4ubuntu3","0.27.2-8ubuntu2","0.27.2-8ubuntu2.2","0.27.2-8ubuntu2.4","0.27.2-8ubuntu2.5","0.27.2-8ubuntu2.6","0.27.2-8ubuntu2.7","0.27.2-8ubuntu2.7+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"exiv2","binary_version":"0.27.2-8ubuntu2.7+esm3"},{"binary_name":"libexiv2-27","binary_version":"0.27.2-8ubuntu2.7+esm3"},{"binary_name":"libexiv2-dev","binary_version":"0.27.2-8ubuntu2.7+esm3"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json","cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2025-55304"}]}}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.5-3ubuntu1.3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.5-3ubuntu1.3"}]}],"versions":["0.27.3-3ubuntu4","0.27.3-3.1ubuntu1","0.27.5-1ubuntu1","0.27.5-3ubuntu1","0.27.5-3ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"exiv2","binary_version":"0.27.5-3ubuntu1.3"},{"binary_name":"libexiv2-27","binary_version":"0.27.5-3ubuntu1.3"},{"binary_name":"libexiv2-dev","binary_version":"0.27.5-3ubuntu1.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json","cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2025-55304"}]}}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.6-1ubuntu0.3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.6-1ubuntu0.3"}]}],"versions":["0.27.6-1","0.27.6-1build1","0.27.6-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"exiv2","binary_version":"0.27.6-1ubuntu0.3"},{"binary_name":"libexiv2-27","binary_version":"0.27.6-1ubuntu0.3"},{"binary_name":"libexiv2-dev","binary_version":"0.27.6-1ubuntu0.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json","cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2025-55304"}]}}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/exiv2@0.28.5+dfsg-1ubuntu0.3?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.28.5+dfsg-1ubuntu0.3"}]}],"versions":["0.28.5+dfsg-1","0.28.5+dfsg-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"exiv2","binary_version":"0.28.5+dfsg-1ubuntu0.3"},{"binary_name":"libexiv2-28","binary_version":"0.28.5+dfsg-1ubuntu0.3"},{"binary_name":"libexiv2-data","binary_version":"0.28.5+dfsg-1ubuntu0.3"},{"binary_name":"libexiv2-dev","binary_version":"0.28.5+dfsg-1ubuntu0.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json","cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2025-55304"}]}}}],"schema_version":"1.7.5"}