SB2019120533 - Buffer overflow in exiv2 (Alpine package)
Published: December 5, 2019
Security Bulletin ID
SB2019120533
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low: 0
- Medium: 1
- High: 0
- Critical: 0
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2019-17402)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack on the target system.
The vulnerability exists due to a boundary error (out-of-bounds read) in the Exiv2::getULong() function in types.cpp when it is called from Exiv2::Internal::CiffDirectory::readDirectory() in crwimage_int.cpp: the offsets and sizes read from a CIFF directory are not validated against the total size of the data they point into. A remote attacker can pass a specially crafted CRW image to the application, trigger an out-of-bounds read and crash the application.
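As an added illustration (this is not exiv2's code and not a real CRW file), the C sketch below models the CIFF directory layout that readDirectory() walks: a heap whose last four bytes hold the directory offset, followed by a 16-bit entry count and 10-byte entries of tag, size and offset. read_directory_unchecked() mirrors the unvalidated shape, in which the offset from the trailer and the entry count are trusted; read_directory_checked() adds the bounds checks a hardened parser needs. The sample heap, the tag value 0x0805, the little-endian-only readers and the helper names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One CIFF directory entry: 2-byte tag, 4-byte size, 4-byte offset
 * (the offset is relative to the start of the enclosing heap). */
struct ciff_entry {
    uint16_t tag;
    uint32_t size;
    uint32_t offset;
};

/* Little-endian readers standing in for Exiv2::getUShort/getULong.
 * Assumption for this example: all sample data is little-endian. */
static uint16_t get_ushort_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_ulong_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE shape: the directory offset read from the trailer is
 * dereferenced without checking it against heap_size, and the entry count
 * drives the loop regardless of how many bytes remain. A trailer that says
 * "directory at 0xFFFFFFF0" makes get_ushort_le() read far outside the
 * buffer. Only call this on trusted input, or under AddressSanitizer. */
int read_directory_unchecked(const uint8_t *heap, uint32_t heap_size,
                             struct ciff_entry *out, int max_out)
{
    uint32_t o = get_ulong_le(heap + heap_size - 4);
    uint16_t count = get_ushort_le(heap + o);      /* over-read if o >= heap_size */
    int n = 0;
    o += 2;
    for (uint16_t i = 0; i < count; i++) {
        if (n < max_out) {
            out[n].tag = get_ushort_le(heap + o);
            out[n].size = get_ulong_le(heap + o + 2);
            out[n].offset = get_ulong_le(heap + o + 6);
        }
        o += 10;
        n++;
    }
    return n;
}

/* HARDENED shape: every offset is validated against the bytes that exist
 * before it is dereferenced. Checks are written as subtractions from a value
 * already known to be in range, so they cannot wrap around.
 * Returns the entry count, or -1 if the heap is malformed. */
int read_directory_checked(const uint8_t *heap, uint32_t heap_size,
                           struct ciff_entry *out, int max_out)
{
    if (heap_size < 4)
        return -1;                          /* no room for the trailer */
    uint32_t limit = heap_size - 4;         /* bytes usable before the trailer */
    uint32_t o = get_ulong_le(heap + limit);
    if (o > limit || limit - o < 2)
        return -1;                          /* entry count would be out of bounds */
    uint16_t count = get_ushort_le(heap + o);
    o += 2;                                 /* o <= limit still holds */
    int n = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (limit - o < 10)
            return -1;                      /* count promises entries that are not there */
        struct ciff_entry e;
        e.tag = get_ushort_le(heap + o);
        e.size = get_ulong_le(heap + o + 2);
        e.offset = get_ulong_le(heap + o + 6);
        if (e.size > heap_size || e.offset > heap_size - e.size)
            return -1;                      /* entry data would run past the heap */
        if (n < max_out)
            out[n] = e;
        o += 10;
        n++;
    }
    return n;
}

/* Constructed 24-byte heap (not a real CRW file): 8 bytes of entry data,
 * a 1-entry directory at 0x08, and the trailer pointing at it. */
static const uint8_t sample_good[24] = {
    'C','A','N','O','N','R','A','W',   /* 0x00: entry data */
    0x01, 0x00,                        /* 0x08: entry count = 1 */
    0x05, 0x08,                        /* 0x0a: tag 0x0805 (arbitrary) */
    0x08, 0x00, 0x00, 0x00,            /* 0x0c: size = 8 */
    0x00, 0x00, 0x00, 0x00,            /* 0x10: offset = 0 */
    0x08, 0x00, 0x00, 0x00             /* 0x14: trailer: directory at 0x08 */
};

struct ciff_entry scratch[4];

/* Verdict of the checked parser on sample_good with the 4 bytes at pos
 * overwritten by value (little-endian). Helper constructed for this example. */
int checked_verdict_with_patch(uint32_t pos, uint32_t value)
{
    uint8_t heap[sizeof sample_good];
    memcpy(heap, sample_good, sizeof heap);
    for (int i = 0; i < 4; i++)
        heap[pos + i] = (uint8_t)(value >> (8 * i));
    return read_directory_checked(heap, sizeof heap, scratch, 4);
}

int main(void)
{
    int n = read_directory_checked(sample_good, sizeof sample_good, scratch, 4);
    printf("intact heap: %d entry(s), tag 0x%04x size %u offset %u\n",
           n, scratch[0].tag, scratch[0].size, scratch[0].offset);
    printf("trailer -> 0xFFFFFFF0: %d\n", checked_verdict_with_patch(0x14, 0xFFFFFFF0u));
    printf("entry offset -> 0x14:  %d\n", checked_verdict_with_patch(0x10, 0x14));
    printf("count -> 5:            %d\n", checked_verdict_with_patch(0x08, 5));
    return 0;
}
```

The three patched heaps correspond to the three places a crafted CRW can lie: the trailer offset, an entry's offset/size pair, and the entry count. The checked parser rejects each with -1, whereas the unchecked variant would read past the buffer on the first and the third (compile with -fsanitize=address and call it on the patched copies to see the over-read reported).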
Remediation
Install the fixed exiv2 package from the Alpine package repositories (for example with `apk upgrade exiv2`); the aports commits referenced below carry the fix.
References
- https://git.alpinelinux.org/aports/commit/?id=4b80232f5a78abca62be25e8a44812437d3f11ef
- https://git.alpinelinux.org/aports/commit/?id=5f508d129e5e87f82b2c8e85793d0c5302c5ef23
- https://git.alpinelinux.org/aports/commit/?id=3e8ab963c14f906a03b0638a994acc710657355b
- https://git.alpinelinux.org/aports/commit/?id=f7de796e6aaa9b44eed3b77e1c0e66fff453d454
- https://git.alpinelinux.org/aports/commit/?id=243172b8ed91455899894296f46693ffa3d4f695
- https://git.alpinelinux.org/aports/commit/?id=3c5375cf80f0d9cec96b892955916e5f6f62d8b0
- https://git.alpinelinux.org/aports/commit/?id=bab0ca7478ac3b2bb801ceadbd71523d043174b5
- https://git.alpinelinux.org/aports/commit/?id=a1cb55c75af83953d7cb42730649b063fb88bb45