{"affected":[{"ecosystem_specific":{"binaries":[{"libexiv2-26":"0.26-6.3.1","libexiv2-devel":"0.26-6.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Desktop Applications 15","name":"exiv2","purl":"pkg:rpm/suse/exiv2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.26-6.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for exiv2 to 0.26 fixes the following security issues:\n\n- CVE-2017-14864: Prevent invalid memory address dereference in Exiv2::getULong\n  that could have caused a segmentation fault and application crash, which leads\n  to denial of service (bsc#1060995).\n- CVE-2017-14862: Prevent invalid memory address dereference in\n  Exiv2::DataValue::read that could have caused a segmentation fault and\n  application crash, which leads to denial of service (bsc#1060996).\n- CVE-2017-14859: Prevent invalid memory address dereference in\n  Exiv2::StringValueBase::read that could have caused a segmentation fault and\n  application crash, which leads to denial of service (bsc#1061000).\n- CVE-2017-14860: Prevent heap-based buffer over-read in the\n  Exiv2::Jp2Image::readMetadata function via a crafted input that could have led\n  to a denial of service attack (bsc#1061023).\n- CVE-2017-11337: Prevent invalid free in the Action::TaskFactory::cleanup\n  function via a crafted input that could have led to a remote denial of service\n  attack (bsc#1048883).\n- CVE-2017-11338: Prevent infinite loop in the Exiv2::Image::printIFDStructure\n  function via a crafted input that could have led to a remote denial of service\n  attack (bsc#1048883).\n- CVE-2017-11339: Prevent heap-based buffer overflow in the\n  Image::printIFDStructure function via a crafted input that could have led to a\n  remote denial of service attack (bsc#1048883).\n- CVE-2017-11340: Prevent segmentation fault in the XmpParser::terminate()\n  function via a crafted input that could have led to a remote denial of service\n  attack (bsc#1048883).\n- CVE-2017-12955: Prevent heap-based buffer overflow. The vulnerability caused\n  an out-of-bounds write in Exiv2::Image::printIFDStructure(), which may lead to\n  remote denial of service or possibly unspecified other impact (bsc#1054593).\n- CVE-2017-12956: Prevent illegal address access in\n  Exiv2::FileIo::path[abi:cxx11]() that could have led to remote denial of\n  service (bsc#1054592).\n- CVE-2017-12957: Prevent heap-based buffer over-read that was triggered in the\n  Exiv2::Image::io function and could have led to remote denial of service\n  (bsc#1054590).\n- CVE-2017-11683: Prevent reachable assertion in the\n  Internal::TiffReader::visitDirectory function that could have led to a remote\n  denial of service attack via crafted input (bsc#1051188).\n- CVE-2017-11591: Prevent floating point exception in the Exiv2::ValueType\n  function that could have led to a remote denial of service attack via crafted\n  input (bsc#1050257).\n- CVE-2017-11553: Prevent illegal address access in the extend_alias_table\n  function via a crafted input that could have led to remote denial of service.\n- CVE-2017-11592: Prevent mismatched memory management routines vulnerability\n  in the Exiv2::FileIo::seek function that could have led to a remote denial of\n  service attack (heap memory corruption) via crafted 
input.\n","id":"SUSE-SU-2018:1882-1","modified":"2018-07-05T06:43:05Z","published":"2018-07-05T06:43:05Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20181882-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1048883"},{"type":"REPORT","url":"https://bugzilla.suse.com/1050257"},{"type":"REPORT","url":"https://bugzilla.suse.com/1051188"},{"type":"REPORT","url":"https://bugzilla.suse.com/1054590"},{"type":"REPORT","url":"https://bugzilla.suse.com/1054592"},{"type":"REPORT","url":"https://bugzilla.suse.com/1054593"},{"type":"REPORT","url":"https://bugzilla.suse.com/1060995"},{"type":"REPORT","url":"https://bugzilla.suse.com/1060996"},{"type":"REPORT","url":"https://bugzilla.suse.com/1061000"},{"type":"REPORT","url":"https://bugzilla.suse.com/1061023"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11337"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11338"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11339"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11340"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11553"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11591"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11592"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-11683"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-12955"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-12956"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-12957"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-14859"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-14860"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-14862"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-14864"}],"related":["CVE-2017-11337","CVE-2017-11338","CVE-2017-11339","CVE-2017-11340","CVE-2017-11553","
CVE-2017-11591","CVE-2017-11592","CVE-2017-11683","CVE-2017-12955","CVE-2017-12956","CVE-2017-12957","CVE-2017-14859","CVE-2017-14860","CVE-2017-14862","CVE-2017-14864"],"summary":"Security update for exiv2","upstream":["CVE-2017-11337","CVE-2017-11338","CVE-2017-11339","CVE-2017-11340","CVE-2017-11553","CVE-2017-11591","CVE-2017-11592","CVE-2017-11683","CVE-2017-12955","CVE-2017-12956","CVE-2017-12957","CVE-2017-14859","CVE-2017-14860","CVE-2017-14862","CVE-2017-14864"]}
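Added example, not part of the SUSE advisory or the OSV record above. The record's `ranges` entry says every build of the listed binaries before `0.26-6.3.1` is vulnerable, and deciding whether an installed RPM falls inside `[introduced, fixed)` needs RPM's own version ordering rather than a string or float comparison (release `6.10.1` is newer than `6.3.1`; `1.0~rc1` is older than `1.0`). The Python below re-implements the `rpmvercmp()` algorithm from the rpm sources (this port is the author's assumption; on a real host the `rpm` Python bindings' `rpm.labelCompare` are authoritative), splits `epoch:version-release`, and checks constructed `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` output against the record's `binaries` and `ranges`. The sample query output is constructed for the example.

```python
# Subset of the OSV record above (SUSE-SU-2018:1882-1): the binaries the
# advisory ships and the ECOSYSTEM range in which they are vulnerable.
OSV_AFFECTED = {
    "binaries": ["libexiv2-26", "libexiv2-devel"],
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "0.26-6.3.1"}]}],
}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpmvercmp() from rpm/rpmio/rpmvercmp.c (hand-rolled here, an
    assumption; not the rpm bindings). Strings are compared segment by
    segment: runs of digits numerically (leading zeros ignored), runs of
    letters lexically; a digit segment beats a letter segment; '~' sorts
    before anything including end-of-string; '^' sorts after end-of-string
    but before any other segment. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators such as '.', '-', '_' carry no ordering of their own
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        kind = str.isdigit if ca.isdigit() else str.isalpha
        ei, ej = i, j
        while ei < len(a) and kind(a[ei]):
            ei += 1
        while ej < len(b) and kind(b[ej]):
            ej += 1
        sa, sb = a[i:ei], b[j:ej]
        if not sb:                        # segment types differ: digits win
            return 1 if kind is str.isdigit else -1
        if kind is str.isdigit:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # the longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ei, ej
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch, rest = "0", evr
    if ":" in evr:
        epoch, rest = evr.split(":", 1)
    version, _, release = rest.rpartition("-")
    if not version:                       # no '-' at all: everything is the version
        version, release = release, ""
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Epoch, then version, then release, each with rpmvercmp()."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_affected(installed_evr: str, affected=OSV_AFFECTED) -> bool:
    """True if installed_evr lies in some [introduced, fixed) ECOSYSTEM range.
    Only 'introduced'/'fixed' events are handled; 'introduced': '0' means
    every version since the beginning; a missing 'fixed' means still open."""
    for rng in affected["ranges"]:
        if rng["type"] != "ECOSYSTEM":
            continue
        introduced = None
        for ev in rng["events"] + [{}]:   # trailing {} flushes an open range
            if "introduced" in ev:
                introduced = ev["introduced"]
                continue
            if introduced is None:
                continue
            fixed = ev.get("fixed")
            lo_ok = introduced == "0" or evr_compare(installed_evr, introduced) >= 0
            hi_ok = fixed is None or evr_compare(installed_evr, fixed) < 0
            if lo_ok and hi_ok:
                return True
            introduced = None
    return False


# Constructed sample of: rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
libexiv2-26 0:0.26-6.2.1
libexiv2-devel 0:0.26-6.3.1
exiv2 0:0.26-6.2.1
"""


def audit_installed(rpm_qa_output: str, affected=OSV_AFFECTED) -> dict:
    """Map each installed binary named in the record to True (still in the
    vulnerable range) or False (at or past the fix). Packages the record
    does not list (here the exiv2 CLI) are left out rather than guessed at."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split(maxsplit=1)
            if name in affected["binaries"]:
                result[name] = is_affected(evr, affected)
    return result


if __name__ == "__main__":
    for name, vulnerable in audit_installed(SAMPLE_RPM_QA).items():
        print(f"{name}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

With the sample above, `libexiv2-26` at `0.26-6.2.1` is reported vulnerable and `libexiv2-devel` at `0.26-6.3.1` as fixed; a release such as `6.10.1` is correctly treated as newer than the fix, and an explicit non-zero epoch outranks everything after it, exactly as rpm orders packages.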