Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/pull/1627
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for exiv2.

CVE-2021-29623[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. A read of
| uninitialized memory was found in Exiv2 versions v0.27.3 and earlier.
| Exiv2 is a command-line utility and C++ library for reading, writing,
| deleting, and modifying the metadata of image files. The read of
| uninitialized memory is triggered when Exiv2 is used to read the
| metadata of a crafted image file. An attacker could potentially
| exploit the vulnerability to leak a few bytes of stack memory, if they
| can trick the victim into running Exiv2 on a crafted image file. The
| bug is fixed in version v0.27.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29623
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
[1] https://github.com/Exiv2/exiv2/pull/1627
[2] https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore