[USN-4964-1] Exiv2 vulnerabilities

Leonidas S. Barbosa leo.barbosa at canonical.com
Tue May 25 15:23:11 UTC 2021


==========================================================================
Ubuntu Security Notice USN-4964-1
May 25, 2021

exiv2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Exiv2.

Software Description:
- exiv2: EXIF/IPTC/XMP metadata manipulation tool

Details:

It was discovered that Exiv2 incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10 and Ubuntu 21.04.
(CVE-2021-29463)

It was discovered that Exiv2 incorrectly handled certain files.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10 and Ubuntu 21.04.
(CVE-2021-29464)

It was discovered that Exiv2 incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2021-29473, CVE-2021-32617)

It was discovered that Exiv2 incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10 and Ubuntu 21.04.
(CVE-2021-29623)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
  exiv2                           0.27.3-3ubuntu1.3
  libexiv2-27                     0.27.3-3ubuntu1.3

Ubuntu 20.10:
  exiv2                           0.27.3-3ubuntu0.4
  libexiv2-27                     0.27.3-3ubuntu0.4

Ubuntu 20.04 LTS:
  exiv2                           0.27.2-8ubuntu2.4
  libexiv2-27                     0.27.2-8ubuntu2.4

Ubuntu 18.04 LTS:
  exiv2                           0.25-3.1ubuntu0.18.04.9
  libexiv2-14                     0.25-3.1ubuntu0.18.04.9

Ubuntu 16.04 ESM:
  exiv2                           0.25-2.1ubuntu16.04.7+esm2
  libexiv2-14                     0.25-2.1ubuntu16.04.7+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4964-1
  CVE-2021-29463, CVE-2021-29464, CVE-2021-29473, CVE-2021-29623,
  CVE-2021-32617

Package Information:
  https://launchpad.net/ubuntu/+source/exiv2/0.27.3-3ubuntu1.3
  https://launchpad.net/ubuntu/+source/exiv2/0.27.3-3ubuntu0.4
  https://launchpad.net/ubuntu/+source/exiv2/0.27.2-8ubuntu2.4
  https://launchpad.net/ubuntu/+source/exiv2/0.25-3.1ubuntu0.18.04.9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20210525/20c25598/attachment.sig>


More information about the ubuntu-security-announce mailing list