FEDORA-2018-8b67a5c7e2 created by jgrulich 2 years ago for Fedora 28
stable

Exiv2 update with security fixes.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-8b67a5c7e2

This update has been submitted for testing by jgrulich.

2 years ago

jgrulich edited this update.

2 years ago

jgrulich edited this update.

2 years ago

jgrulich edited this update.

2 years ago

hello jgrulich, thank you for your effort!

tldr: Which CPEs have been fixed with this release?

I am confused regarding which CVEs have been fixed in this release. The related Bugs reference 14 CVEs: CVE-2017-17669, CVE-2017-17724, CVE-2017-9953, CVE-2018-10958, CVE-2018-10998, CVE-2018-10999, CVE-2018-11037, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046, CVE-2018-9144, CVE-2018-9145, CVE-2018-9146, CVE-2018-9305

However, the Changelog (https://koji.fedoraproject.org/koji/search?terms=exiv2-0.26-12.fc28&type=build&match=glob) suggests that these CVEs have been fixed: CVE-2017-17723, CVE-2017-17725, CVE-2018-10958, CVE-2018-10998, CVE-2018-11531, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046, CVE-2018-5772, CVE-2018-8976, CVE-2018-8977, CVE-2018-9144.

The 5 CVEs CVE-2018-10958, CVE-2018-10998, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046 are referenced in the related bugs and the changelog.

The 3 CVEs CVE-2017-17723, CVE-2017-17725, CVE-2018-5772 referenced in the changelog have already been addressed in a previous exiv release (see FEDORA-2018-fc9c5969b4).

I backported those changes from RHEL, where I addressed CVEs mentioned in changelog and I was a bit lazy to check what CVEs have been already addressed in Fedora (my fault). I first added all CVEs mentioned in the changelog and then I went through some CVEs in bugzilla and added related ones (e.g. those in PrintStructures() which are under multiple CVEs from what I remember).

This update has been pushed to testing.

2 years ago
cserpentis commented & provided feedback 2 years ago

works for me

pwalter commented & provided feedback 2 years ago

Works

hreindl commented & provided feedback 2 years ago

works for me

This update has been submitted for batched by bodhi.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago

Metadata
Type: security
Severity: high
Karma: 3
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago
BZ#561214 Ch 4. Redundant Array of Independent Disks (RAID) - Anaconda screenshots / references needs updating
BZ#584862 SELinux is preventing /usr/libexec/gdm-session-worker "add_name" access on .dmrc.MTJ1BV.
BZ#1469771 CVE-2017-9953 exiv2: Segmentation fault in Image::printIFDStructure [fedora-all]
BZ#1526053 CVE-2017-17669 exiv2: Heap-based buffer over-read in PngChunk::keyTXTChunk function of pngchunk_int.cpp [fedora-all]
BZ#1545238 CVE-2017-17724 exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp [fedora-all]
BZ#1564279 CVE-2018-9144 CVE-2018-9145 CVE-2018-9146 exiv2: various flaws [fedora-all]
BZ#1566735 CVE-2018-9305 exiv2: out of bounds read in IptcData::printStructure in iptc.c
BZ#1578661 CVE-2018-10958 exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() [fedora-all]
BZ#1579486 CVE-2018-10998 CVE-2018-10999 CVE-2018-11037 exiv2: various flaws [fedora-all]
BZ#1590995 CVE-2018-12264 exiv2: integer overflow in getData function in preview.cpp [fedora-all]
BZ#1590998 CVE-2018-12265 exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp [fedora-all]
BZ#1601629 CVE-2018-14046 exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp [fedora-all]