security update in Fedora 28 for exiv2

Status: stable a year ago

Exiv2 update with security fixes.

Comments 13

This update has been submitted for testing by jgrulich.

jgrulich edited this update.

jgrulich edited this update.

jgrulich edited this update.

hello jgrulich, thank you for your effort!

tldr: Which CPEs have been fixed with this release?

I am confused regarding which CVEs have been fixed in this release. The related Bugs reference 14 CVEs: CVE-2017-17669, CVE-2017-17724, CVE-2017-9953, CVE-2018-10958, CVE-2018-10998, CVE-2018-10999, CVE-2018-11037, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046, CVE-2018-9144, CVE-2018-9145, CVE-2018-9146, CVE-2018-9305

However, the Chanelog (https://koji.fedoraproject.org/koji/search?terms=exiv2-0.26-12.fc28&type=build&match=glob) suggests that these CVEs have been fixed: CVE-2017-17723, CVE-2017-17725, CVE-2018-10958, CVE-2018-10998, CVE-2018-11531, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046, CVE-2018-5772, CVE-2018-8976, CVE-2018-8977, CVE-2018-9144.

The 5 CVEs CVE-2018-10958, CVE-2018-10998, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046 are referenced in the reladet bugs and the changelog.

The 3 CVEs CVE-2017-17723, CVE-2017-17725, CVE-2018-5772 referenced in the changelog have already been addressed in a previous exiv release (see FEDORA-2018-fc9c5969b4).

I backported those changes from RHEL, where I adressed CVEs mentioned in changelog and I was a bit lazy to check what CVEs has been already adressed in Fedora (my fault). I first added all CVEs mentioned in the changelog and then I went through some CVEs in bugzilla and added related ones (e.g. those in PrintStructures() which are under multiple CVEs from what I remember.

This update has been pushed to testing.

works for me

karma: +1


karma: +1

works for me

karma: +1

This update has been submitted for batched by bodhi.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
Test Gating
Submitted by
Update Type
Update Severity
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Autopush (time)
submitted a year ago
in testing a year ago
in stable a year ago
modified a year ago

Related Bugs 12

00 #561214 Ch 4. Redundant Array of Independent Disks (RAID) - Anaconda screenshots / references needs updating
00 #584862 SELinux is preventing /usr/libexec/gdm-session-worker "add_name" access on .dmrc.MTJ1BV.
00 #1469771 CVE-2017-9953 exiv2: Segmentation fault in Image::printIFDStructure [fedora-all]
00 #1526053 CVE-2017-17669 exiv2: Heap-based buffer over-read in PngChunk::keyTXTChunk function of pngchunk_int.cpp [fedora-all]
00 #1545238 CVE-2017-17724 exiv2: heap-buffer-overflow in Exiv2::IptcData::printStructure in src/iptc.cpp [fedora-all]
00 #1564279 CVE-2018-9144 CVE-2018-9145 CVE-2018-9146 exiv2: various flaws [fedora-all]
00 #1566735 CVE-2018-9305 exiv2: out of bounds read in IptcData::printStructure in iptc.c
00 #1578661 CVE-2018-10958 exiv2: SIGABRT caused by memory allocation in types.cpp:Exiv2::Internal::PngChunk::zlibUncompress() [fedora-all]
00 #1579486 CVE-2018-10998 CVE-2018-10999 CVE-2018-11037 exiv2: various flaws [fedora-all]
00 #1590995 CVE-2018-12264 exiv2: integer overflow in getData function in preview.cpp [fedora-all]
00 #1590998 CVE-2018-12265 exiv2: integer overflow in the LoaderExifJpeg class in preview.cpp [fedora-all]
00 #1601629 CVE-2018-14046 exiv2: heap-based buffer over-read in WebPImage::decodeChunks in webpimage.cpp [fedora-all]

Automated Test Results