Overview

File _patchinfo of Package patchinfo.7392

<patchinfo incident="7392">
  <issue id="1061003" tracker="bnc">VUL-0: CVE-2017-14865: exiv2: It is a heap-buffer-overflow in Exiv2::us2Data (types.cpp:346)</issue>
  <issue id="1051188" tracker="bnc">VUL-1: CVE-2017-11683: exiv2: DoS via triggered assertion in  tiffvisitor.cpp</issue>
  <issue id="1060996" tracker="bnc">VUL-0: CVE-2017-14862: exiv2: Invalid memory address dereference in Exiv2::DataValue::read (value.cpp:193)</issue>
  <issue id="1061000" tracker="bnc">VUL-0: CVE-2017-14859: exiv2: Invalid memory address dereference in Exiv2::StringValueBase::read ( in value.cpp:302)</issue>
  <issue id="1050257" tracker="bnc">VUL-1: CVE-2017-11591: exiv2: Floating point exception in Exiv2::ValueType</issue>
  <issue id="2017-11683" tracker="cve" />
  <issue id="2017-14862" tracker="cve" />
  <issue id="2017-14859" tracker="cve" />
  <issue id="2017-14865" tracker="cve" />
  <issue id="2017-11591" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>dirkmueller</packager>
  <description>

This update for exiv2 fixes the following issues:

Security issues fixed:

- CVE-2017-11591: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. (boo#1050257)
- CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.  (boo#1051188)
- CVE-2017-14865: There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. (boo#1061003)
- CVE-2017-14862: An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (boo#1060996)
- CVE-2017-14859: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (boo#1061000)

</description>
  <summary>Security update for exiv2</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places