[Pkg-kde-extras] Bug#1055470: exiv2: CVE-2023-44398

Salvatore Bonaccorso carnil at debian.org
Mon Nov 6 21:14:11 GMT 2023


Source: exiv2
Version: 0.28.0+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for exiv2.

CVE-2023-44398[0]:
| Exiv2 is a C++ library and a command-line utility to read, write,
| delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-
| bounds write was found in Exiv2 version v0.28.0. The vulnerable
| function, `BmffImage::brotliUncompress`, is new in v0.28.0, so
| earlier versions of Exiv2 are _not_ affected. The out-of-bounds
| write is triggered when Exiv2 is used to read the metadata of a
| crafted image file. An attacker could potentially exploit the
| vulnerability to gain code execution, if they can trick the victim
| into running Exiv2 on a crafted image file. This bug is fixed in
| version v0.28.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44398
    https://www.cve.org/CVERecord?id=CVE-2023-44398
[1] https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r

Regards,
Salvatore
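A triage helper for this bug, added here as an example and not part of the report above or of Debian's or Exiv2's own tooling. It applies the two facts the advisory states (the vulnerable function is new in v0.28.0, the fix is in v0.28.1) to a Debian package version, and then checks a debian/changelog text for the CVE id, since a Debian revision may carry a backported fix without the upstream version changing. The changelog text and the 0.28.0+dfsg-5 revision below are constructed for the example, not real Debian uploads.

```python
"""Triage CVE-2023-44398 for an installed exiv2 package (added example)."""
import re

CVE = "CVE-2023-44398"
FIRST_AFFECTED = (0, 28, 0)   # BmffImage::brotliUncompress introduced in v0.28.0 (advisory)
FIRST_FIXED = (0, 28, 1)      # fixed upstream in v0.28.1 (advisory)

# Constructed sample changelog entry; hypothetical revision, not a real upload.
SAMPLE_CHANGELOG_PATCHED = """\
exiv2 (0.28.0+dfsg-5) unstable; urgency=high

  * Hypothetical entry constructed for this example: backport upstream fix
    for CVE-2023-44398 (out-of-bounds write in BmffImage::brotliUncompress).

 -- Example Maintainer <maintainer@example.org>  Tue, 07 Nov 2023 10:00:00 +0000
"""


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def upstream_tuple(upstream):
    """Return the numeric upstream version, ignoring suffixes such as '+dfsg'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised exiv2 version: {upstream!r}")
    return tuple(int(x) for x in m.groups())


def upstream_affected(upstream):
    """True only for upstream versions in [0.28.0, 0.28.1)."""
    return FIRST_AFFECTED <= upstream_tuple(upstream) < FIRST_FIXED


def changelog_mentions_cve(changelog_text, cve=CVE):
    """True if the changelog records the CVE id, as the report asks maintainers to do."""
    return re.search(re.escape(cve), changelog_text) is not None


def assess(debian_version, changelog_text=""):
    """Classify a package: 'not affected', 'fixed (upstream)', 'fixed (changelog)' or 'vulnerable'."""
    _, upstream, _ = split_debian_version(debian_version)
    if not upstream_affected(upstream):
        if upstream_tuple(upstream) < FIRST_AFFECTED:
            return "not affected"
        return "fixed (upstream)"
    # Upstream version is the affected one; only a recorded backport clears it.
    if changelog_mentions_cve(changelog_text):
        return "fixed (changelog)"
    return "vulnerable"


if __name__ == "__main__":
    # The version named in this bug report, with no changelog evidence of a fix.
    print("0.28.0+dfsg-4:", assess("0.28.0+dfsg-4"))
    # Hypothetical later revision whose changelog records the CVE.
    print("0.28.0+dfsg-5:", assess("0.28.0+dfsg-5", SAMPLE_CHANGELOG_PATCHED))
    print("0.27.6-1:", assess("0.27.6-1"))
    print("0.28.1-1:", assess("0.28.1-1"))
```

Feed it the output of `dpkg-query -W -f='${Version}' libexiv2-28` (or whichever binary package you ship) together with `/usr/share/doc/<package>/changelog.Debian.gz` decompressed. The changelog check only trusts the maintainer's record of a backport; it does not verify that the patch is present in the binary.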
