Bugzilla – Bug 1186192
VUL-0: CVE-2021-32617: exiv2: An inefficient algorithm (quadratic complexity) can cause a denial of service when run on a malicious crafted image file
Last modified: 2024-05-16 14:13:06 UTC
CVE-2021-32617

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4.

Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `rm`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32617
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
https://github.com/Exiv2/exiv2/pull/1657
https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj

Affected versions: < v0.27.4
Patched versions: v0.27.4

Affected packages:
- SUSE:SLE-11:Update/exiv2 0.17.1
- SUSE:SLE-12:Update/exiv2 0.23
- SUSE:SLE-15:Update/exiv2 0.26
- openSUSE:Factory/exiv2 0.27.3

Upstream patch:
https://github.com/Exiv2/exiv2/commit/8c53e4687b19b1951b6860bdc89962d420b1b624.patch
Ping, any updates here?
Submitted for SLE11, SLE12, SLE15. Added to changelog in Factory.
This is an autogenerated message for OBS integration: This bug (1186192) was mentioned in https://build.opensuse.org/request/show/1006717 Factory / exiv2
SUSE-SU-2022:3543-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1186192,1188733
CVE References: CVE-2021-31291,CVE-2021-32617
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): exiv2-0.23-12.11.1
SUSE Linux Enterprise Server 12-SP5 (src): exiv2-0.23-12.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3598-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1076579,1086798,1086810,1092096,1114690,1185447,1186192,1188733,1188756,1189330,1189331,1189332,1189333,1189636,1189780
CVE References: CVE-2018-10772,CVE-2018-18915,CVE-2018-5772,CVE-2018-8976,CVE-2018-8977,CVE-2020-18898,CVE-2020-18899,CVE-2021-29470,CVE-2021-31291,CVE-2021-31292,CVE-2021-32617,CVE-2021-37618,CVE-2021-37619,CVE-2021-37620,CVE-2021-37621
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): exiv2-0.26-150000.6.16.1
openSUSE Leap 15.3 (src): exiv2-0.26-150000.6.16.1
SUSE Manager Server 4.1 (src): exiv2-0.26-150000.6.16.1
SUSE Manager Retail Branch Server 4.1 (src): exiv2-0.26-150000.6.16.1
SUSE Manager Proxy 4.1 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server for SAP 15 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Server 15-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): exiv2-0.26-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): exiv2-0.26-150000.6.16.1
SUSE Enterprise Storage 7 (src): exiv2-0.26-150000.6.16.1
SUSE Enterprise Storage 6 (src): exiv2-0.26-150000.6.16.1
SUSE CaaS Platform 4.0 (src): exiv2-0.26-150000.6.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1186192) was mentioned in https://build.opensuse.org/request/show/1030698 Factory / exiv2
SUSE-SU-2022:3889-1: An update that solves 15 vulnerabilities, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1068871,1142675,1142679,1185002,1185218,1185447,1185913,1186053,1186192,1188645,1188733,1189332,1189333,1189334,1189335,1189338
CVE References: CVE-2017-1000128,CVE-2019-13108,CVE-2019-13111,CVE-2020-19716,CVE-2021-29457,CVE-2021-29463,CVE-2021-29470,CVE-2021-29623,CVE-2021-31291,CVE-2021-32617,CVE-2021-34334,CVE-2021-37620,CVE-2021-37621,CVE-2021-37622,CVE-2021-37623
JIRA References: PED-1393
Sources used:
openSUSE Leap 15.4 (src): exiv2-0.27.5-150400.15.4.1, exiv2-0_26-0.26-150400.9.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): exiv2-0.27.5-150400.15.4.1, exiv2-0_26-0.26-150400.9.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.