PT-2021-4573 · Exiv2+10 · Exiv2+10

Kevinbackhouse

·

Published

2021-04-23

·

Updated

2025-01-10

·

CVE-2021-29473

CVSS v2.0

2.6

Low

VectorAV:N/AC:H/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions Exiv2 versions v0.27.3 and earlier
Description An out-of-bounds read was found in Exiv2, triggered when it is used to write metadata into a crafted image file. This could potentially allow an attacker to cause a denial of service by crashing Exiv2 if they can trick the victim into running Exiv2 on a crafted image file. The bug is only triggered when writing metadata, which is a less frequently used operation than reading metadata. For example, to trigger the bug in the Exiv2 command-line application, an extra command-line argument such as insert is needed.
Recommendations For Exiv2 versions v0.27.3 and earlier, update to version v0.27.4 to resolve the issue. As a temporary workaround, consider avoiding the use of the insert command-line argument when running the Exiv2 command-line application on untrusted image files. Restrict access to writing metadata to minimize the risk of exploitation.

Exploit

Fix

DoS

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-125

Related Identifiers

ALSA-2021:4173
ALT-PU-2021-2006
ALT-PU-2021-3308
ALT-PU-2024-13399
AZL-7211
BDU:2021-05244
CESA-2021_4173
CVE-2021-29473
DLA-2750-1
DSA-4958-1
GHSA-7569-PHVM-VWC2
MGASA-2021-0240
OESA-2021-1183
OPENSUSE-SU-2022_4208-1
OPENSUSE-SU-2022_4276-1
RHSA-2021:4173
RHSA-2021_4173
RLSA-2021:4173
SUSE-SU-2022:4208-1
SUSE-SU-2022:4252-1
SUSE-SU-2022:4276-1
USN-4964-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Exiv2
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu