PublicDateAtUSN: 2021-05-13 17:15:00 UTC
Candidate: CVE-2021-29623
PublicDate: 2021-05-13 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
 https://github.com/Exiv2/exiv2/pull/1627
 https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v
 https://ubuntu.com/security/notices/USN-4964-1
Description:
 Exiv2 is a C++ library and a command-line utility to read, write, delete
 and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized
 memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a
 command-line utility and C++ library for reading, writing, deleting, and
 modifying the metadata of image files. The read of uninitialized memory is
 triggered when Exiv2 is used to read the metadata of a crafted image file.
 An attacker could potentially exploit the vulnerability to leak a few bytes
 of stack memory, if they can trick the victim into running Exiv2 on a
 crafted image file. The bug is fixed in version v0.27.4.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N [3.3 LOW]


Patches_exiv2:
 upstream: https://github.com/Exiv2/exiv2/pull/1627/commits/82e46b5524fb904e6660dadd2c6d8e5e47375a1a
upstream_exiv2: released (v0.27.4)
precise/esm_exiv2: DNE
trusty_exiv2: ignored (out of standard support)
trusty/esm_exiv2: DNE
xenial_exiv2: ignored (out of standard support)
esm-infra/xenial_exiv2: not-affected (code not present)
bionic_exiv2: not-affected (code not present)
focal_exiv2: released (0.27.2-8ubuntu2.4)
groovy_exiv2: released (0.27.3-3ubuntu0.4)
hirsute_exiv2: released (0.27.3-3ubuntu1.3)
impish_exiv2: released (0.27.3-3ubuntu3)
jammy_exiv2: released (0.27.3-3ubuntu3)
devel_exiv2: released (0.27.3-3ubuntu3)