Bugzilla – Bug 1060995
VUL-1: CVE-2017-14864: exiv2: Invalid memory address dereference in Exiv2::getULong(types.cpp:246)
Last modified: 2022-10-28 17:28:53 UTC
rh#1494467 An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. References: https://bugzilla.redhat.com/show_bug.cgi?id=1494467 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14864 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14864.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
Created attachment 744675 [details] proof of concept
This is an autogenerated message for OBS integration: This bug (1060995) was mentioned in https://build.opensuse.org/request/show/534384 Factory / exiv2
was fixed as part of https://github.com/Exiv2/exiv2/pull/120 - submitted to Factory.
This is an autogenerated message for OBS integration: This bug (1060995) was mentioned in https://build.opensuse.org/request/show/613049 Factory / exiv2
SUSE-SU-2018:1882-1: An update that fixes 15 vulnerabilities is now available. Category: security (moderate) Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023 CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864 Sources used: SUSE Linux Enterprise Module for Desktop Applications 15 (src): exiv2-0.26-6.3.1
openSUSE-SU-2018:1961-1: An update that fixes 15 vulnerabilities is now available. Category: security (moderate) Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023 CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864 Sources used: openSUSE Leap 15.0 (src): exiv2-0.26-lp150.5.3.1
SUSE will not provide a fix for older products for this issue since the risk to our customers posed by this is negligible.
SUSE-SU-2018:3882-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 1050257,1051188,1060995,1060996,1061000,1072928,1092952,1093095,1095070 CVE References: CVE-2017-11591,CVE-2017-11683,CVE-2017-14859,CVE-2017-14862,CVE-2017-14864,CVE-2017-17669,CVE-2018-10958,CVE-2018-10998,CVE-2018-11531 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): exiv2-0.23-12.5.1 SUSE Linux Enterprise Server 12-SP3 (src): exiv2-0.23-12.5.1 SUSE Linux Enterprise Desktop 12-SP3 (src): exiv2-0.23-12.5.1
SUSE-SU-2018:3882-2: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 1050257,1051188,1060995,1060996,1061000,1072928,1092952,1093095,1095070 CVE References: CVE-2017-11591,CVE-2017-11683,CVE-2017-14859,CVE-2017-14862,CVE-2017-14864,CVE-2017-17669,CVE-2018-10958,CVE-2018-10998,CVE-2018-11531 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): exiv2-0.23-12.5.1 SUSE Linux Enterprise Server 12-SP4 (src): exiv2-0.23-12.5.1 SUSE Linux Enterprise Desktop 12-SP4 (src): exiv2-0.23-12.5.1