Bugzilla – Bug 1142677
VUL-1: CVE-2019-13109: exiv2: denial of service in PngImage:readMetadata
Last modified: 2022-11-29 17:41:12 UTC
CVE-2019-13109 An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction. Reference: https://github.com/Exiv2/exiv2/issues/790 https://github.com/Exiv2/exiv2/pull/795 References: https://bugzilla.redhat.com/show_bug.cgi?id=1728484 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13109 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13109.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13109 http://www.cvedetails.com/cve/CVE-2019-13109/ https://github.com/Exiv2/exiv2/issues/790 https://github.com/Exiv2/exiv2/pull/795
Submitted for SLE15 and SLE15-SP4
SUSE-SU-2022:4208-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1050257,1095070,1110282,1119559,1119560,1119562,1142677,1142678,1153577,1186231,1189337 CVE References: CVE-2017-11591,CVE-2018-11531,CVE-2018-17581,CVE-2018-20097,CVE-2018-20098,CVE-2018-20099,CVE-2019-13109,CVE-2019-13110,CVE-2019-17402,CVE-2021-29473,CVE-2021-32815 JIRA References: Sources used: openSUSE Leap 15.4 (src): exiv2-0_26-0.26-150400.9.21.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): exiv2-0_26-0.26-150400.9.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4276-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1050257,1095070,1110282,1119559,1119560,1119562,1142677,1142678,1153577,1186231,1189337 CVE References: CVE-2017-11591,CVE-2018-11531,CVE-2018-17581,CVE-2018-20097,CVE-2018-20098,CVE-2018-20099,CVE-2019-13109,CVE-2019-13110,CVE-2019-17402,CVE-2021-29473,CVE-2021-32815 JIRA References: Sources used: openSUSE Leap 15.3 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Server 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Retail Branch Server 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Proxy 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Enterprise Storage 7 (src): exiv2-0.26-150000.6.26.1 SUSE Enterprise Storage 6 (src): exiv2-0.26-150000.6.26.1 SUSE CaaS Platform 4.0 (src): exiv2-0.26-150000.6.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.