Bugzilla – Bug 1205391
VUL-0: CVE-2022-3953: exiv2: infinite loop in QuickTimeVideo::multipleEntriesDecoder()
Last modified: 2022-11-14 23:35:08 UTC
CVE-2022-3953 A vulnerability was found in Exiv2. It has been classified as problematic. This affects the function QuickTimeVideo::multipleEntriesDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to infinite loop. It is possible to initiate the attack remotely. The name of the patch is 771ead87321ae6e39e5c9f6f0855c58cde6648f1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213459.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3953
https://github.com/Exiv2/exiv2/commit/771ead87321ae6e39e5c9f6f0855c58cde6648f1
https://www.cve.org/CVERecord?id=CVE-2022-3953
https://github.com/Exiv2/exiv2/pull/2394
https://vuldb.com/?id.213459
Affected:
- SUSE:SLE-15:Update/exiv2
- SUSE:SLE-15-SP4:Update/exiv2
- openSUSE:Factory/exiv2
How did you determine that we're affected? QuickTime video is not compiled on SLE15-SP4 and older:

iosc rbl SUSE:SLE-15-SP4:Update exiv2.26338 standard x86_64 | grep "Building video"
[ 78s] -- Building video support: NO
(In reply to Dirk Mueller from comment #2)
> How did you determine that we're affected? QuickTime video is not compiled
> on SLE15-SP4 and older:
>
> iosc rbl SUSE:SLE-15-SP4:Update exiv2.26338 standard x86_64 | grep "Building video"
> [ 78s] -- Building video support: NO

I only examined the codebase, not the build options; you're right. On SUSE:SLE-15:Update/exiv2 it seems we do not enable it either:

exiv2.spec:119: -DEXIV2_ENABLE_VIDEO:BOOL=OFF \

Closing the bug, nothing to fix.
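The two comments above settle the triage by checking what was actually built rather than what the source tree contains: the CMake summary line in the OBS build log and the EXIV2_ENABLE_VIDEO option in the spec file. The script below is an added example (not from this bug or from the exiv2 project) that turns those two checks into a repeatable reachability test for the QuickTime handler. It assumes only the log line format and spec option name visible in the thread; the build log and spec fragment embedded in it are constructed for illustration, and the optional check of an installed binary assumes that `exiv2 -vV` prints an `enable_video=` line, which should be confirmed against the exiv2 version in use.

```shell
#!/bin/sh
# Added example: decide whether a given exiv2 build compiles the QuickTime
# video handler (the only code path CVE-2022-3953 lives in), using the two
# checks from the bug thread: the CMake summary line in the OBS build log and
# the EXIV2_ENABLE_VIDEO option in the spec file. Not part of the bug or of
# the exiv2 project.

# Constructed excerpt of an OBS build log (what "osc rbl" would print).
BUILD_LOG='[ 77s] -- Building PNG support: YES
[ 78s] -- Building video support: NO
[ 78s] -- Building webready support: NO'

# Constructed excerpt of the %build section of an exiv2.spec.
SPEC_FRAGMENT='%cmake \
  -DEXIV2_ENABLE_VIDEO:BOOL=OFF \
  -DEXIV2_ENABLE_PNG:BOOL=ON'

# video_from_log LOG: print YES or NO from the CMake summary line.
# Prints UNKNOWN and returns 1 when the line is absent (truncated log,
# different exiv2 version, or a failed configure step).
video_from_log() {
  lv=$(printf '%s\n' "$1" | sed -n 's/.*-- Building video support: *\([A-Za-z]*\).*/\1/p' | head -n 1)
  case "$lv" in
    YES|NO) printf '%s\n' "$lv" ;;
    *) echo UNKNOWN; return 1 ;;
  esac
}

# video_from_spec SPEC: print ON or OFF from -DEXIV2_ENABLE_VIDEO[:BOOL]=...
# Prints UNKNOWN and returns 1 when the option is not passed at all, in which
# case the CMake default of that exiv2 version decides and the log must be used.
video_from_spec() {
  sv=$(printf '%s\n' "$1" | sed -n 's/.*-DEXIV2_ENABLE_VIDEO\(:BOOL\)\{0,1\}=\([A-Za-z0-9]*\).*/\2/p' | head -n 1)
  case "$sv" in
    ON|1|TRUE) echo ON ;;
    OFF|0|FALSE) echo OFF ;;
    *) echo UNKNOWN; return 1 ;;
  esac
}

# video_from_installed: query an installed exiv2 binary, if any. Assumption:
# "exiv2 -vV" prints an enable_video=0/1 line (verify for your version).
video_from_installed() {
  command -v exiv2 >/dev/null 2>&1 || { echo UNKNOWN; return 1; }
  iv=$(exiv2 -vV 2>/dev/null | sed -n 's/^enable_video=//p' | head -n 1)
  [ -n "$iv" ] && printf '%s\n' "$iv" || { echo UNKNOWN; return 1; }
}

# assess LOG SPEC: print "affected", "not-affected" or "undetermined".
# The build log is authoritative (it records what CMake actually configured);
# the spec is the fallback, and a disagreement between the two is flagged.
assess() {
  lres=$(video_from_log "$1") || true
  sres=$(video_from_spec "$2") || true
  if [ "$lres" = YES ] && [ "$sres" = OFF ] || [ "$lres" = NO ] && [ "$sres" = ON ]; then
    echo "warning: build log ($lres) and spec ($sres) disagree; trusting the log" >&2
  fi
  case "$lres" in
    YES) echo affected; return 0 ;;
    NO)  echo not-affected; return 0 ;;
  esac
  case "$sres" in
    ON)  echo affected; return 0 ;;
    OFF) echo not-affected; return 0 ;;
  esac
  echo undetermined
  return 1
}

# Run against the constructed inputs; for a real package, feed the output of
# "osc rbl <project> <package> <repo> <arch>" and the package's spec instead.
assess "$BUILD_LOG" "$SPEC_FRAGMENT"
```

Keep the log check first: a spec may set the option for one code stream and not another, or a newer CMake default may flip it, and only the configure summary in the build log reflects what the shipped binary contains. When neither input answers, the script reports "undetermined" rather than guessing, which is the honest outcome for a source-only review like the one in comment #1.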
This is an autogenerated message for OBS integration: This bug (1205391) was mentioned in https://build.opensuse.org/request/show/1035633 Factory / exiv2
This is an autogenerated message for OBS integration: This bug (1205391) was mentioned in https://build.opensuse.org/request/show/1035724 Factory / exiv2