CVE-2019-17402
First published: Wed Oct 09 2019(Updated: )
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/exiv2 | <0.25-3.1ubuntu0.18.04.4 | 0.25-3.1ubuntu0.18.04.4 |
| ubuntu/exiv2 | <0.25-4ubuntu1.2 | 0.25-4ubuntu1.2 |
| ubuntu/exiv2 | <0.25-4ubuntu2.1 | 0.25-4ubuntu2.1 |
| ubuntu/exiv2 | <0.25-2.1ubuntu16.04.5 | 0.25-2.1ubuntu16.04.5 |
| debian/exiv2 | 0.27.3-3+deb11u2 0.27.3-3+deb11u1 0.27.6-1 | |
| Exiv2 | =0.27.2 | |
| Debian | =8.0 | |
| Debian | =10.0 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Ubuntu | =19.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Exiv2/exiv2/issues/1019
- https://lists.debian.org/debian-lts-announce/2019/12/msg00001.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html
- https://usn.ubuntu.com/4159-1/
- https://launchpad.net/bugs/cve/CVE-2019-17402
- https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076
- https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec
- https://github.com/Exiv2/exiv2/issues/1026
- https://security-tracker.debian.org/tracker/CVE-2019-17402
- https://ubuntu.com/security/notices/USN-4159-1
- https://www.cve.org/CVERecord?id=CVE-2019-17402
- https://nvd.nist.gov/vuln/detail/CVE-2019-17402
- https://github.com/Exiv2/exiv2/commit/b7890776c62398ca1005e8edc32786859d60fcf7
- https://github.com/phako/exiv2/commit/73b874fb14d02578f876aa7dd404cf7c07b6dc4e
- https://ubuntu.com/security/CVE-2019-17402
Frequently Asked Questions
What is the severity of CVE-2019-17402?
CVE-2019-17402 is classified as a high severity vulnerability due to its potential to cause application crashes.
How do I fix CVE-2019-17402?
To fix CVE-2019-17402, upgrade Exiv2 to version 0.27.3 or later for Debian or use the specified patched versions for Ubuntu as indicated in the affected software details.
What versions of Exiv2 are affected by CVE-2019-17402?
Exiv2 version 0.27.2 is the affected version for CVE-2019-17402.
Can CVE-2019-17402 be exploited remotely?
CVE-2019-17402 can be exploited through maliciously crafted images, potentially affecting systems running vulnerable versions.
What is the impact of CVE-2019-17402 on my system?
The impact of CVE-2019-17402 can lead to application crashes resulting in loss of service for applications using Exiv2.
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/ubuntu
- package-manager/debian
- vendor/exiv2
- canonical/exiv2
- version/exiv2/0.27.2
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/10.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- version/ubuntu/19.10