CVE-2021-32617: Denial of service in Exiv2
First published: Mon May 17 2021(Updated: )
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `rm`.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/exiv2 | <0.27.4 | 0.27.4 |
| CentOS Dos2unix | <0.27.4 | |
| Fedora | =33 | |
| Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Exiv2/exiv2/pull/1657
- https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2BPQNJKTRIDINTVJ22QMMTIZEPHVKXK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQAKFIQHW2AS3AGSJM42ABOA6CWIJBGM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZ5SGWHK64TB7ADRSVBGHEPDFN5CSOO3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2BPQNJKTRIDINTVJ22QMMTIZEPHVKXK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQAKFIQHW2AS3AGSJM42ABOA6CWIJBGM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZ5SGWHK64TB7ADRSVBGHEPDFN5CSOO3/
- https://security.gentoo.org/glsa/202312-06
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1961692
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1961693
- https://access.redhat.com/errata/RHSA-2021:4173
- https://bugzilla.redhat.com/show_bug.cgi?id=1961691
Frequently Asked Questions
What is the severity of CVE-2021-32617?
CVE-2021-32617 has been categorized with a severity rating that indicates a potential denial-of-service vulnerability due to an inefficient algorithm.
How do I fix CVE-2021-32617?
To fix CVE-2021-32617, update Exiv2 to version 0.27.4 or later.
Which versions of Exiv2 are affected by CVE-2021-32617?
Exiv2 versions prior to 0.27.4 are affected by CVE-2021-32617.
What types of software does CVE-2021-32617 impact?
CVE-2021-32617 impacts Exiv2 as well as specific Fedora distributions such as Fedora 33 and 34.
What type of vulnerability is CVE-2021-32617?
CVE-2021-32617 is classified as a denial-of-service vulnerability caused by inefficient processing of metadata in image files.
- agent/type
- agent/event
- agent/remedy
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32617
- agent/software-canonical-lookup
- agent/title
- agent/severity
- agent/weakness
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/redhat
- vendor/exiv2
- canonical/centos dos2unix
- vendor/fedoraproject
- canonical/fedora
- version/fedora/33
- version/fedora/34