CVE-2019-13108 — Integer Overflow or Wraparound in Exiv2

CWE-190 — Integer Overflow or Wraparound CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 35.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Debian Exiv2 Fedoraproject Fedora

Timeline

PublishedJun 30

Latest updateMay 24

Description

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/exiv2< exiv2 0.27.2-6 (bookworm)

▶Debianexiv2/exiv2< 0.27.2-6+3

▶NVDexiv2/exiv20.27.1

Also affects: Fedora 30

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f8xc-4q5g-48f2: An integer overflow in Exiv2 through 0↗2022-05-24

▶

OSV

CVE-2019-13108: An integer overflow in Exiv2 through 0↗2019-06-30

▶

📋Vendor Advisories

Red Hat

exiv2: integer overflow PngImage::readMetadata leads to denial of service↗2019-06-30

▶

Debian

CVE-2019-13108: exiv2 - An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial...↗2019

▶

💬Community

Bugzilla

CVE-2019-13108 exiv2: integer overflow PngImage::readMetadata leads to denial of service↗2019-07-10

▶

Bugzilla

CVE-2019-13108 exiv2: integer overflow PngImage::readMetadata leads to denial of service [fedora-all]↗2019-07-10

▶