From owner-dev-commits-ports-all@freebsd.org Sun Jul 4 20:56:29 2021 Return-Path: Delivered-To: dev-commits-ports-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6739564BEFA; Sun, 4 Jul 2021 20:56:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GJ1MK284Tz4Tr2; Sun, 4 Jul 2021 20:56:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 31D8D194D1; Sun, 4 Jul 2021 20:56:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 164KuTl1043773; Sun, 4 Jul 2021 20:56:29 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 164KuT2j043772; Sun, 4 Jul 2021 20:56:29 GMT (envelope-from git) Date: Sun, 4 Jul 2021 20:56:29 GMT Message-Id: <202107042056.164KuT2j043772@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: "Tobias C. Berner" Subject: git: 0e1cf83190b5 - main - security/vuxml: document vulnerabilities in graphics/exiv2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tcberner X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0e1cf83190b530cb73a9c086a4a2ca1d30776996 Auto-Submitted: auto-generated X-BeenThere: dev-commits-ports-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Jul 2021 20:56:29 -0000 The branch main has been updated by tcberner: URL: https://cgit.FreeBSD.org/ports/commit/?id=0e1cf83190b530cb73a9c086a4a2ca1d30776996 commit 0e1cf83190b530cb73a9c086a4a2ca1d30776996 Author: Daniel Engberg AuthorDate: 2021-07-04 20:55:14 +0000 Commit: Tobias C. Berner CommitDate: 2021-07-04 20:55:52 +0000 security/vuxml: document vulnerabilities in graphics/exiv2 PR: 256803 --- security/vuxml/vuln-2021.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 5e1873ff889f..a43789bf44ff 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,59 @@ + + Exiv2 -- Multiple vulnerabilities + + + exiv2 + 0.27.4,1 + + + + +

Exiv2 teams reports:

+
+

Multiple vulnerabilities covering buffer overflows, out-of-bounds, + read of uninitialized memory and denial of serivce. The heap + overflow is triggered when Exiv2 is used to read the metadata of + a crafted image file. An attacker could potentially exploit the + vulnerability to gain code execution, if they can trick the victim + into running Exiv2 on a crafted image file. The out-of-bounds read + is triggered when Exiv2 is used to write metadata into a crafted + image file. An attacker could potentially exploit the vulnerability + to cause a denial of service by crashing Exiv2, if they can trick + the victim into running Exiv2 on a crafted image file. The read of + uninitialized memory is triggered when Exiv2 is used to read the + metadata of a crafted image file. An attacker could potentially + exploit the vulnerability to leak a few bytes of stack memory, if + they can trick the victim into running Exiv2 on a crafted image + file.

+
+ +
+ + CVE-2021-29457 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm + CVE-2021-29458 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5 + CVE-2021-29463 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr + CVE-2021-29464 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p + CVE-2021-29470 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj + CVE-2021-29473 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2 + CVE-2021-29623 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v + CVE-2021-32617 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj + CVE-2021-3482 + https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9 + + + 2021-04-25 + 2021-06-30 + +
+ openexr v3.0.5 -- fixes miscellaneous security issues
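Review bot: two typos in the new entry's description block should be fixed before this lands: the attribution line reads "Exiv2 teams reports:" and should be "Exiv2 team reports:", and "denial of serivce" in the first sentence should be "denial of service". The dates block also deserves a second look: the entry date is given as 2021-06-30 while the commit itself is dated 2021-07-04, so either the entry date was carried over from a draft or it should be bumped to the date the entry is actually added. Finally, the affected-package block only shows the single version "0.27.4,1"; confirm it is wrapped in a less-than bound so that the port's 0.27.4,1 (with its ",1" epoch) is treated as fixed rather than vulnerable, since the description covers nine CVEs and a wrong comparison operator here would either hide the advisory from users on older versions or falsely flag the patched release.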