Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2018-19107

Published: 8 November 2018

In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.

Notes

AuthorNote
mdeslaur
1-byte invalid read

Priority

Low

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
exiv2
Launchpad, Ubuntu, Debian
bionic
Released (0.25-3.1ubuntu0.18.04.3)
cosmic
Released (0.25-4ubuntu0.2)
disco
Released (0.25-4ubuntu1.1)
precise Does not exist

trusty Does not exist
(trusty was needed)
upstream Needs triage

xenial
Released (0.25-2.1ubuntu16.04.4)
Patches:
upstream: https://github.com/Exiv2/exiv2/commit/68966932510213b5656fcf433ab6d7e26f48e23b
upstream: https://github.com/Exiv2/exiv2/commit/b7c71f3ad0386cd7af3b73443c0615ada073f0d5

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H