Vulnerability CVE-2024-25112: Information

Description

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-25112
Published: Feb. 13, 2024
Modified: Feb. 13, 2024
Error type identifier: CWE-400CWE-674

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
exiv2sisyphus0.28.2-alt10.28.2-alt1ALT-PU-2024-2322-1340673Fixed
exiv2sisyphus_e2k0.28.2-alt10.28.2-alt1ALT-PU-2024-2431-1-Fixed
exiv2sisyphus_riscv640.28.2-alt10.28.2-alt1ALT-PU-2024-3530-1-Fixed
exiv2sisyphus_loongarch640.28.2-alt10.28.2-alt1ALT-PU-2024-2389-1-Fixed
exiv2p110.28.2-alt10.28.2-alt1ALT-PU-2024-2322-1340673Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36
    https://github.com/Exiv2/exiv2/pull/2337
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top