There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf function of pngimage.cpp in Exiv2 0.27-RC3. A crafted input will lead to a denial of service attack.
Upstream issue: https://github.com/Exiv2/exiv2/issues/590
References: https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206
Created exiv2 tracking bugs for this issue: Affects: fedora-all [bug 1660427]
Created mingw-exiv2 tracking bugs for this issue: Affects: fedora-all [bug 1660428]
Upstream fix:
https://github.com/Exiv2/exiv2/commit/4f9c912c2267f1bc33d9c28f1b063d571770af75
https://github.com/Exiv2/exiv2/commit/902dad0a6eae98b0057cae1b13e78f476f053fae
Statement:
This issue affects the versions of exiv2 as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue affects the versions of exiv2 as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2019:2101 https://access.redhat.com/errata/RHSA-2019:2101
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20096
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2020:1577 https://access.redhat.com/errata/RHSA-2020:1577