CVE-2021-29458

medium

Published 2021-11-09 · Modified 2021-11-09

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

RHSA-2021:4173: exiv2 security, bug fix, and enhancement update (Moderate)

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description exiv2: Out-of-bounds read in Exiv2::Internal::CrwMap::encode CVSS v3: 6.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 8exiv2-0:0.27.4-5.el8RHSA-2021:41732021-11-09T00:00:00Z Package state ProductPackageState Red Hat Enterprise Linux 6exiv2Out of support scope Red Hat Enterprise Linux 7exiv2Out of…

Description

exiv2: Out-of-bounds read in Exiv2::Internal::CrwMap::encode

CVSS v3: 6.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`exiv2-0:0.27.4-5.el8`	RHSA-2021:4173	2021-11-09T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`exiv2`	Out of support scope
Red Hat Enterprise Linux 7	`exiv2`	Out of support scope
Red Hat Enterprise Linux 9	`exiv2`	Not affected

Apply commands

bash fix

Apply RHSA-2021:4173 for Red Hat Enterprise Linux 8

yum update -y exiv2
# or:
dnf upgrade -y exiv2

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 9	`Not affected`

OS impact

OS	Version	Status	Fixed in
arch		fixed	`0.27.4-1`
sles		affected
debian	bookworm	fixed	`0.27.5-1`
debian	bullseye	fixed	`0.27.3-3+deb11u2`
debian	forky	fixed	`0.27.5-1`
debian	sid	fixed	`0.27.5-1`
debian	trixie	fixed	`0.27.5-1`
rocky	8	fixed
rhel	8	fixed

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.