Advisories | Mandriva

Package name	exiv2
Date	January 10th, 2008
Advisory ID	MDVSA-2008:006
Affected versions	2007.1, 2008.0

Problem Description

An integer overflow in the Exiv2 library allows context-dependent
attackers to execute arbitrary code via a crafted EXIF file that
triggers a heap-based buffer overflow.

The updated packages have been patched to correct these issues.

Updated Packages

Mandriva Linux 2007.1

 290bc944bde4ad24657c9ee13d4534fa  2007.1/i586/exiv2-0.13-1.1mdv2007.1.i586.rpm
 7614143070ac823195d7336a9655e76d  2007.1/i586/libexiv2-0.13-1.1mdv2007.1.i586.rpm
 74450450b9a598a3544e46d2bb4242a9  2007.1/i586/libexiv2-devel-0.13-1.1mdv2007.1.i586.rpm 
 e212cd2efcb56fbe00e892ebfec25d29  2007.1/SRPMS/exiv2-0.13-1.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64

 e2eb212bb7bd0a427345ac369cb0c3e4  2007.1/x86_64/exiv2-0.13-1.1mdv2007.1.x86_64.rpm
 3c88001c423399c87112be1f90512131  2007.1/x86_64/lib64exiv2-0.13-1.1mdv2007.1.x86_64.rpm
 0eed3499a9da4580f93b03e45d793ff1  2007.1/x86_64/lib64exiv2-devel-0.13-1.1mdv2007.1.x86_64.rpm 
 e212cd2efcb56fbe00e892ebfec25d29  2007.1/SRPMS/exiv2-0.13-1.1mdv2007.1.src.rpm

Mandriva Linux 2008.0

 9b81584225e84a2a5bc08110bb404441  2008.0/i586/exiv2-0.15-2.1mdv2008.0.i586.rpm
 014a0adbac5779e8178b77cd5e09a401  2008.0/i586/libexiv2-0.15-2.1mdv2008.0.i586.rpm
 acac434936c9d130e0209107e44b01eb  2008.0/i586/libexiv2-devel-0.15-2.1mdv2008.0.i586.rpm 
 78ea6a6e976bf2c6097bc0a122282434  2008.0/SRPMS/exiv2-0.15-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64

 f9e4cc439fa9444972f7755a7c2cee0d  2008.0/x86_64/exiv2-0.15-2.1mdv2008.0.x86_64.rpm
 00ce23b495092284b73d2ec29bbba4cf  2008.0/x86_64/lib64exiv2-0.15-2.1mdv2008.0.x86_64.rpm
 d716f5eaebd041364d409569980f1f8b  2008.0/x86_64/lib64exiv2-devel-0.15-2.1mdv2008.0.x86_64.rpm 
 78ea6a6e976bf2c6097bc0a122282434  2008.0/SRPMS/exiv2-0.15-2.1mdv2008.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6353

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.