A vulnerability classified as critical has been found in Exiv2 up to 0.27.1 (Image Processing Software). Affected is the function WebPImage::decodeChunks of the component webp File Handler. The manipulation as part of a Image File leads to a integer overflow vulnerability. CWE is classifying the issue as CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file.

The weakness was released 06/30/2019 (Website). The advisory is available at lists.fedoraproject.org. This vulnerability is traded as CVE-2019-13111 since 06/30/2019. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 137104, 137105, 137103 and 137107.

Productinfo

Type

• Image Processing Software

Name

• Exiv2

Version

• 0.27.0
• 0.27.1

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion