ALAS2-2025-3086

References: CVE-2025-54080  CVE-2025-55304 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6. (CVE-2025-54080)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6. (CVE-2025-55304)

Issue Correction:
Run yum update exiv2 or yum update --advisory ALAS2-2025-3086 to update your system.

New Packages:

aarch64:
    exiv2-0.27.0-4.amzn2.0.6.aarch64
    exiv2-devel-0.27.0-4.amzn2.0.6.aarch64
    exiv2-libs-0.27.0-4.amzn2.0.6.aarch64
    exiv2-debuginfo-0.27.0-4.amzn2.0.6.aarch64

i686:
    exiv2-0.27.0-4.amzn2.0.6.i686
    exiv2-devel-0.27.0-4.amzn2.0.6.i686
    exiv2-libs-0.27.0-4.amzn2.0.6.i686
    exiv2-debuginfo-0.27.0-4.amzn2.0.6.i686

noarch:
    exiv2-doc-0.27.0-4.amzn2.0.6.noarch

src:
    exiv2-0.27.0-4.amzn2.0.6.src

x86_64:
    exiv2-0.27.0-4.amzn2.0.6.x86_64
    exiv2-devel-0.27.0-4.amzn2.0.6.x86_64
    exiv2-libs-0.27.0-4.amzn2.0.6.x86_64
    exiv2-debuginfo-0.27.0-4.amzn2.0.6.x86_64