ALAS2023-2025-1296

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1296
Advisory Released Date: 2025-12-08
Advisory Updated Date: 2025-12-08
Severity: Medium
Issue Overview:

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6. (CVE-2025-54080)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6. (CVE-2025-55304)


Affected Packages:

exiv2


Issue Correction:
Run dnf update exiv2 --releasever 2023.9.20251208 or dnf update --advisory ALAS2023-2025-1296 --releasever 2023.9.20251208 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    exiv2-libs-debuginfo-0.28.5-129.amzn2023.aarch64
    exiv2-debugsource-0.28.5-129.amzn2023.aarch64
    exiv2-debuginfo-0.28.5-129.amzn2023.aarch64
    exiv2-libs-0.28.5-129.amzn2023.aarch64
    exiv2-0.28.5-129.amzn2023.aarch64
    exiv2-devel-0.28.5-129.amzn2023.aarch64

noarch:
    exiv2-doc-0.28.5-129.amzn2023.noarch

src:
    exiv2-0.28.5-129.amzn2023.src

x86_64:
    exiv2-libs-debuginfo-0.28.5-129.amzn2023.x86_64
    exiv2-debuginfo-0.28.5-129.amzn2023.x86_64
    exiv2-debugsource-0.28.5-129.amzn2023.x86_64
    exiv2-libs-0.28.5-129.amzn2023.x86_64
    exiv2-devel-0.28.5-129.amzn2023.x86_64
    exiv2-0.28.5-129.amzn2023.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-54080, CVE-2025-55304

Mitre: CVE-2025-54080, CVE-2025-55304