[automatic] Publish 14 advisories for 5 packages

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkipdv-pcz6tu.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkipdv-pcz6tu"
+modified = 2025-10-08T03:23:00.739Z
+upstream = ["CVE-2023-47038"]
+references = ["https://access.redhat.com/errata/RHSA-2024:2228", "https://access.redhat.com/errata/RHSA-2024:3128", "https://access.redhat.com/security/cve/CVE-2023-47038", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746", "https://bugzilla.redhat.com/show_bug.cgi?id=2249523", "https://access.redhat.com/errata/RHSA-2024:2228", "https://access.redhat.com/errata/RHSA-2024:3128", "https://access.redhat.com/security/cve/CVE-2023-47038", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746", "https://bugzilla.redhat.com/show_bug.cgi?id=2249523", "https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010", "https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6", "https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3", "https://github.com/aquasecurity/trivy/discussions/8400", "https://lists.fedoraproject.org/archives/list/[email protected]/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/", "https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property", "https://ubuntu.com/security/CVE-2023-47100", "https://www.suse.com/security/cve/CVE-2023-47100.html"]
+
+[[affected]]
+pkg = "Perl_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2023-47038"
+imported = 2025-10-08T03:23:00.720Z
+modified = 2025-10-07T18:15:32.663Z
+published = 2023-12-18T14:15:08.933Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-47038"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-47038"
+```
+
+# A vulnerability was found in perl 5.30.0 through 5.38.0
+
+A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkiyhr-1irnhng.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkiyhr-1irnhng"
+modified = 2025-10-08T03:23:12.543Z
+upstream = ["CVE-2022-49043"]
+references = ["https://github.com/php/php-src/issues/17467", "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"]
+
+[[affected]]
+pkg = "XML2_jll"
+ranges = ["< 2.12.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-49043"
+imported = 2025-10-08T03:23:12.519Z
+modified = 2025-10-07T16:24:00.340Z
+published = 2025-01-26T06:15:21.000Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-49043"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-49043"
+```
+
+# xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
+
+xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkizwm-1d50wv3.md

@@ -0,0 +1,26 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkizwm-1d50wv3"
+modified = 2025-10-08T03:23:14.374Z
+upstream = ["CVE-2025-32988"]
+references = ["https://access.redhat.com/errata/RHSA-2025:16115", "https://access.redhat.com/errata/RHSA-2025:16116", "https://access.redhat.com/errata/RHSA-2025:17348", "https://access.redhat.com/errata/RHSA-2025:17361", "https://access.redhat.com/errata/RHSA-2025:17415", "https://access.redhat.com/security/cve/CVE-2025-32988", "https://bugzilla.redhat.com/show_bug.cgi?id=2359622"]
+
+[[affected]]
+pkg = "GnuTLS_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2025-32988"
+imported = 2025-10-08T03:23:14.374Z
+modified = 2025-10-07T12:15:43.753Z
+published = 2025-07-10T08:15:24.223Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-32988"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-32988"
+```
+
+# A flaw was found in GnuTLS
+
+A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.
+
+This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgoj-qmvd86.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgoj-qmvd86"
+modified = 2025-10-08T03:23:36.115Z
+upstream = ["CVE-2021-39212"]
+references = ["https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68", "https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e", "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr", "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html", "https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68", "https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e", "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr", "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html"]
+
+[[affected]]
+pkg = "ImageMagick_jll"
+ranges = [">= 6.9.12+0, < 6.9.12+4", ">= 7.1.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-39212"
+imported = 2025-10-08T03:23:36.115Z
+modified = 2024-11-21T06:18:54.870Z
+published = 2021-09-13T18:15:23.907Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-39212"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-39212"
+```
+
+# ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that ...
+
+ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgp1-w3mhcz.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgp1-w3mhcz"
+modified = 2025-10-08T03:23:36.133Z
+upstream = ["CVE-2021-37623"]
+references = ["https://github.com/Exiv2/exiv2/pull/1790", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1790", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37623"
+imported = 2025-10-08T03:23:36.133Z
+modified = 2024-11-21T06:15:32.637Z
+published = 2021-08-09T18:15:07.687Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37623"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37623"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgp8-1y13db2.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgp8-1y13db2"
+modified = 2025-10-08T03:23:36.140Z
+upstream = ["CVE-2021-37622"]
+references = ["https://github.com/Exiv2/exiv2/pull/1788", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1788", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37622"
+imported = 2025-10-08T03:23:36.140Z
+modified = 2024-11-21T06:15:32.490Z
+published = 2021-08-09T19:15:08.230Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37622"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37622"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when deleting the IPTC data, which is a less frequently used Exiv2 operation that requires an extra command line option (`-d I rm`). The bug is fixed in version v0.27.5.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgpf-zo7537.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgpf-zo7537"
+modified = 2025-10-08T03:23:36.147Z
+upstream = ["CVE-2021-37621"]
+references = ["https://github.com/Exiv2/exiv2/pull/1778", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1778", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37621"
+imported = 2025-10-08T03:23:36.147Z
+modified = 2024-11-21T06:15:32.350Z
+published = 2021-08-09T19:15:08.133Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37621"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37621"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgpm-ictj9x.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgpm-ictj9x"
+modified = 2025-10-08T03:23:36.154Z
+upstream = ["CVE-2021-37620"]
+references = ["https://github.com/Exiv2/exiv2/pull/1769", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1769", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728", "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37620"
+imported = 2025-10-08T03:23:36.154Z
+modified = 2024-11-21T06:15:32.200Z
+published = 2021-08-09T19:15:08.033Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37620"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37620"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgps-1mo4lqf.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgps-1mo4lqf"
+modified = 2025-10-08T03:23:36.160Z
+upstream = ["CVE-2021-37619"]
+references = ["https://github.com/Exiv2/exiv2/pull/1752", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1752", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37619"
+imported = 2025-10-08T03:23:36.160Z
+modified = 2024-11-21T06:15:32.060Z
+published = 2021-08-09T19:15:07.940Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37619"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37619"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.5.
+

advisories/published/2025/DONOTUSEJLSEC-0000-mnrpkjgpy-1y3cp2k.md

@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "DONOTUSEJLSEC-0000-mnrpkjgpy-1y3cp2k"
+modified = 2025-10-08T03:23:36.166Z
+upstream = ["CVE-2021-37618"]
+references = ["https://github.com/Exiv2/exiv2/pull/1759", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06", "https://github.com/Exiv2/exiv2/pull/1759", "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/", "https://security.gentoo.org/glsa/202312-06"]
+
+[[affected]]
+pkg = "Exiv2_jll"
+ranges = ["*"]
+
+[[jlsec_sources]]
+id = "CVE-2021-37618"
+imported = 2025-10-08T03:23:36.166Z
+modified = 2024-11-21T06:15:31.927Z
+published = 2021-08-09T19:15:07.780Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-37618"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-37618"
+```
+
+# Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the me...
+
+Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.
+