| Summary: | exiv2 new security issue CVE-2019-13111 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | exiv2-0.27.1-3.3.mga7.src.rpm | CVE: | CVE-2019-13111 |
| Status comment: | |||
Description
David Walser
2020-04-28 19:15:23 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (large heap allocation followed by a very long running loop) via a crafted WEBP image file. (CVE-2019-13111)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13111
https://access.redhat.com/errata/RHSA-2020:1577
========================

Updated packages in core/updates_testing:
========================
exiv2-0.27.1-3.4.mga7
lib(64)exiv2_27-0.27.1-3.4.mga7
lib(64)exiv2-devel-0.27.1-3.4.mga7
exiv2-doc-0.27.1-3.4.mga7

from SRPMS:
exiv2-0.27.1-3.4.mga7.src.rpm

Status: NEW => ASSIGNED

mga7, x86_64

$ rpm -qa | grep exiv2
exiv2-0.27.1-3.3.mga7
lib64exiv2_27-0.27.1-3.3.mga7
lib64gexiv2_2-0.12.0-3.mga7
lib64kf5exiv2_5-19.04.0-2.mga7

CVE-2019-13111
https://github.com/Exiv2/exiv2/issues/791
Downloaded the test image and renamed it to something more manageable.

$ time exiv2 poc1.jpg
File name       : poc1.jpg
File size       : 28 Bytes
MIME type       : image/webp
Image size      : 0 x 0
poc1.jpg: No Exif data found in the file
real    0m41.758s
user    0m40.012s
sys     0m1.732s
$ ulimit -v 4000000
$ exiv2 poc1.jpg
Uncaught exception: std::bad_alloc

Updated the packages listed on the bug.

$ time exiv2 poc1.jpg
Exiv2 exception in print action for file poc1.jpg:
corrupted image metadata
real    0m0.007s
user    0m0.002s
sys     0m0.005s
<Immediate return>
$ exiv2 poc1.jpg
Exiv2 exception in print action for file poc1.jpg:
corrupted image metadata

The fix is confirmed.

Referring to https://bugs.mageia.org/show_bug.cgi?id=26171 for testing hints.

$ exiv2 -c "QA exiv2 test" SaturnColors_CassiniSchmidt.jpg
$ strings SaturnColors_CassiniSchmidt.jpg | grep QA
QA exiv2 test
$ exiv2 -pc SaturnColors_CassiniSchmidt.jpg | grep QA
QA exiv2 test

$ strace -o thumb.trace gthumb .
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 24
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=148064, ...}) = 0

$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexiv2.so.0.27.1", O_RDONLY) = 3

Good enough - no regressions.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update

Thomas Backlund
2020-05-05 12:12:04 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0196.html

Resolution: (none) => FIXED
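
Added example, not part of the bug report and not Exiv2's code or its patch: a RIFF/WebP chunk walker showing the general defensive check for the class of bug in the advisory, where each declared chunk size is compared against the bytes remaining (by subtraction, so the comparison cannot wrap) before anything is allocated or looped over. The function name `webp_chunks_ok`, the standard RIFF layout it assumes, and both 28-byte samples are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RIFF stores sizes as 32-bit little-endian values. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: number of chunks if every declared size fits in
 * the buffer, -1 if the container is malformed. Nothing is allocated. */
int webp_chunks_ok(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WEBP", 4))
        return -1;
    uint32_t riff_size = rd_le32(buf + 4);    /* bytes after the first 8 */
    if (riff_size < 4 || riff_size > len - 8) /* len >= 12, cannot wrap */
        return -1;
    size_t end = 8 + (size_t)riff_size, pos = 12;
    int count = 0;
    while (pos < end) {
        if (end - pos < 8)                    /* no room for tag + size */
            return -1;
        uint32_t size = rd_le32(buf + pos + 4);
        pos += 8;
        /* Compare with the bytes remaining. "pos + size > end" can wrap
         * in 32-bit arithmetic and accept an oversized chunk. */
        if (size > end - pos)
            return -1;
        pos += size;
        if ((size & 1) && pos < end)          /* payloads are padded to even */
            pos++;
        count++;
    }
    return count;
}

/* Constructed 28-byte samples, not the file from the upstream issue. */
static const uint8_t good[28] = { 'R','I','F','F', 20,0,0,0, 'W','E','B','P',
                                  'E','X','I','F', 8,0,0,0 };
static const uint8_t bad[28]  = { 'R','I','F','F', 20,0,0,0, 'W','E','B','P',
                                  'E','X','I','F', 0xF8,0xFF,0xFF,0xFF };

int main(void) {
    printf("good: %d\n", webp_chunks_ok(good, sizeof good));
    printf("bad:  %d\n", webp_chunks_ok(bad, sizeof bad));
    return 0;
}
```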