| Summary: | exiv2 new security issues CVE-2021-3482, CVE-2021-2945[78], CVE-2021-2946[34], CVE-2021-2947[03], CVE-2021-29623, CVE-2021-32617 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | exiv2-0.27.3-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser, 2021-05-29 01:01:44 CEST

David Walser, 2021-05-29 01:02:06 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

David Walser, 2021-05-29 01:03:48 CEST

Summary: exiv2 new security issues => exiv2 new security issues CVE-2021-3482, CVE-2021-2945[78], CVE-2021-2946[34], CVE-2021-2947[03], CVE-2021-29623, CVE-2021-32617

Fedora has issued an advisory for some of these issues on May 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/

Fedora has issued an advisory for the last two issues today (May 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)

Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29457)

Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)

Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2021-29463)

Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-29464)

Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)

Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)

Read of uninitialized memory may lead to information leak. (CVE-2021-29623)

DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
https://ubuntu.com/security/notices/USN-4941-1
https://ubuntu.com/security/notices/USN-4964-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
========================

Updated packages in 7/core/updates_testing:
========================
exiv2-0.27.1-3.5.mga7
lib(64)exiv2_27-0.27.1-3.5.mga7
lib(64)exiv2-devel-0.27.1-3.5.mga7
exiv2-doc-0.27.1-3.5.mga7

from SRPM:
exiv2-0.27.1-3.5.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
exiv2-0.27.3-1.1.mga8
lib(64)exiv2_27-0.27.3-1.1.mga8
lib(64)exiv2-devel-0.27.3-1.1.mga8
exiv2-doc-0.27.3-1.1.mga8

from SRPM:
exiv2-0.27.3-1.1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

mga8, x64

CVE-2021-3482
https://github.com/Exiv2/exiv2/issues/1522

```
$ exiv2 poc.jpg
File name       : poc.jpg
File size       : 268 Bytes
MIME type       : image/jp2
Image size      : 0 x 0
poc.jpg: No Exif data found in the file
```

Not obvious if this is an effective PoC. Maybe fixed already.

CVE-2021-29457
https://github.com/Exiv2/exiv2/issues/1529

The PoC comes as two files, poc and poc.exv. The actual names need to be shortened for legibility.

```
$ exiv2 in tests_29457
Segmentation fault (core dumped)
```

CVE-2021-29458
https://github.com/Exiv2/exiv2/issues/1530

```
$ exiv2 in tests_29458
Segmentation fault (core dumped)
```

CVE-2021-294{58,63,64}: no PoC found
CVE-2021-294{70,73}: regression tests mentioned, no explicit instructions
CVE-2021-29623: no PoC
CVE-2021-32617: PoC involves a large invalid file, not tested upstream

Updated the four packages. Ran the available PoC. The first one, for CVE-2021-3482, returned the same output as before.

```
$ exiv2 in tests_29457
tests_29457: Could not write metadata to file: corrupted image metadata
$ exiv2 in tests_29458
tests_29458: Could not write metadata to file: corrupted image metadata
```

Good results for those two.

Place a comment in an image file.

```
$ exiv2 -c "Orange smog here" PIA19642Titan.jpg
$ strings PIA19642Titan.jpg | grep smog
Orange smog here
$ exiv2 -pc PIA19642Titan.jpg
Orange smog here
```

Ran a couple of applications which use libexiv2.

```
$ strace -o thumb.trace gthumb .
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 25
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=156248, ...}) = 0
$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3
```

Giving this an OK.

CC: (none) => tarazed25

mga7, x86_64

Tested the PoC using the files from the mga8 tests.

CVE-2021-3482

```
$ exiv2 poc.jpg
[...]
poc.jpg: No Exif data found in the file
```

CVE-2021-29457

```
$ exiv2 in tests_29457
Segmentation fault (core dumped)
```

CVE-2021-29458

```
$ exiv2 in tests_29458
$
```

This segfaults upstream.

Updated the packages.

PoC tests:

Same output for CVE-2021-3482.

```
$ exiv2 in tests_29457
tests_29457: Could not write metadata to file: corrupted image metadata
```

<good result>

```
$ exiv2 in tests_29458
$
```

<This one is equivocal - maybe fixed already - ?>

Probably not worth pursuing this given that mga7 is close to EOS.

Placed a comment in an image file.

```
$ exiv2 -c "Messier 81 & 82" M81-82.jpg
$ strings M81-82.jpg | grep Messier
Messier 81 & 82
$ exiv2 -pc M81-82.jpg
Messier 81 & 82
```

Ran gthumb and darktable under strace to show that they use the exiv2 library.

Examined some camera images:

```
$ exiv2 -pe image1.jpeg
Exif.Image.Orientation                       Short       1  6
Exif.Image.XResolution                       Rational    1  72/1
Exif.Image.YResolution                       Rational    1  72/1
[...]
Exif.Image.ExifTag                           Long        1  102
Exif.Photo.ExifVersion                       Undefined   4  48 50 50 49
Exif.Photo.ComponentsConfiguration           Undefined   4  1 2 3 0
Exif.Photo.FlashpixVersion                   Undefined   4  48 49 48 48
Exif.Photo.ColorSpace                        Short       1  1
[...]
Exif.Thumbnail.JPEGInterchangeFormat         Long        1  286
Exif.Thumbnail.JPEGInterchangeFormatLength   Long        1  11103
$ exiv2 -K Exif.Photo.ColorSpace image2.jpg
Exif.Photo.ColorSpace                        Short       1  sRGB
```

Looks good for mga7.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Thank you, Len. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update

Thomas Backlund, 2021-06-08 17:25:34 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0240.html

Status: ASSIGNED => RESOLVED
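The QA comments above repeat the same manual check per PoC: run `exiv2 in FILE` and see whether the process segfaults or exits with exiv2's "corrupted image metadata" error. The harness below is an added example, not part of the bug report or of Mageia's QA tooling; it automates that check by decoding the exit status (128 + signal number means the process was killed by a signal). The `run_poc` function takes any command, so the crash path can be exercised without exiv2 installed; the PoC directory name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: regression harness for the "run the PoC after the update" step.
# A process killed by a signal (SIGSEGV before the update) has exit status >= 128;
# a clean error from exiv2 ("corrupted image metadata") is an ordinary exit code.

# run_poc LABEL CMD [ARGS...]: runs CMD, prints a one-line verdict.
# Returns 0 when the command exited normally (exit code below 128),
# 1 when it was killed by a signal (a crash).
run_poc() {
    label=$1; shift
    "$@" >/dev/null 2>&1
    status=$?
    if [ "$status" -ge 128 ]; then
        echo "$label: CRASH (killed by signal $((status - 128)))"
        return 1
    fi
    echo "$label: exit $status (no crash)"
    return 0
}

# run_all_pocs DIR: runs `exiv2 in FILE` for every regular file in DIR,
# mirroring the manual tests in the thread; returns the number of crashing PoCs.
run_all_pocs() {
    dir=$1
    crashes=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        run_poc "$(basename "$f")" exiv2 in "$f" || crashes=$((crashes + 1))
    done
    echo "$crashes crashing PoC(s) in $dir"
    return "$crashes"
}

# Usage (constructed placeholder directory holding e.g. tests_29457, tests_29458):
# run_all_pocs ./exiv2-pocs
```

A non-zero return from `run_all_pocs` means at least one PoC still crashes the updated binary; a PoC that exits with an error message but no signal is the "good result" the testers were looking for.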