Bug 29325

Summary: exiv2 new security issue CVE-2021-31291
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: exiv2-0.27.3-1.1.mga8.src.rpm CVE: CVE-2021-31291
Status comment:

Description David Walser 2021-08-03 04:07:02 CEST 
Ubuntu has issued an advisory today (August 2):
https://ubuntu.com/security/notices/USN-5028-1

Mageia 8 is also affected.
David Walser 2021-08-03 04:07:18 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Nicolas Salguero 2021-08-03 09:10:22 CEST 
CVE-2021-31291 is solved in version 0.27.4 so Cauldron is not affected.
Comment 2 Nicolas Salguero 2021-08-03 09:14:19 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata. (CVE-2021-31291)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31291
https://ubuntu.com/security/notices/USN-5028-1
========================

Updated packages in core/updates_testing:
========================
exiv2-doc-0.27.3-1.2.mga8
lib(64)exiv2_27-0.27.3-1.2.mga8
exiv2-0.27.3-1.2.mga8
lib(64)exiv2-devel-0.27.3-1.2.mga8

from SRPM:
exiv2-0.27.3-1.2.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-31291
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Ubuntu => (none)

Comment 3 Len Lawrence 2021-08-03 13:01:52 CEST 
mga8, x64

CVE-2021-31291
https://github.com/Exiv2/exiv2/issues/1529
Obtained the release resources and had a go at building the ASAN version but ran into errors.  Got as far as
"gmake: warning:  Clock skew detected.  Your build may be incomplete."
Out of my depth.  Not really a path for QA to tread.

Ran test from an earlier bug.
$ exiv2 -c "Orange smog here" PIA19642Titan.jpg
$ exiv2 -pc PIA19642Titan.jpg
"Orange smog here"

Updated the packages.

$ exiv2 -c "Good morning QA" Mimas_Cassini.jpg
$ strings Mimas_Cassini.jpg | grep morning
Good morning QA
$ strace -o thumb.trace gthumb .
lcl@canopus:saturn $ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 26
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 25
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=156248, ...}) = 0
openat(AT_FDCWD, "/usr/share/gthumb/ui/edit-exiv2-page.ui", O_RDONLY) = 29

$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3

That all looks satisfactory.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2021-08-06 03:07:16 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-08-06 11:00:03 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-08-06 11:35:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0396.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED