Bug 31074

Summary: exiv2 new security issue CVE-2022-3756
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: exiv2-0.27.3-1.4.mga8.src.rpm CVE: CVE-2022-3756
Status comment:

Description David Walser 2022-11-04 16:19:24 CET 
New CVEs were assigned for exiv2:
https://github.com/Exiv2/exiv2/issues/2406#issuecomment-1302816492

It sounds like the upstream patches are difficult to backport to 0.27.5 due to formatting changes in a previous commit, but it may be possible (or we may have to wait for a new stable release).

Mageia 8 is also affected.
David Walser 2022-11-04 16:19:59 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream

Comment 1 Lewis Smith 2022-11-06 18:59:27 CET 
This SRPM has no official maintainer, but NicolasS has nursed it for some time, so assigning to you (known territory).

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-11-07 11:21:33 CET 
Hi,

According to Debian, only CVE-2022-3756 affects stable versions.  All the other CVEs affect the code after latest version (0.27.5).

I added a patch for CVE-2022-3756 in exiv2-0.27.5-3.mga9 and exiv2-0.27.3-1.5.mga8.

Best regards,

Nico.
Comment 3 Nicolas Salguero 2022-11-07 14:00:47 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Affected is the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to integer overflow. It is possible to launch the attack remotely. (CVE-2022-3756)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3756
https://github.com/Exiv2/exiv2/issues/2406#issuecomment-1302816492
========================

Updated packages in core/updates_testing:
========================
exiv2-0.27.3-1.5.mga8
exiv2-doc-0.27.3-1.5.mga8
lib(64)exiv2_27-0.27.3-1.5.mga8
lib(64)exiv2-devel-0.27.3-1.5.mga8

from SRPM:
exiv2-0.27.3-1.5.mga8.src.rpm

Status comment: Patches available from upstream => (none)
Summary: exiv2 new security issues CVE-2022-371[7-9] and CVE-2022-375[5-7] => exiv2 new security issue CVE-2022-3756
Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-3756
Assignee: nicolas.salguero => qa-bugs
Source RPM: exiv2-0.27.5-2.mga9.src.rpm => exiv2-0.27.3-1.4.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 4 Herman Viaene 2022-11-07 16:43:43 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29731 for test and confirmation from bug 29440 that gwenview uses this package.
$ exiv2 -c "huwelijksLode" D053.jpg
$ exiv2 -pc D053.jpg 
huwelijksLode
Checked the same folder with images with gwenview. I does access EXIF-info and reflects the change made at the CLI.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-11-10 14:29:06 CET 
Validating. Advisory in comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 David Walser 2022-11-11 18:23:33 CET 
Debian-LTS has issued an advisory for this on November 10:
https://www.debian.org/lts/security/2022/dla-3186
Dave Hodgins 2022-11-13 00:25:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-11-13 03:26:59 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0420.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED