Description of problem:
It simply crashes on folders with jpg images containing exif data.

Version-Release number of selected component (if applicable):
gwenview-16.12.3-2.mga6

How reproducible:
Always, in a new images folder (it does not crash on older folders in my system)

Steps to Reproduce:
1. open gwenview
2. browse to an images folder
(gdb) backtrace
#0  0x00007ffff27edeef in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /lib64/libexiv2.so.26
#1  0x00007ffff2832af1 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) () from /lib64/libexiv2.so.26
#2  0x00007ffff76d5870 in Exiv2::operator<< (md=..., os=...) at /usr/include/exiv2/metadatum.hpp:305
#3  Gwenview::ImageMetaInfoModelPrivate::fillExivGroup<Exiv2::ExifData, std::_List_const_iterator<Exiv2::Exifdatum> > (this=0xd77140, parent=..., group=group@entry=0xd230f0, container=...) at /usr/src/debug/gwenview-16.12.3/lib/imagemetainfomodel.cpp:276
#4  0x00007ffff76d2933 in Gwenview::ImageMetaInfoModel::setExiv2Image (this=<optimized out>, image=0x7fffcc003580) at /usr/src/debug/gwenview-16.12.3/lib/imagemetainfomodel.cpp:372
#5  0x00007ffff7694e15 in Gwenview::Document::setExiv2Image (this=0xd87b80, image=...) at /usr/src/debug/gwenview-16.12.3/lib/document/document.cpp:395
#6  0x00007ffff7693fd4 in Gwenview::AbstractDocumentImpl::setDocumentExiv2Image (this=this@entry=0xd87f40, image=...) at /usr/src/debug/gwenview-16.12.3/lib/document/abstractdocumentimpl.cpp:82
#7  0x00007ffff76a12fa in Gwenview::LoadingDocumentImpl::slotMetaInfoLoaded (this=0xd87f40) at /usr/src/debug/gwenview-16.12.3/lib/document/loadingdocumentimpl.cpp:491
#8  0x00007ffff380e849 in QMetaObject::activate(QObject*, int, int, void**) () from /lib64/libQt5Core.so.5
#9  0x00007ffff3617c21 in QFutureWatcherBase::event(QEvent*) () from /lib64/libQt5Core.so.5
#10 0x00007ffff4ad9d0c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#11 0x00007ffff4adee76 in QApplication::notify(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#12 0x00007ffff37e3618 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /lib64/libQt5Core.so.5
#13 0x00007ffff37e543b in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /lib64/libQt5Core.so.5
#14 0x00007ffff38359e3 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) () from /lib64/libQt5Core.so.5
#15 0x00007fffedb89ac7 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#16 0x00007fffedb89cf8 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
#17 0x00007fffedb89d9c in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#18 0x00007ffff3835df6 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#19 0x00007ffff37e148a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#20 0x00007ffff37e97d1 in QCoreApplication::exec() () from /lib64/libQt5Core.so.5
#21 0x000000000042bc73 in main (argc=1, argv=<optimized out>) at /usr/src/debug/gwenview-16.12.3/app/main.cpp:160
CC: (none) => lists.jjorge
Apparently this library is very buggy: http://openwall.com/lists/oss-security/2017/06/30/1
I have found that the bug is only triggered with files created by PENTAX cameras. I have seen it with two different models. I attach an example file that triggers the bug.
Created attachment 9643 [details] Testcase of pentax EXIF that crashes gwenview
My wife just ran into this bug. She uses gwenview as a step in her photo processing. Her main camera is a Pentax K20D. I can thus test any potential solutions that are found. One of my sons who knows C++ has become interested in the problem, so maybe he'll find something. But in the meantime I have had to roll her back to mga5 since it does not exhibit this behavior. If upstream isn't interested in fixing this, is a potential solution then to revert exiv2 to the version in mga5?

We noticed this opening a pentax photo from the console, if it helps.

$ gwenview 2017-10-14_13-49-04a.jpg
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
KCrash: Application 'gwenview' crashing...
KCrash: Attempting to start /usr/libexec/drkonqi from kdeinit sock_file=/run/user/1000/kdeinit5__0

[1]+  Stopped                 gwenview 2017-10-14_13-49-04a.jpg
CC: (none) => mrambo
Created attachment 9755 [details] Patch fixes exiv2 segfault on images from pentax cameras
The problem is actually with exiv2 rather than gwenview, and I found an upstream patch which fixes the problem. I confirmed this last night on my wife's computer. Gwenview did not need to be rebuilt to implement the fix; it was only necessary to patch the exiv2 library. The upstream bug report is http://dev.exiv2.org/issues/1305. Since pterjan is maintainer I'll see how he wants to handle the fix.
Source RPM: gwenview => exiv2-0.26-2.mga6.src.rpm
Patched package uploaded for Mageia 6 and cauldron.

Advisory:
========================

Patched exiv2 package fixes bugs:

Opening an image created on certain pentax cameras with gwenview, which uses the exiv2 library, causes gwenview to segfault. Exiv2 upstream created a patch to resolve this problem.

Updated packages in core/updates_testing:
========================
exiv2-0.26-2.1.mga6
lib[64]exiv2_26-0.26-2.1.mga6
lib[64]exiv2-devel-0.26-2.1.mga6
exiv2-doc-0.26-2.1.mga6.noarch.rpm

from exiv2-0.26-2.1.mga6.src.rpm

Test procedure: use gwenview and the test image in attachment #1 [details] above to test. gwenview will segfault when opening this image with the unpatched exiv2 library. After updating the exiv2 library this should no longer occur.
Keywords: (none) => has_procedure
Assignee: kde => qa-bugs
Version: Cauldron => 6
Please add the patches to fix security Bug 21922 also.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21922
Blocks: (none) => 21922
Patched package uploaded for Mageia 6, Mageia 5 and cauldron.

Advisory:
========================

Patched exiv2 package fixes security issues and bugs:

Opening an image created on certain pentax cameras with gwenview, which uses the exiv2 library, causes gwenview to segfault. Exiv2 upstream created a patch to resolve this problem (bugfix - applies only to mga6).

The following security issues were also fixed:
*Heap overflow in Exiv2::Image::printIFDStructure (CVE-2017-11336)
*Invalid free in the Action::TaskFactory::cleanup function (CVE-2017-11337)
*Infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp (CVE-2017-11338)
*Heap-based buffer overflow in the Image::printIFDStructure function of image.cpp (CVE-2017-11339)
*Segmentation fault in the XmpParser::terminate() function (CVE-2017-11340)
*Illegal address access in the extend_alias_table function in localealias.c (CVE-2017-11553)
*Floating point exception in the Exiv2::ValueType function (CVE-2017-11591)
*Alloc-dealloc-mismatch in Exiv2::FileIo::seek (CVE-2017-11592)
*Reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp (CVE-2017-11683)
*Heap-based buffer overflow in basicio.cpp (CVE-2017-12955)
*Illegal address access in Exiv2::FileIo::path[abi:cxx11]() in basicio.cpp (CVE-2017-12956)
*Heap-based buffer over-read in the Exiv2::Image::io function in image.cpp (CVE-2017-12957)
*Bad free in Exiv2::Image::~Image (CVE-2017-14857)
*Invalid memory address dereference in Exiv2::DataValue::read (CVE-2017-14859)
*Heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (CVE-2017-14860)
*Invalid memory address dereference in Exiv2::StringValueBase::read (CVE-2017-14862)
*Invalid memory address dereference in Exiv2::getULong (CVE-2017-14864)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
https://bugs.mageia.org/show_bug.cgi?id=21158
https://bugs.mageia.org/show_bug.cgi?id=21922
========================

Updated packages in core/updates_testing:
========================
exiv2-0.26-2.2.mga6
lib[64]exiv2_26-0.26-2.2.mga6
lib[64]exiv2-devel-0.26-2.2.mga6
exiv2-doc-0.26-2.2.mga6.noarch.rpm

from exiv2-0.26-2.2.mga6.src.rpm

exiv2-0.24-5.2.mga5
lib[64]exiv2_13-0.24-5.2.mga5
lib[64]exiv2-devel-0.24-5.2.mga5
exiv2-doc-0.24-5.2.mga5.noarch.rpm

from exiv2-0.24-5.2.mga5.src.rpm

Test procedure for the mga6 bugfix: use gwenview and the test image in attachment #1 [details] above to test. gwenview will segfault when opening this image with the unpatched exiv2 library. After updating the exiv2 library this should no longer occur.

A more general test procedure might be here: https://bugs.mageia.org/show_bug.cgi?id=17877#c1
Whiteboard: (none) => MGA5TOO
MGA5-32 on Asus A6000VM Xfce

No installation issues.

As I more or less expected from the above description, the crash did not occur in M5 with the exiv2-0.24-5.1 packages. Anyway, installed the test packages and ran gwenview through a list of jpg, pnm, tiff and orf files, including the pentax test file, and it behaved well.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
QA Contact: (none) => security
Component: RPM Packages => Security
Testing M6/64

Thanks to José for the test file. Ah. All those added CVEs lead to RedHat bugs with test files. I downloaded a *selection*.

BEFORE the update:
exiv2-0.26-2.mga6
lib64exiv2_26-0.26-2.mga6

Gwenview does indeed crash on opening the test file.
$ exiv2 tmp/pentax.jpg
does not, and produces good output.
$ exiv2 POC2
...
Aborted (core dumped)
$ exiv2 POC3
...
Aborted (core dumped)
$ exiv2 POC4
...
Aborted (core dumped)
$ exiv2 POC5
...
Aborted (core dumped)
$ exiv2 POC11
invalid type value detected in Image::printIFDStructure: 17937
[repeated indefinitely]
^C
$ exiv2 008-invalid-mem
...
Segmentation fault (core dumped)
$ exiv2 02-Invalid-mem-def
Segmentation fault (core dumped)
------------------------------------
AFTER the update:
exiv2-0.26-2.2.mga6
lib64exiv2_26-0.26-2.2.mga6

Gwenview successfully opens & displays the test image.
$ exiv2 tmp/pentax.jpg
produced identical output to previously.
$ exiv2 POC2
Exiv2 exception in print action for file POC2: invalid memory allocation request
$ exiv2 POC3
Exiv2 exception in print action for file POC3: invalid memory allocation request
$ exiv2 POC4
RW2 IMAGE
Exiv2 exception in print action for file POC4: invalid memory allocation request
$ exiv2 POC5
ORF IMAGE
Exiv2 exception in print action for file POC5: invalid memory allocation request
$ exiv2 POC11
ORF IMAGE
Exiv2 exception in print action for file POC11: invalid memory allocation request
$ exiv2 008-invalid-mem
[Lots of O/P to...]
Exiv2 exception in print action for file 008-invalid-mem: corrupted image metadata
$ exiv2 02-Invalid-mem-def
Exiv2 exception in print action for file 02-Invalid-mem-def: corrupted image metadata

All these tests are +ve; the update is good. Validating, advisory to do.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
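The before/after check in the QA comment above, as a script a tester can point at a directory holding the Pentax test file and the downloaded PoC files: a clean run or an "Exiv2 exception in print action" is a pass, a signal death or a hang is a fail. This is an added example, not from the bug report or the exiv2 project; it assumes the exiv2 CLI is on PATH (or named via EXIV2_BIN), that coreutils timeout is available to catch the POC11-style infinite loop, and that exiv2 exits with status 1 after reporting its own exception.

```shell
#!/bin/sh
# Constructed crash-check script (not from the bug report or the exiv2 project).
# Runs `exiv2 pr` over every file in a directory and sorts each outcome into a
# verdict, mirroring the manual before/after test. Assumes exiv2 is on PATH
# (override with EXIV2_BIN), coreutils timeout is present, and exiv2 exits 1
# after printing "Exiv2 exception in print action ..." (the fixed behaviour).
EXIV2_BIN="${EXIV2_BIN:-exiv2}"
TIMEOUT_SECS="${TIMEOUT_SECS:-10}"

# Map the exit status seen by the shell to a verdict. A death by signal N is
# reported as 128+N (by the shell and by timeout alike); a timeout is 124.
classify_status() {
  case "$1" in
    0)   echo "ok" ;;        # metadata printed, no error
    1)   echo "handled" ;;   # exiv2 raised its own exception: the fixed behaviour
    124) echo "hang" ;;      # killed by timeout, e.g. the printIFDStructure loop
    134) echo "abort" ;;     # SIGABRT: "Aborted (core dumped)"
    139) echo "segfault" ;;  # SIGSEGV: "Segmentation fault (core dumped)"
    *)   echo "other($1)" ;;
  esac
}

# Run exiv2's print action on one file and print its verdict. The `|| rc=$?`
# form keeps the script usable under `set -e`.
run_case() {
  rc=0
  if command -v timeout >/dev/null 2>&1; then
    timeout "$TIMEOUT_SECS" "$EXIV2_BIN" pr "$1" >/dev/null 2>&1 || rc=$?
  else
    "$EXIV2_BIN" pr "$1" >/dev/null 2>&1 || rc=$?
  fi
  classify_status "$rc"
}

# Walk a directory of test files; the return value is the number of files that
# still crash or hang (ok and handled both count as passes, as in the comment).
crashcheck_dir() {
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    v=$(run_case "$f")
    printf '%-10s %s\n' "$v" "$f"
    case "$v" in ok|handled) ;; *) bad=$((bad + 1)) ;; esac
  done
  return "$bad"
}

# Usage: sh exiv2-crashcheck.sh /path/to/testfiles
if [ $# -gt 0 ]; then crashcheck_dir "$1"; fi
```

Run it once with the old exiv2 packages and once after the update; with the unpatched library the PoC files show abort, segfault or hang, and after it every line should read ok or handled.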
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0391.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED