Bug 21158 - gwenview crashes since it was rebuild against latest libexiv
Summary: gwenview crashes since it was rebuild against latest libexiv
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: x86_64 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks: 21922
  Show dependency treegraph
Reported: 2017-06-27 21:08 CEST by José Jorge
Modified: 2017-10-30 20:24 CET (History)
5 users (show)

See Also:
Source RPM: exiv2-0.26-2.mga6.src.rpm
Status comment:

Testcase of pentax EXIF that crashes gwenview (292.87 KB, image/jpeg)
2017-08-28 09:59 CEST, José Jorge
Patch fixes exiv2 segfault on images from pentax cameras (595 bytes, patch)
2017-10-25 13:11 CEST, Mike Rambo
Details | Diff

Description José Jorge 2017-06-27 21:08:21 CEST
Description of problem:
It simply crashes on folders with jpg images containing exif data.

Version-Release number of selected component (if applicable):

How reproducible:
Always, into a new images folder (it does not crash on older folders in my system)

Steps to Reproduce:
1.open gwenview
2.browse to an images folder
Comment 1 José Jorge 2017-06-27 21:11:27 CEST
(gdb) backtrace
#0  0x00007ffff27edeef in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /lib64/libexiv2.so.26
#1  0x00007ffff2832af1 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) ()
   from /lib64/libexiv2.so.26
#2  0x00007ffff76d5870 in Exiv2::operator<< (md=..., os=...) at /usr/include/exiv2/metadatum.hpp:305
#3  Gwenview::ImageMetaInfoModelPrivate::fillExivGroup<Exiv2::ExifData, std::_List_const_iterator<Exiv2::Exifdatum> > (this=0xd77140, parent=..., 
    group=group@entry=0xd230f0, container=...) at /usr/src/debug/gwenview-16.12.3/lib/imagemetainfomodel.cpp:276
#4  0x00007ffff76d2933 in Gwenview::ImageMetaInfoModel::setExiv2Image (this=<optimized out>, image=0x7fffcc003580)
    at /usr/src/debug/gwenview-16.12.3/lib/imagemetainfomodel.cpp:372
#5  0x00007ffff7694e15 in Gwenview::Document::setExiv2Image (this=0xd87b80, image=...) at /usr/src/debug/gwenview-16.12.3/lib/document/document.cpp:395
#6  0x00007ffff7693fd4 in Gwenview::AbstractDocumentImpl::setDocumentExiv2Image (this=this@entry=0xd87f40, image=...)
    at /usr/src/debug/gwenview-16.12.3/lib/document/abstractdocumentimpl.cpp:82
#7  0x00007ffff76a12fa in Gwenview::LoadingDocumentImpl::slotMetaInfoLoaded (this=0xd87f40)
    at /usr/src/debug/gwenview-16.12.3/lib/document/loadingdocumentimpl.cpp:491
#8  0x00007ffff380e849 in QMetaObject::activate(QObject*, int, int, void**) () from /lib64/libQt5Core.so.5
#9  0x00007ffff3617c21 in QFutureWatcherBase::event(QEvent*) () from /lib64/libQt5Core.so.5
#10 0x00007ffff4ad9d0c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#11 0x00007ffff4adee76 in QApplication::notify(QObject*, QEvent*) () from /lib64/libQt5Widgets.so.5
#12 0x00007ffff37e3618 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /lib64/libQt5Core.so.5
#13 0x00007ffff37e543b in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /lib64/libQt5Core.so.5
#14 0x00007ffff38359e3 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) () from /lib64/libQt5Core.so.5
#15 0x00007fffedb89ac7 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#16 0x00007fffedb89cf8 in g_main_context_iterate.isra () from /lib64/libglib-2.0.so.0
#17 0x00007fffedb89d9c in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#18 0x00007ffff3835df6 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#19 0x00007ffff37e148a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib64/libQt5Core.so.5
#20 0x00007ffff37e97d1 in QCoreApplication::exec() () from /lib64/libQt5Core.so.5
#21 0x000000000042bc73 in main (argc=1, argv=<optimized out>) at /usr/src/debug/gwenview-16.12.3/app/main.cpp:160
José Jorge 2017-06-27 21:11:37 CEST

CC: (none) => lists.jjorge

Comment 2 David Walser 2017-07-02 16:50:10 CEST
Apparently this library is very buggy:
Comment 3 José Jorge 2017-08-28 09:58:21 CEST
I have found that the bug is only triggered with PENTAX cameras created files. I have seen it with two different models. I attach an example file that triggers the bug.
Comment 4 José Jorge 2017-08-28 09:59:03 CEST
Created attachment 9643 [details]
Testcase of pentax EXIF that crashes gwenview
Comment 5 Mike Rambo 2017-10-21 18:12:32 CEST
My wife just ran into this bug. She uses gwenview as a step in her photo processing. Her main camera is a Pentax K20D. I can thus test any potential solutions that are found.

One of my sons who knows C++ has become interested in the problem so maybe he'll find something. But in the mean time I have had to roll her back to mga5 since it does not exhibit this behavior. If upstream isn't interested in fixing this is a potential solution then to revert exiv to the version in mga5?

We noticed this opening a pentax photo from the console if it helps.

$ gwenview 2017-10-14_13-49-04a.jpg
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
KCrash: Application 'gwenview' crashing...
KCrash: Attempting to start /usr/libexec/drkonqi from kdeinit

[1]+  Stopped                 gwenview 2017-10-14_13-49-04a.jpg

CC: (none) => mrambo

Comment 6 Mike Rambo 2017-10-25 13:11:37 CEST
Created attachment 9755 [details]
Patch fixes exiv2 segfault on images from pentax cameras
Comment 7 Mike Rambo 2017-10-25 13:19:23 CEST
The problem is actually with exiv2 rather than gwenview and I found an upsteam patch which fixes the problem. I confirmed this last night on my wife's computer. Gwenview did not need to be rebuilt to implement the fix, only needed to patch the exiv2 library.

The upstream bug report is http://dev.exiv2.org/issues/1305.

Since pterjan is maintainer I'll see how he wants to handle the fix.

Source RPM: gwenview => exiv2-0.26-2.mga6.src.rpm

Comment 8 Mike Rambo 2017-10-25 14:05:07 CEST
Patched package uploaded for Mageia 6 and cauldron.


Patched exiv2 package fixes bugs:

Opening an image created on certain pentax cameras with gwenview, which uses the exiv2 library, causes gwenview to segfault. Exiv2 upstream created a patch to resolve this problem.

Updated packages in core/updates_testing:


from exiv2-0.26-2.1.mga6.src.rpm

Test procedure: use gwenview and the test image in attachment #1 [details] above to test. gwenview will segfault when opening this image with the unpatched exiv2 library. After updating the exiv2 library this should no longer occur.

Keywords: (none) => has_procedure
Assignee: kde => qa-bugs
Version: Cauldron => 6

Comment 9 David Walser 2017-10-25 17:21:38 CEST
Please add the patches to fix security Bug 21922 also.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=21922

Mike Rambo 2017-10-26 18:53:42 CEST

Blocks: (none) => 21922

Comment 10 Mike Rambo 2017-10-26 19:32:13 CEST
Patched package uploaded for Mageia 6, Mageia 5 and cauldron.


Patched exiv2 package fixes security issues and bugs:

Opening an image created on certain pentax cameras with gwenview, which uses the exiv2 library, causes gwenview to segfault. Exiv2 upstream created a patch to resolve this problem (bugfix - applies only to mga6).

The following security issues were also fixed:
*Heap overflow in Exiv2::Image::printIFDStructure (CVE-2017-11336)
*Invalid free in the Action::TaskFactory::cleanup function (CVE-2017-11337)
*Infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp (CVE-2017-11338)
*Heap-based buffer overflow in the Image::printIFDStructure function of image.cpp (CVE-2017-11339)
*Segmentation fault in the XmpParser::terminate() function(CVE-2017-11340)
*Illegal address access in the extend_alias_table function in localealias.c (CVE-2017-11553)
*Floating point exception in the Exiv2::ValueType function (CVE-2017-11591)
*Alloc-dealloc-mismatch in Exiv2::FileIo::seek (CVE-2017-11592)
*Reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp (CVE-2017-11683)
*Heap-based buffer overflow in basicio.cpp (CVE-2017-12955)
*Illegal address access in Exiv2::FileIo::path[abi:cxx11]() in basicio.cpp (CVE-2017-12956)
*Heap-based buffer over-read in the Exiv2::Image::io function in image.cpp (CVE-2017-12957)
*Bad free in Exiv2::Image::~Image (CVE-2017-14857)
*Invalid memory address dereference in Exiv2::DataValue::read (CVE-2017-14859)
*Heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (CVE-2017-14860)
*Invalid memory address dereference in Exiv2::StringValueBase::read (CVE-2017-14862)
*Invalid memory address dereference in Exiv2::getULong (CVE-2017-14864)


Updated packages in core/updates_testing:

from exiv2-0.26-2.2.mga6.src.rpm


from exiv2-0.24-5.2.mga5.src.rpm

Test procedure for the mga6 bugfix: use gwenview and the test image in attachment #1 [details] above to test. gwenview will segfault when opening this image with the unpatched exiv2 library. After updating the exiv2 library this should no longer occur.

A more general test procedure might be here: https://bugs.mageia.org/show_bug.cgi?id=17877#c1

Whiteboard: (none) => MGA5TOO

Comment 11 Herman Viaene 2017-10-27 11:26:07 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
As I more or less expected from above description, the crash did not occur in M5 with the exiv2-0.24-5.1 packages.
Anyway, installed the test packages and run gwenview thru a list of jpg, pnm, tiff and orf files, including the pentax test file, and it behaved well.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

David Walser 2017-10-27 12:48:53 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 12 Lewis Smith 2017-10-27 14:29:18 CEST
Testing M6/64
Thanks to José for the test file.
Ah. All those added CVEs lead to RedHat bugs with test files. I downloaded a *selection*.

BEFORE the update:

Gwenview does indeed crash on opening the test file.
 $ exiv2 tmp/pentax.jpg 
does not, and produces good output.

$ exiv2 POC2
Aborted (core dumped)

$ exiv2 POC3
Aborted (core dumped)

$ exiv2 POC4
Aborted (core dumped)

$ exiv2 POC5
Aborted (core dumped)

$ exiv2 POC11
invalid type value detected in Image::printIFDStructure:  17937
[repeated indefinitely]

$ exiv2 008-invalid-mem
Segmentation fault (core dumped)

$ exiv2 02-Invalid-mem-def
Segmentation fault (core dumped)

AFTER the update:

Gwenview successfully opens & displays the test image.
 $ exiv2 tmp/pentax.jpg 
produced identical output to previously.

$ exiv2 POC2
Exiv2 exception in print action for file POC2:
invalid memory allocation request

$ exiv2 POC3
Exiv2 exception in print action for file POC3:
invalid memory allocation request

$ exiv2 POC4
Exiv2 exception in print action for file POC4:
invalid memory allocation request

$ exiv2 POC5
Exiv2 exception in print action for file POC5:
invalid memory allocation request

$ exiv2 POC11
Exiv2 exception in print action for file POC11:
invalid memory allocation request

$ exiv2 008-invalid-mem
 [Lots of O/P to...]
Exiv2 exception in print action for file 008-invalid-mem:
corrupted image metadata

$ exiv2 02-Invalid-mem-def 
Exiv2 exception in print action for file 02-Invalid-mem-def:
corrupted image metadata

All these test are +ve; the update is good. Validating, advisory to do.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-10-27 14:55:22 CEST

Keywords: (none) => advisory

Comment 13 Mageia Robot 2017-10-30 20:24:09 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.