Bug 22801 - exempi new security issues CVE-2018-7728 and CVE-2018-7730
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-18 23:24 CET by David Walser
Modified: 2018-03-26 22:22 CEST

See Also:
Source RPM: exempi-2.2.2-16.mga6.src.rpm
CVE: CVE-2018-7728 CVE-2018-7730
Status comment:



Description David Walser 2018-03-18 23:24:09 CET
openSUSE has issued an advisory today (March 18):
https://lists.opensuse.org/opensuse-updates/2018-03/msg00064.html

The issues are fixed upstream in 2.4.5.

Bug 17877 says that exiv2 bundles exempi, but SUSE, RedHat, and Ubuntu haven't made mention of that this time, so I don't know whether or not it is affected.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-18 23:24:24 CET

Whiteboard: (none) => MGA6TOO

Stig-Ørjan Smelror 2018-03-19 09:12:57 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CVE: (none) => CVE-2018-7728 CVE-2018-7730
CC: (none) => smelror
Assignee: bugsquad => smelror

Comment 1 Stig-Ørjan Smelror 2018-03-19 09:13:16 CET
Cauldron updated to version 2.4.5.
Comment 2 Stig-Ørjan Smelror 2018-03-19 09:54:41 CET
Advisory
========

Exempi has been updated to fix two security issues.

CVE-2018-7728: Specially crafted TIFF images could have been used to cause a denial of service via a heap-based buffer overflow
CVE-2018-7730: Specially crafted Excel files could have been used to cause a denial of service via a heap-based buffer overflow


References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7730


Files
=====

Uploaded to core/updates_testing:

lib64exempi-devel-2.2.2-16.1.mga6.x86_64.rpm
lib64exempi3-2.2.2-16.1.mga6.x86_64.rpm

from exempi-2.2.2-16.1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 3 David Walser 2018-03-19 11:47:25 CET
Stig-Ørjan, did you investigate if exiv2 is affected?
Comment 4 Herman Viaene 2018-03-22 11:33:02 CET
MGA5-32 on Dell Latitude D600 Mate
No installation issues
Found libexempi required by eom. Checked with strace that libexempi is called by eom, and could open metadata of picture correctly.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2018-03-22 20:13:02 CET
To test: M6/64

It seems as if CVE-2018-7728 has a PoC:
 https://bugs.freedesktop.org/show_bug.cgi?id=105205
also CVE-2018-7730:
 https://bugs.freedesktop.org/show_bug.cgi?id=105204
I will try these shortly, just in case they show something +ve.

Advisory done from c2 +  ref from c0.
Lewis Smith 2018-03-22 20:13:27 CET

Keywords: (none) => advisory

Comment 6 Lewis Smith 2018-03-23 10:07:49 CET
Testing M6/64

BEFORE update: lib64exempi3-2.2.2-16.mga6
Trying the PoCs.

$ exempi -x exempi-MD5-152-overflow
processing file exempi-MD5-152-overflow
dump_xmp for file exempi-MD5-152-overflow
EOF in data block

$ exempi -x exempi-PSD_Handler-166-overflow 
processing file exempi-PSD_Handler-166-overflow
dump_xmp for file exempi-PSD_Handler-166-overflow
Segmentation fault (core dumped)

AFTER update: lib64exempi3-2.2.2-16.1.mga6

 $ exempi -x exempi-MD5-152-overflow
Same output as before...

$ exempi -x exempi-PSD_Handler-166-overflow 
processing file exempi-PSD_Handler-166-overflow
dump_xmp for file exempi-PSD_Handler-166-overflow
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.1.2">
 lots of correct looking XML
</x:xmpmeta>
 which *is* proof +ve.

Trying on some TIF images,
 $ exempi -x <filename>
always output correct XML data. This does use the library:
 $ strace exempi -x start.tif 2>&1 | grep libexempi
 open("/lib64/libexempi.so.3", O_RDONLY|O_CLOEXEC) = 3

Following Herman's lead, viewers using this library are:
 eog, eom, xviewer
I installed both eog & eom, but *neither* recognised TIF files at all. I reverted the library, same result; so that was not due to the update. But what are they missing? OKing the update anyway.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
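
The before/after check from comment 6, written as a small repeatable script. This is an added example, not part of the original comment or of Mageia's QA tooling; the function names and the XMP_TOOL override are hypothetical, and only `exempi -x` comes from the page.

```shell
#!/bin/sh
# Added example: before/after crash regression check for a metadata tool.
# XMP_TOOL is an assumed override hook; the default is the command from comment 6.
XMP_TOOL=${XMP_TOOL:-exempi -x}

# classify_run CMD...: print ok, error:<status>, or crash:<signal number>.
# A shell reports death by signal as 128+N (139 = signal 11, SIGSEGV on Linux).
# Heuristic: a program that itself exits with a status above 128 looks the same.
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then echo ok
    elif [ "$status" -gt 128 ]; then echo "crash:$((status - 128))"
    else echo "error:$status"
    fi
}

# record_outcomes OUTFILE SAMPLE...: write "sample<TAB>outcome" per sample.
record_outcomes() {
    out=$1; shift
    : > "$out"
    for sample in "$@"; do
        # $XMP_TOOL is left unquoted on purpose so "exempi -x" splits into words
        printf '%s\t%s\n' "$sample" "$(classify_run $XMP_TOOL "$sample")" >> "$out"
    done
}

# verdict BEFORE AFTER: what the pair of outcomes says about the update.
verdict() {
    case "$1/$2" in
        */missing)       echo NOT-RERUN ;;
        crash:*/crash:*) echo STILL-CRASHES ;;
        crash:*/*)       echo FIXED ;;
        */crash:*)       echo REGRESSION ;;
        *)               echo NO-CHANGE ;;   # proves nothing either way
    esac
}

# compare_outcomes BEFORE_FILE AFTER_FILE: one "sample<TAB>verdict" line each.
compare_outcomes() {
    tab=$(printf '\t')
    while IFS=$tab read -r name before; do
        after=$(awk -F'\t' -v n="$name" '$1 == n { print $2 }' "$2")
        printf '%s\t%s\n' "$name" "$(verdict "$before" "${after:-missing}")"
    done < "$1"
}
```

Run `record_outcomes` over the same sample files once with the old library installed and once with the update, then pass both result files to `compare_outcomes`. A sample that gives the same non-crash outcome both times, like the first file in comment 6, comes out as NO-CHANGE and confirms nothing about the fix.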

Comment 7 Mageia Robot 2018-03-26 22:22:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0183.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

