Fedora has issued an advisory today (April 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZTR7ZDRVKLKSI65QBRMJFDTW4EPRPZYH/

We fixed CVE-2018-7728 and CVE-2018-7730 already in Bug 22801. As noted in Bug 22801, we never investigated whether exiv2 is affected by these.
Another Fedora advisory from today shows even more CVEs we haven't fixed yet:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H4PKNNGR3XYNB7B7BYNWTABCOPERDDLB/
Summary: exempi new security issues CVE-2018-7729 and CVE-2018-7731 => exempi new security issues CVE-2018-7729, CVE-2018-7731, and CVE-2017-1823[3-7]
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
(In reply to David Walser from comment #0)
>
> As noted in Bug 22801, we never investigated whether exiv2 is affected by
> these.

Doesn't look like it is - or at least not because it bundles exempi.

"We don't have any plan to build with exempi."
http://dev.exiv2.org/boards/3/topics/2366

The developer says they use Adobe's XMPsdk. Apparently exempi is based on XMPsdk but there is no indication I can find that they suffer from the same vulnerability.
CC: (none) => mrambo
Status comment: (none) => Fixed upstream in 2.4.5
Updated package uploaded for Mageia 6.

Advisory:
========================

Updated exempi package fixes security vulnerabilities:

An issue was discovered in Exempi through 2.4.4. There is a stack-based buffer over-read in the PostScript_MetaHandler::ParsePSFile() function in PostScript_Handler.cpp (CVE-2018-7729).

An issue was discovered in Exempi through 2.4.4. WEBP_Support.cpp does not check whether a bitstream has a NULL value, leading to a NULL pointer dereference in the WEBP::VP8XChunk class (CVE-2018-7731).

An issue was discovered in Exempi before 2.4.4. Integer overflow in the Chunk class in RIFF.cpp allows remote attackers to cause a denial of service (infinite loop) via crafted XMP data in a .avi file (CVE-2017-18233).

An issue was discovered in Exempi before 2.4.3. It allows remote attackers to cause a denial of service (invalid memcpy with resultant use-after-free) or possibly have unspecified other impact via a .pdf file containing JPEG data, related to ReconcileTIFF.cpp, TIFF_MemoryReader.cpp, and TIFF_Support.hpp (CVE-2017-18234).

An issue was discovered in Exempi before 2.4.3. The VPXChunk class in WEBP_Support.cpp does not ensure nonzero widths and heights, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted .webp file (CVE-2017-18235).

An issue was discovered in Exempi before 2.4.4. The ASF_Support::ReadHeaderObject function in ASF_Support.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted .asf file (CVE-2017-18236).

An issue was discovered in Exempi before 2.4.3. The PostScript_Support::ConvertToDate function in PostScript_Support.cpp allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via a crafted .ps file (CVE-2017-18237).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZTR7ZDRVKLKSI65QBRMJFDTW4EPRPZYH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H4PKNNGR3XYNB7B7BYNWTABCOPERDDLB/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18237
========================

Updated packages in core/updates_testing:
========================
lib64exempi3-2.4.5-1.mga6
lib64exempi-devel-2.4.5-1.mga6

from exempi-2.4.5-1.mga6.src.rpm

Testing procedure (or at least hints):
https://bugs.mageia.org/show_bug.cgi?id=22801#c6
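Two of the entries in the advisory above are the same class of bug: a chunk walker whose size arithmetic can be driven into an infinite loop by a crafted length field (the RIFF Chunk class for CVE-2017-18233, ASF_Support::ReadHeaderObject for CVE-2017-18236). As an added illustration of the defensive pattern, written for this editorial note rather than taken from exempi or Adobe's XMPsdk, and making no claim about how upstream actually fixed either issue, here is a bounded top-level RIFF chunk walker in C. Both sample buffers are constructed for the example; the second one carries an oversized chunk length of the kind the advisory describes, and the walker rejects it instead of looping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking a RIFF chunk list. */
typedef struct {
    int ok;            /* 1 if the whole container parsed cleanly, 0 if rejected */
    size_t chunks;     /* number of top-level chunks visited */
    const char *error; /* NULL, or why the input was rejected */
} riff_walk_result;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the top-level chunks of a RIFF container held in buf[0..len).
 * Every size read from the input is compared with the bytes that remain
 * *before* it is added to an offset, so a crafted size can neither read past
 * the buffer nor wrap the cursor back to an earlier position, which is the
 * pattern that turns a chunk walker into an infinite loop. */
riff_walk_result riff_walk(const uint8_t *buf, size_t len) {
    riff_walk_result r = {0, 0, NULL};
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0) {
        r.error = "not a RIFF container";
        return r;
    }
    uint32_t riff_size = rd_le32(buf + 4);      /* bytes after the 8-byte header */
    if (riff_size < 4 || (size_t)riff_size > len - 8) {
        r.error = "RIFF size exceeds buffer";
        return r;
    }
    size_t end = 8 + (size_t)riff_size;         /* <= len, by the check above */
    size_t off = 12;                            /* past "RIFF", size, form type */
    while (off < end) {
        if (end - off < 8) {
            r.error = "truncated chunk header";
            return r;
        }
        uint32_t csize = rd_le32(buf + off + 4);
        size_t payload = off + 8;
        /* Subtract from what remains rather than computing payload + csize:
         * the sum can wrap when offsets are 32-bit, the difference cannot. */
        if ((size_t)csize > end - payload) {
            r.error = "chunk size exceeds container";
            return r;
        }
        size_t next = payload + csize;
        if (csize & 1) {                        /* payloads are padded to even length */
            if (next >= end) {
                r.error = "missing pad byte";
                return r;
            }
            next++;
        }
        off = next;                             /* always > off: the header alone is 8 bytes */
        r.chunks++;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample: a minimal AVI-style container with two chunks
 * (a 4-byte LIST and a 3-byte JUNK chunk plus its pad byte). */
const uint8_t riff_sample_good[] = {
    'R','I','F','F', 28,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 4,0,0,0, 'h','d','r','l',
    'J','U','N','K', 3,0,0,0, 'a','b','c', 0
};

/* Constructed sample: same layout, but the first chunk claims 0xFFFFFFFF bytes. */
const uint8_t riff_sample_bad[] = {
    'R','I','F','F', 28,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 0xFF,0xFF,0xFF,0xFF, 'h','d','r','l',
    'J','U','N','K', 3,0,0,0, 'a','b','c', 0
};

int main(void) {
    riff_walk_result g = riff_walk(riff_sample_good, sizeof riff_sample_good);
    riff_walk_result b = riff_walk(riff_sample_bad, sizeof riff_sample_bad);
    printf("good: ok=%d chunks=%zu\n", g.ok, g.chunks);
    printf("bad:  ok=%d error=%s\n", b.ok, b.error);
    return 0;
}
```

The two properties worth carrying into any container parser are visible in the loop: a length is only ever compared against `end - payload` (a subtraction that cannot overflow), and the cursor advances by at least the 8-byte header on every iteration, so termination does not depend on the file being honest.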
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
Looking for PoCs for this.
CC: (none) => tarazed25
Mageia 6, x86_64

Reproducers tested before updates:

CVE-2018-7729
https://bugs.freedesktop.org/show_bug.cgi?id=105206
$ exempi -x exempi-PostScript_Handler-888-overflow
processing file exempi-PostScript_Handler-888-overflow
dump_xmp for file exempi-PostScript_Handler-888-overflow
as expected.

CVE-2018-7731
https://bugs.freedesktop.org/show_bug.cgi?id=105247
$ exempi -x exempi-WEBP_Support-123-SEGV
processing file exempi-WEBP_Support-123-SEGV
dump_xmp for file exempi-WEBP_Support-123-SEGV

CVE-2017-18233
https://bugs.freedesktop.org/show_bug.cgi?id=102151
$ exempi -x inf-loop.avi
processing file inf-loop.avi
dump_xmp for file inf-loop.avi
^C

CVE-2017-18234
https://bugs.freedesktop.org/show_bug.cgi?id=100397
$ exempi -x crash.pdf
processing file crash.pdf
dump_xmp for file crash.pdf
Bad IFD offset
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.1.2">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""/>
 </rdf:RDF>
</x:xmpmeta>

CVE-2017-18235
https://bugs.freedesktop.org/show_bug.cgi?id=101913
$ exempi -x assert.webp
processing file assert.webp
dump_xmp for file assert.webp

CVE-2017-18236
https://bugs.freedesktop.org/show_bug.cgi?id=102484
$ exempi -x inf-loop.asf
processing file inf-loop.asf
dump_xmp for file inf-loop.asf
^C

CVE-2017-18237
https://bugs.freedesktop.org/show_bug.cgi?id=101914
$ exempi -x convertodate.ps
processing file convertodate.ps
dump_xmp for file convertodate.ps

Several of these issues are suspiciously well handled unlike the aborts and segfaults reported at source. They may have been addressed in an earlier cycle.
Created attachment 10148
Reproducer tests for various CVEs after the update
'exempi -x' is used to dump an eligible file in XML. Use -o to name an output file.

Following Lewis in bug 22801: eom, eog, xviewer do not seem to deal with TIFF. gqview, nomacs, display and gwenview do.

$ exempi -o craters.xml -x craters.tif
processing file craters.tif
dump_xmp for file craters.tif
$ head craters.xml
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.5.0">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:tiff="http://ns.adobe.com/tiff/1.0/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
   <tiff:ImageWidth>1638</tiff:ImageWidth>
   <tiff:ImageLength>1410</tiff:ImageLength>
   <tiff:BitsPerSample>
    <rdf:Seq>
     <rdf:li>8</rdf:li>

$ exempi -o temp.xml -x ~/tmp/abc-0.ps
processing file /home/lcl/tmp/abc-0.ps
dump_xmp for file /home/lcl/tmp/abc-0.ps
$ cat temp.xml
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.5.0">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
   <xmp:CreatorTool>Tk Canvas Widget</xmp:CreatorTool>
   <xmp:CreateDate>2018-05-02T16:07:40Z</xmp:CreateDate>
   <dc:creator>
    <rdf:Seq>
     <rdf:li>Len Lawrence</rdf:li>

$ exempi -o referendum.xml -x 'Referendum doc_01.pdf'
processing file Referendum doc_01.pdf
dump_xmp for file Referendum doc_01.pdf
$ head referendum.xml
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Exempi + XMP Core 5.5.0">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#"
    xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
   <xmp:CreateDate>2014-06-19T14:43:34+01:00</xmp:CreateDate>

OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0239.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2017-18238:
https://usn.ubuntu.com/3668-1/