Ubuntu has issued an advisory on July 15:
https://usn.ubuntu.com/4056-1/

Mageia 6 and Mageia 7 are also affected.
Blocks: (none) => 22075
Mageia 6 in Bug 22075.
Whiteboard: (none) => MGA7TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
CC: (none) => geiger.david68210, marja11, mrambo
Assignee: bugsquad => pkg-bugs
See Bug 22075 for some additional issues.
Ubuntu has issued an advisory on October 21: https://usn.ubuntu.com/4159-1/
Summary: exiv2 new security issues CVE-2019-1311[0234] => exiv2 new security issues CVE-2019-1311[0234] and CVE-2019-17402
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file. (CVE-2019-13110)

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file. (CVE-2019-13112)

Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file. (CVE-2019-13113)

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character. (CVE-2019-13114)

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. (CVE-2019-17402)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17402
https://usn.ubuntu.com/4056-1/
https://usn.ubuntu.com/4159-1/
========================

Updated packages in core/updates_testing:
========================

exiv2-0.27.1-3.1.mga7
lib(64)exiv2_27-0.27.1-3.1.mga7
lib(64)exiv2-devel-0.27.1-3.1.mga7
exiv2-doc-0.27.1-3.1.mga7

from SRPMS:
exiv2-0.27.1-3.1.mga7.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 21158 for inspiration.
Used gwenview to view different file types: exr, tiff, jpg, ORF, ppm, bmp. All display OK.
Used exiv2 command on same files, all produce sensible output like:

$ exiv2 P7212389.ORF
File name       : P7212389.ORF
File size       : 14127616 Bytes
MIME type       : image/x-olympus-orf
Image size      : 3360 x 2504
Camera make     : OLYMPUS IMAGING CORP.
Camera model    : E-500
Image timestamp : 2012:07:21 14:41:03
Image number    :
Exposure time   : 1/60 s
Aperture        : F5
Exposure bias   : 0 EV
Flash           : Yes, compulsory
Flash bias      :
Focal length    : 34.0 mm
Subject distance:
ISO speed       : 200
Exposure mode   : Aperture priority
Metering mode   : Spot
Macro mode      : Off
Image quality   : (4)
Exif Resolution : 3360 x 2504
White balance   : Manual
Thumbnail       : image/jpeg, 11065 Bytes
Copyright       :
Exif comment    :

Good to go for me.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Fedora has issued an advisory on August 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FGBT5OD2TF4AIXJUC56WOUJRHAZLZ4DC/

Nicolas, is it too late to include fixes for CVE-2019-1310[89] and CVE-2019-13114?
(In reply to David Walser from comment #7)
> Fedora has issued an advisory on August 9:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/FGBT5OD2TF4AIXJUC56WOUJRHAZLZ4DC/
>
> Nicolas, is it too late to include fixes for CVE-2019-1310[89] and
> CVE-2019-13114?

The fix for CVE-2019-13114 is already in exiv2-0.27.1-3.1.mga7.
exiv2-0.27.1-3.2.mga7 will include fixes for CVE-2019-1310[89].
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset. (CVE-2019-13108)

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction. (CVE-2019-13109)

A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file. (CVE-2019-13110)

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file. (CVE-2019-13112)

Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file. (CVE-2019-13113)

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character. (CVE-2019-13114)

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. (CVE-2019-17402)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17402
https://usn.ubuntu.com/4056-1/
https://usn.ubuntu.com/4159-1/
========================

Updated packages in core/updates_testing:
========================

exiv2-0.27.1-3.2.mga7
lib(64)exiv2_27-0.27.1-3.2.mga7
lib(64)exiv2-devel-0.27.1-3.2.mga7
exiv2-doc-0.27.1-3.2.mga7

from SRPMS:
exiv2-0.27.1-3.2.mga7.src.rpm
Summary: exiv2 new security issues CVE-2019-1311[0234] and CVE-2019-17402 => exiv2 new security issues CVE-2019-1310[89], CVE-2019-1311[0234] and CVE-2019-17402
Whiteboard: MGA7-64-OK => (none)
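The advisory above describes three defect classes in the file parsers: an offset/size pair never checked against the total size (CVE-2019-13110, CVE-2019-17402), a chunkLength - iccOffset subtraction that wraps when iccOffset is zero or too large (CVE-2019-13108, CVE-2019-13109), and an allocation sized straight from the file (CVE-2019-13112). The following is an added illustration of the missing checks, written for this page and not taken from Exiv2; the function names and the 64 MiB allocation ceiling are assumptions, and the iCCP layout (name, NUL, method byte, compressed profile) follows the PNG specification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper, not Exiv2 code: a directory entry's (offset, size)
 * must lie inside a buffer of `total` bytes. Writing the test as
 * `offset + size <= total` wraps on a crafted pair, so the subtraction form
 * is used instead, after first making sure the subtraction cannot underflow.
 * This is the CVE-2019-13110 / CVE-2019-17402 check. */
bool entry_in_bounds(uint32_t total, uint32_t offset, uint32_t size)
{
    if (offset > total)            /* offset alone is already past the end */
        return false;
    return size <= total - offset; /* safe: total - offset cannot underflow */
}

/* Hypothetical helper, not Exiv2 code: length of the compressed profile in
 * a PNG iCCP chunk. `icc_offset` is the index where the compressed data
 * starts; a zero or oversized value makes `chunk_length - icc_offset` wrap
 * to a huge unsigned number (the CVE-2019-13108 / CVE-2019-13109 class).
 * Returns the payload length, or -1 when the chunk is malformed. */
long icc_payload_len(uint32_t chunk_length, uint32_t icc_offset)
{
    /* Per the PNG spec the profile name is at least one byte, followed by
     * a NUL and a compression-method byte, so a valid offset is >= 3 and
     * can never exceed the chunk length. */
    if (icc_offset < 3 || icc_offset > chunk_length)
        return -1;
    return (long)(chunk_length - icc_offset);
}

/* Hypothetical helper, not Exiv2 code: a size read from the file is not
 * trusted for allocation until it is both covered by the bytes actually
 * present and under an assumed ceiling (CVE-2019-13112 class). */
#define MAX_CHUNK_ALLOC (64u * 1024u * 1024u) /* assumed 64 MiB ceiling */

bool alloc_size_ok(uint32_t requested, uint32_t available)
{
    return requested <= available && requested <= MAX_CHUNK_ALLOC;
}
```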
Having a look at this for x86_64. At least one PoC to follow up. Later.
CC: (none) => tarazed25
*Before update*

CVE-2019-13108
https://github.com/Exiv2/exiv2/issues/789
$ exiv2 56672050-a24f6b80-66ad-11e9-86d9-f0af10b008c9.png
Segmentation fault (core dumped)

CVE-2019-13109
https://github.com/Exiv2/exiv2/issues/790
$ ulimit -v 8000000
$ exiv2 56672813-fb6bcf00-66ae-11e9-9f14-6af4a90257c0.png
Uncaught exception: std::bad_alloc

CVE-2019-13110
https://github.com/Exiv2/exiv2/issues/843
$ exiv2 57623256-52b2e000-7587-11e9-9696-70483a645830.jpg
Segmentation fault (core dumped)

CVE-2019-13112
https://github.com/Exiv2/exiv2/issues/845
$ exiv2 57626292-7e38c900-758d-11e9-99aa-85d538eea630.png
Uncaught exception: std::bad_alloc

CVE-2019-13113
https://github.com/Exiv2/exiv2/issues/841
$ exiv2 57619635-45452800-757e-11e9-8496-9e198b7f53f4.jpg
File name       : 57619635-45452800-757e-11e9-8496-9e198b7f53f4.jpg
File size       : 10078 Bytes
...
<This looks as if it has been fixed already.>

CVE-2019-13114
https://github.com/Exiv2/exiv2/issues/793
The test file is blank.
$ sudo urpmi netcat
<terminal 1 - start fake webserver>
$ cat response1.txt | sudo nc -l -p 80
<terminal 2 - try to connect>
$ exiv2 http://127.0.0.1/test.jpg
Segmentation fault (core dumped)

CVE-2019-17402
https://github.com/Exiv2/exiv2/issues/1019
$ unzip POC-file.zip
$ exiv2 -pv POC-file
Exiv2 exception in print action for file POC-file: corrupted image metadata

Updated the packages.

*After update*

CVE-2019-13108
CVE-2019-13109
CVE-2019-13110
CVE-2019-13112
CVE-2019-13113
$ exiv2 <POC file>
Exiv2 exception in print action for file <POC file>: corrupted image metadata
Note that the CVE-2019-13113 issue 841 was not caught before the update but has been detected afterwards.

CVE-2019-13114
https://github.com/Exiv2/exiv2/issues/793
The test file is blank.
$ sudo urpmi netcat
<terminal 1 - start fake webserver>
$ cat response1.txt | sudo nc -l -p 80
<terminal 2 - try to connect>
$ exiv2 http://127.0.0.1/test.jpg
Segmentation fault (core dumped)

CVE-2019-17402
https://github.com/Exiv2/exiv2/issues/1019
$ unzip POC-file.zip
$ exiv2 -pv POC-file
Exiv2 exception in print action for file POC-file: corrupted image metadata

CVE-2019-13114
Started dummy server.
$ exiv2 http://127.0.0.1/test.jpg
wsa_error = 11,n = 1,sleep_ = 1000 status = 0: Resource temporarily unavailable
Exiv2 exception in print action for file http://127.0.0.1/test.jpg: tiff directory length is too large
The server responded with:
HEAD /test.jpg HTTP/1.0
User-Agent: exiv2http/1.0.0
Accept: */*
Host: 127.0.0.1
No segfault.

CVE-2019-17402
$ exiv2 -pv POC-file
Exiv2 exception in print action for file POC-file: Offset out of range

All these PoC results look good after the update.

Following Herman's lead, checked gwenview with various image formats including Kodak RAW. All displayed correctly.
Used default print option to examine metadata in various files.

$ exiv2 -ps jessica_dither.tif
File name       : jessica_dither.tif
File size       : 35047 Bytes
MIME type       : image/tiff
Image size      : 600 x 447
[...]

$ exiv2 Glenview.png
File name       : Glenview.png
File size       : 1096045 Bytes
MIME type       : image/png
Image size      : 1459 x 1094
Glenview.png: No Exif data found in the file

$ exiv2 IMG_0445.jpg
File name       : IMG_0445.jpg
File size       : 79305 Bytes
MIME type       : image/jpeg
Image size      : 640 x 480
Camera make     : Apple
Camera model    : iPhone 7
[...]

$ exiv2 -c "QA test" toffee.jpg
$ strings toffee.jpg | grep QA
QA test
...
$ exiv2 -pc toffee.jpg
QA test

Looks OK for 64-bits.
Whiteboard: (none) => MGA7-64-OK
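The fake-webserver test above exercises CVE-2019-13114, where a response lacking a space character led to a NULL pointer dereference in http.c. As an added illustration (not Exiv2's http.c, and the function name is hypothetical), this is a status-line parser that treats the missing space as malformed input instead of dereferencing the NULL that strchr returns.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not Exiv2 code: extract the 3-digit status code
 * from the first line of an HTTP response, e.g. "HTTP/1.0 200 OK".
 * Returns the code, or -1 if the line is malformed in any way. */
int parse_status_code(const char *line)
{
    if (line == NULL)
        return -1;

    /* A status line must begin with "HTTP/". */
    if (strncmp(line, "HTTP/", 5) != 0)
        return -1;

    /* strchr yields NULL when the server sent no space at all, which is the
     * crafted response from the advisory; check before using the pointer. */
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return -1;
    sp++;

    /* Exactly three ASCII digits. Stopping at the first non-digit also
     * stops at the terminating NUL, so a short line is never overread. */
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (sp[i] < '0' || sp[i] > '9')
            return -1;
        code = code * 10 + (sp[i] - '0');
    }

    /* The code must be followed by a space, line end or end of string. */
    char term = sp[3];
    if (term != ' ' && term != '\r' && term != '\n' && term != '\0')
        return -1;
    return code;
}
```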
Apologies for the copy-paste fault for CVE-2019-13114, after update.
Validating. Advisory in Comment 9.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0415.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED