Ubuntu has issued advisories on May 10 and May 25:
https://ubuntu.com/security/notices/USN-4941-1
https://ubuntu.com/security/notices/USN-4964-1

The issues are fixed upstream in 0.27.4.

Mageia 7 and Mageia 8 are also affected.

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 0.27.4
CC: (none) => nicolas.salguero
Summary: exiv2 new security issues => exiv2 new security issues CVE-2021-3482, CVE-2021-2945[78], CVE-2021-2946[34], CVE-2021-2947[03], CVE-2021-29623, CVE-2021-32617
Fedora has issued an advisory for some of these issues on May 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
Fedora has issued an advisory for the last two issues today (May 30): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482)

Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29457)

Out-of-bounds read in Exiv2::Internal::CrwMap::encode. (CVE-2021-29458)

Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2021-29463)

Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-29464)

Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header. (CVE-2021-29470)

Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata. (CVE-2021-29473)

Read of uninitialized memory may lead to information leak. (CVE-2021-29623)

DoS due to quadratic complexity in ProcessUTF8Portion. (CVE-2021-32617)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32617
https://ubuntu.com/security/notices/USN-4941-1
https://ubuntu.com/security/notices/USN-4964-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XQT5F5IINTDYDAFGVGQZ7PMMLG7I5ZZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5I3RRZUGSBIUYZ5TIHLN55PKMAWCSJ5G/
========================

Updated packages in 7/core/updates_testing:
========================
exiv2-0.27.1-3.5.mga7
lib(64)exiv2_27-0.27.1-3.5.mga7
lib(64)exiv2-devel-0.27.1-3.5.mga7
exiv2-doc-0.27.1-3.5.mga7

from SRPM:
exiv2-0.27.1-3.5.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
exiv2-0.27.3-1.1.mga8
lib(64)exiv2_27-0.27.3-1.1.mga8
lib(64)exiv2-devel-0.27.3-1.1.mga8
exiv2-doc-0.27.3-1.1.mga8

from SRPM:
exiv2-0.27.3-1.1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 0.27.4 => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
mga8, x64

CVE-2021-3482 https://github.com/Exiv2/exiv2/issues/1522
$ exiv2 poc.jpg
File name : poc.jpg
File size : 268 Bytes
MIME type : image/jp2
Image size : 0 x 0
poc.jpg: No Exif data found in the file
Not obvious if this is an effective PoC. Maybe fixed already.

CVE-2021-29457 https://github.com/Exiv2/exiv2/issues/1529
The PoC comes as two files, poc and poc.exv. The actual names need to be shortened for legibility.
$ exiv2 in tests_29457
Segmentation fault (core dumped)

CVE-2021-29458 https://github.com/Exiv2/exiv2/issues/1530
$ exiv2 in tests_29458
Segmentation fault (core dumped)

CVE-2021-294{58,63,64}: no PoC found
CVE-2021-294{70,73}: regression tests mentioned, no explicit instructions
CVE-2021-29623: no PoC
CVE-2021-32617: PoC involves a large invalid file, not tested upstream

Updated the four packages. Ran the available PoCs. The first one, for CVE-2021-3482, returned the same output as before.
$ exiv2 in tests_29457
tests_29457: Could not write metadata to file: corrupted image metadata
$ exiv2 in tests_29458
tests_29458: Could not write metadata to file: corrupted image metadata
Good results for those two.

Placed a comment in an image file.
$ exiv2 -c "Orange smog here" PIA19642Titan.jpg
$ strings PIA19642Titan.jpg | grep smog
Orange smog here
$ exiv2 -pc PIA19642Titan.jpg
Orange smog here

Ran a couple of applications which use libexiv2.
$ strace -o thumb.trace gthumb .
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 25
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=156248, ...}) = 0
$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3

Giving this an OK.

CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
mga7, x86_64

Tested the PoCs using the files from the mga8 tests.

CVE-2021-3482
$ exiv2 poc.jpg
[...]
poc.jpg: No Exif data found in the file

CVE-2021-29457
$ exiv2 in tests_29457
Segmentation fault (core dumped)

CVE-2021-29458
$ exiv2 in tests_29458
$
This segfaults upstream.

Updated the packages.

PoC tests:
Same output for CVE-2021-3482.
$ exiv2 in tests_29457
tests_29457: Could not write metadata to file: corrupted image metadata
<good result>
$ exiv2 in tests_29458
$
<This one is equivocal - maybe fixed already - ?>
Probably not worth pursuing this given that mga7 is close to EOS.

Placed a comment in an image file.
$ exiv2 -c "Messier 81 & 82" M81-82.jpg
$ strings M81-82.jpg | grep Messier
Messier 81 & 82
$ exiv2 -pc M81-82.jpg
Messier 81 & 82

Ran gthumb and darktable under strace to show that they use the exiv2 library.

Examined some camera images:
$ exiv2 -pe image1.jpeg
Exif.Image.Orientation                       Short       1  6
Exif.Image.XResolution                       Rational    1  72/1
Exif.Image.YResolution                       Rational    1  72/1
[...]
Exif.Image.ExifTag                           Long        1  102
Exif.Photo.ExifVersion                       Undefined   4  48 50 50 49
Exif.Photo.ComponentsConfiguration           Undefined   4  1 2 3 0
Exif.Photo.FlashpixVersion                   Undefined   4  48 49 48 48
Exif.Photo.ColorSpace                        Short       1  1
[...]
Exif.Thumbnail.JPEGInterchangeFormat         Long        1  286
Exif.Thumbnail.JPEGInterchangeFormatLength   Long        1  11103
$ exiv2 -K Exif.Photo.ColorSpace image2.jpg
Exif.Photo.ColorSpace                        Short       1  sRGB

Looks good for mga7.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
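Both test comments above feed each PoC file to exiv2 by hand and read the outcome off the terminal. The following POSIX shell harness is an added example, not part of this bug report, that does the same check by exit status so a handled error ("Could not write metadata to file") is told apart from a crash by signal; exiv2 on PATH, the POC_CMD and POC_TIMEOUT variables and the function names are my own assumptions.

```shell
#!/bin/sh
# Added QA harness (not from the bug report). Each PoC is run with output
# discarded and classified by exit status, so "fixed" (a handled error)
# is distinguishable from "still crashes" (killed by a signal).
# Assumes exiv2 is on PATH; POC_CMD (default "exiv2 in") overrides the
# command, POC_TIMEOUT (seconds, needs coreutils timeout) bounds each run.

# classify_run CMD [ARG...]: print one of
#   ok        exit status 0
#   handled   non-zero exit, e.g. "corrupted image metadata"
#   crash:N   killed by signal N (11 = SIGSEGV, 6 = SIGABRT)
#   timeout   exceeded POC_TIMEOUT (guards the CVE-2021-32617 case,
#             whose PoC is a large invalid file that makes the parser spin)
classify_run() {
  _rc=0
  if [ -n "${POC_TIMEOUT:-}" ]; then
    timeout "$POC_TIMEOUT" "$@" >/dev/null 2>&1 || _rc=$?
  else
    "$@" >/dev/null 2>&1 || _rc=$?
  fi
  if [ "$_rc" -eq 0 ]; then
    echo ok
  elif [ "$_rc" -eq 124 ] && [ -n "${POC_TIMEOUT:-}" ]; then
    echo timeout
  elif [ "$_rc" -gt 128 ]; then
    echo "crash:$((_rc - 128))"
  else
    echo handled
  fi
}

# check_pocs FILE...: run every file through "$POC_CMD FILE" and print
# "file<TAB>result", one line per PoC, for a quick before/after diff.
check_pocs() {
  for _f in "$@"; do
    # POC_CMD is split on purpose so it can carry a sub-command ("exiv2 in").
    printf '%s\t%s\n' "$_f" "$(classify_run ${POC_CMD:-exiv2 in} "$_f")"
  done
}

# Usage on the files from the report, before and after updating the packages:
#   POC_TIMEOUT=30 check_pocs tests_29457 tests_29458
```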
Thank you, Len. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0240.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED