Bug 29325 - exiv2 new security issue CVE-2021-31291
Summary: exiv2 new security issue CVE-2021-31291
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-03 04:07 CEST by David Walser
Modified: 2021-08-06 11:35 CEST

See Also:
Source RPM: exiv2-0.27.3-1.1.mga8.src.rpm
CVE: CVE-2021-31291
Status comment:


Description David Walser 2021-08-03 04:07:02 CEST
Ubuntu has issued an advisory today (August 2):
https://ubuntu.com/security/notices/USN-5028-1

Mageia 8 is also affected.

David Walser 2021-08-03 04:07:18 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Nicolas Salguero 2021-08-03 09:10:22 CEST
CVE-2021-31291 is solved in version 0.27.4 so Cauldron is not affected.

Comment 2 Nicolas Salguero 2021-08-03 09:14:19 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata. (CVE-2021-31291)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31291
https://ubuntu.com/security/notices/USN-5028-1
========================

Updated packages in core/updates_testing:
========================
exiv2-doc-0.27.3-1.2.mga8
lib(64)exiv2_27-0.27.3-1.2.mga8
exiv2-0.27.3-1.2.mga8
lib(64)exiv2-devel-0.27.3-1.2.mga8

from SRPM:
exiv2-0.27.3-1.2.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-31291
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Status comment: Patch available from Ubuntu => (none)

Comment 3 Len Lawrence 2021-08-03 13:01:52 CEST
mga8, x64

CVE-2021-31291
https://github.com/Exiv2/exiv2/issues/1529
Obtained the release resources and had a go at building the ASAN version but ran into errors.  Got as far as
"gmake: warning:  Clock skew detected.  Your build may be incomplete."
Out of my depth.  Not really a path for QA to tread.

Ran test from an earlier bug.
$ exiv2 -c "Orange smog here" PIA19642Titan.jpg
$ exiv2 -pc PIA19642Titan.jpg
"Orange smog here"

Updated the packages.

$ exiv2 -c "Good morning QA" Mimas_Cassini.jpg
$ strings Mimas_Cassini.jpg | grep morning
Good morning QA
$ strace -o thumb.trace gthumb .
lcl@canopus:saturn $ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 26
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 25
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=156248, ...}) = 0
openat(AT_FDCWD, "/usr/share/gthumb/ui/edit-exiv2-page.ui", O_RDONLY) = 29

$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3

That all looks satisfactory.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2021-08-06 03:07:16 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-08-06 11:00:03 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-08-06 11:35:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0396.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

