Bug 1470913
Summary: There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in exiv2. A crafted input will lead to a remote denial of service attack.

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | exiv2 |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | unspecified |
| Version | 7.5-Alt |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | owl337 <v.owl337> |
| Assignee | Jan Grulich <jgrulich> |
| QA Contact | Desktop QE <desktop-qa-list> |
| CC | dan.cermak, raphael |
| Keywords | Security |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2019-08-06 12:46:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1474325 |
Please, report this issue to upstream. Thanks!

I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/51

This has been fixed upstream (on master, backported to 0.26; backporting to 0.25 is in progress).

Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101
Created attachment 1298062 [details]
Triggered by "./exiv2 $POC"

Description of problem:
There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in exiv2. A crafted input will lead to a remote denial of service attack.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 POC4

Steps to Reproduce:
The output information is as follows:

```
$./exiv2 POC4
RW2 IMAGE
```

GDB debugging information is as follows:

```
(gdb) set args POC4
(gdb) r
...
(gdb) bt
#0  Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0, bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:492
#1  0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x611000009dc0, io=..., out=..., option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#2  0x00007ffff724924c in Exiv2::Rw2Image::printStructure (this=<optimized out>, out=..., option=<optimized out>, depth=<optimized out>) at rw2image.cpp:115
#3  0x00007ffff724a1dc in Exiv2::Rw2Image::readMetadata (this=<optimized out>) at rw2image.cpp:134
#4  0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#5  0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#6  0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
```

This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:492, which will result in an infinite loop.

```cpp
348     do {
349         // Read top of directory
350         io.seek(start,BasicIo::beg);
351         io.read(dir.pData_, 2);
352         uint16_t dirLength = byteSwap2(dir,0,bSwap);
353
354         bool tooBig = dirLength > 500;
355         if ( tooBig ) throw Error(55);
356
357         if ( bFirst && bPrint ) {
359             if ( tooBig ) out << Internal::indent(depth) << "dirLength = " << dirLength << std::endl;
360         }
361 ...
491         if ( start ) {
492             io.read(dir.pData_, 4);
493             start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
494         }
495     } while (start) ;
```

Actual results:
denial of service

Expected results:
denial of service

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
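The loop quoted in the report keeps following each directory's next-IFD offset in `start` until it reads 0, so a file whose last directory points back at an earlier one is never left. The following added example (not exiv2 code and not the upstream fix) walks the same kind of chain over a constructed in-memory little-endian TIFF buffer and rejects a revisited offset or an out-of-range one; the names `walkIfdChain` and `makeChain` are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Little-endian readers over an in-memory byte buffer (sample data below is constructed).
static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint32_t>(b[off]) | (static_cast<uint32_t>(b[off + 1]) << 8)
         | (static_cast<uint32_t>(b[off + 2]) << 16) | (static_cast<uint32_t>(b[off + 3]) << 24);
}

// Walk the IFD chain beginning at `start`. Each IFD is a uint16 entry count,
// count*12 bytes of entries, then the uint32 offset of the next IFD (0 ends the chain),
// which is the same pointer the quoted exiv2 loop follows. Returns the number of
// directories visited, or -1 for a malformed chain: an offset outside the buffer, a
// chain longer than maxDirs, or an offset already visited (a cycle). The `seen` set and
// the cap are the hypothetical guards added here; the quoted loop had neither.
int walkIfdChain(const std::vector<uint8_t>& buf, uint32_t start, int maxDirs = 64) {
    std::set<uint32_t> seen;
    int visited = 0;
    while (start != 0) {
        if (!seen.insert(start).second) return -1;                   // next pointer loops back
        if (static_cast<size_t>(start) + 2 > buf.size()) return -1;  // header out of range
        size_t nextOff = start + 2 + static_cast<size_t>(rd16(buf, start)) * 12;
        if (nextOff + 4 > buf.size()) return -1;                     // entries or next pointer out of range
        if (++visited > maxDirs) return -1;                          // hard cap, independent of cycle check
        start = rd32(buf, nextOff);
    }
    return visited;
}

// Constructed 20-byte sample: TIFF header, then two empty IFDs at offsets 8 and 14.
// With cyclic=true the second IFD's next pointer goes back to offset 8.
std::vector<uint8_t> makeChain(bool cyclic) {
    std::vector<uint8_t> b(20, 0);
    b[0] = 'I'; b[1] = 'I'; b[2] = 42; b[4] = 8;   // "II", magic 42, first IFD at 8
    b[10] = 14;                                     // IFD@8: 0 entries, next IFD at 14
    b[16] = cyclic ? 8 : 0;                         // IFD@14: 0 entries, next = 8 or end
    return b;
}
```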