Bug 1471772
| Summary: | There is an illegal address access in basicio.cpp of exiv2. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> | ||||
| Component: | exiv2 | Assignee: | Jan Grulich <jgrulich> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.5-Alt | CC: | henri, raphael, v.owl337 | ||||
| Target Milestone: | rc | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-08-06 12:46:47 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
I can confirm that this also segfaults 0.26 upstream release. Did you report this to upstream issue tracker? Please use CVE-2017-11553 for this issue. ok(In reply to Henri Salo from comment #4) > I can confirm that this also segfaults 0.26 upstream release. Did you report > this to upstream issue tracker? Could you support a issue tracker link ? Thank you. I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/54 This has been fixed in upstream. Fixed with exiv2-0.27.0-1.el7_6. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101 |
Created attachment 1299839 [details] Triggered by "./exiv2 POC7" Description of problem: There is an illegal address access in basicio.cpp of exiv2. Version-Release number of selected component (if applicable): <= latest version How reproducible: ./exiv2 $POC Steps to Reproduce: The output information is as follows: $./exiv2 POC7 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150 4150 malloc.c: No such file or directory. (gdb) bt #0 0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150 #1 0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417 #2 0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895 #3 0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976 #4 realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41 #5 0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965 #6 0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397 #7 read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319 #8 0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203 #9 0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124 #10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:722 #11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47 #12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71 #13 0x00000000005706ef in Exiv2::strError() () #14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) () #15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() () #16 0x0000000000464434 in Action::Print::printSummary() () #17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () #18 0x0000000000439762 in main () icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 ASAN:SIGSEGV ================================================================= ==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0) #0 0x7efe16b0fec4 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4) #1 0x7efe16b180e0 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0) #2 0x7efe16d28900 (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900) #3 0x7efe16d205eb (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb) #4 0x518d8b (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b) #5 0x518488 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488) #6 0x4e2ebb (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb) #7 0x7efe15888abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf) #8 0x43b288 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288) AddressSanitizer can not provide additional info. ==47987==ABORTING Actual results: crash Expected results: crash Additional info: Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.