Bug 1473889
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | There is alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2. | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | owl337 <v.owl337> |
| Component | exiv2 | Assignee | Jan Grulich <jgrulich> |
| Status | CLOSED ERRATA | QA Contact | Desktop QE <desktop-qa-list> |
| Severity | urgent | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.5-Alt | CC | dan.cermak, henri, raphael |
| Target Milestone | rc | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-08-06 12:46:47 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1475727 | | |
| Attachments | | | |
Please use CVE-2017-11592 for this issue.

I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/56

This has been fixed in upstream.

Fixed with exiv2-0.27.0-1.el7_6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101
Created attachment 1302634 [details]
Triggered by "./exiv2 POC9"

Description of problem:
There is an alloc-dealloc-mismatch in Exiv2::FileIo::seek of exiv2.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./exiv2 POC9

Steps to Reproduce:
The output information is as follows:

```text
$./exiv2 POC9
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
38      fseek.c: No such file or directory.
(gdb) bt
#0  __GI_fseek (fp=0x4647000000e900, offset=0, whence=1) at fseek.c:38
#1  0x00000000004c85e8 in Exiv2::FileIo::seek(long, Exiv2::BasicIo::Position) ()
#2  0x0000000000585750 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) ()
#3  0x000000000058b15c in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) ()
#4  0x00000000006bf786 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) ()
#5  0x00000000006b8eb9 in Exiv2::TiffImage::readMetadata() ()
#6  0x0000000000464434 in Action::Print::printSummary() ()
#7  0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#8  0x0000000000439762 in main ()
```

The asan debug info is as follows:

```text
=================================================================
==63376==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs operator delete) on 0x60300000d570
    #0 0x4e1c92 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x7f0c7c7d0bda (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cbda)
    #2 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #3 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #4 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #5 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #6 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #7 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #8 0x7f0c7c7d0b6a (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cb6a)
    #9 0x7f0c7b54ac91 (/lib/x86_64-linux-gnu/libc.so.6+0x39c91)
    #10 0x7f0c7b54ace4 (/lib/x86_64-linux-gnu/libc.so.6+0x39ce4)
    #11 0x7f0c7b531ac6 (/lib/x86_64-linux-gnu/libc.so.6+0x20ac6)
    #12 0x43b288 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

0x60300000d570 is located 0 bytes inside of 4293853440-byte region [0x60300000d570,0x6030ffefd670)
ASAN:SIGSEGV
==63376==AddressSanitizer: while reporting a bug found another one. Ignoring.
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
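The AddressSanitizer output quoted in the description is unsymbolized, names `INVALID` as the allocating side of the mismatch, reports a 4293853440-byte region, and ends with ASAN hitting a second fault while writing up the first. Those details decide how the crash should be bucketed and prioritised, so the following triage helper is an added example (not code from this bug report or from exiv2): it parses a constructed excerpt modelled on the report above, extracts the error kind, allocation/deallocation types, faulting address, region size and stack frames, and flags the signs that point to corrupted heap metadata rather than a plain `new`/`delete` pairing error. ASAN prints `INVALID` as the allocation type when the chunk header carries no recognised type; the 1 GiB plausibility threshold, the verdict names and all function names are this example's own assumptions.

```python
"""ASAN report triage helper (added example; not code from this bug report or from exiv2)."""
import re

# Constructed excerpt modelled on the AddressSanitizer output in the bug
# description (frames shortened); the line structure is what ASAN prints.
SAMPLE_REPORT = """\
=================================================================
==63376==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs operator delete) on 0x60300000d570
    #0 0x4e1c92 (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e1c92)
    #1 0x7f0c7c7d0bda (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x44cbda)
0x60300000d570 is located 0 bytes inside of 4293853440-byte region [0x60300000d570,0x6030ffefd670)
ASAN:SIGSEGV
==63376==AddressSanitizer: while reporting a bug found another one. Ignoring.
"""

# First line of every ASAN report. The "(X vs Y)" pair only appears for
# alloc-dealloc-mismatch; other kinds read "... on address 0x...".
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: \((?P<alloc>.*?) vs (?P<dealloc>.*?)\))?"
    r" on (?:address )?(?P<addr>0x[0-9a-fA-F]+)"
)
REGION_RE = re.compile(
    r"0x[0-9a-fA-F]+ is located \d+ bytes (?:inside|to the left|to the right) of "
    r"(?P<size>\d+)-byte region"
)
# Unsymbolized frame: "#n 0xPC (module+0xOFF)". Symbolized: "#n 0xPC in func file:line".
RAW_FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ \((?P<mod>[^+]+)\+(?P<off>0x[0-9a-fA-F]+)\)")
SYM_FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in \S+")

# Names ASAN prints for the allocating side of a mismatch. "INVALID" is what
# it prints when the chunk header holds no recognised allocation type.
KNOWN_ALLOC_TYPES = {"malloc", "operator new", "operator new []"}
# Assumption of this example: no legitimate single allocation in the target
# exceeds 1 GiB. Tune per project.
MAX_PLAUSIBLE_REGION = 1 << 30


def parse_asan_report(text):
    """Extract the fields a triager needs from one ASAN report."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'ERROR: AddressSanitizer' header found")
    region = REGION_RE.search(text)
    report = {
        "pid": int(m.group("pid")),
        "kind": m.group("kind"),
        "alloc_type": m.group("alloc"),      # None unless alloc-dealloc-mismatch
        "dealloc_type": m.group("dealloc"),
        "address": int(m.group("addr"), 16),
        "region_size": int(region.group("size")) if region else None,
        "frames": [],          # (module path, offset) of the primary stack only
        "symbolized": False,
        "nested_error": "while reporting a bug found another one" in text,
    }
    for line in text.splitlines():
        if REGION_RE.search(line):
            break              # the region line ends the primary stack
        raw = RAW_FRAME_RE.match(line)
        if raw:
            report["frames"].append((raw.group("mod"), int(raw.group("off"), 16)))
        elif SYM_FRAME_RE.match(line):
            report["symbolized"] = True
    return report


def triage(report):
    """Return (verdict, flags): the likely meaning of the report and what to fix before bucketing."""
    flags = []
    if report["kind"] == "alloc-dealloc-mismatch" and report["alloc_type"] not in KNOWN_ALLOC_TYPES:
        flags.append("alloc-type-unrecognised")
    if report["region_size"] is not None and report["region_size"] > MAX_PLAUSIBLE_REGION:
        flags.append("implausible-region-size")
    if report["nested_error"]:
        flags.append("nested-error")
    if not report["symbolized"]:
        flags.append("unsymbolized")
    if "alloc-type-unrecognised" in flags or "implausible-region-size" in flags:
        # ASAN read chunk metadata it does not recognise: the heap header was
        # most likely overwritten earlier, so look for the first out-of-bounds
        # write rather than a new/delete pairing bug at the reported frame.
        verdict = "probable-heap-metadata-corruption"
    elif report["kind"] == "alloc-dealloc-mismatch":
        verdict = "allocator-pairing-error"
    else:
        verdict = report["kind"]
    return verdict, flags


def crash_signature(report, depth=3):
    """Bucketing key: error kind plus the top frames as (module basename, offset).
    Offsets are build-specific, so re-bucket after symbolizing."""
    top = tuple((mod.rsplit("/", 1)[-1], off) for mod, off in report["frames"][:depth])
    return (report["kind"], top)


if __name__ == "__main__":
    parsed = parse_asan_report(SAMPLE_REPORT)
    print(triage(parsed))
    print(crash_signature(parsed))
```

For the report in this bug the helper returns the verdict `probable-heap-metadata-corruption` with every flag set. The practical consequence is that the frame ASAN names is the place where corrupted metadata was noticed, not necessarily where it was written; re-running the reproducer with `ASAN_OPTIONS=symbolize=1` and a working `ASAN_SYMBOLIZER_PATH` gives function names and source lines so the first out-of-bounds write can be located and the crash bucketed by that location instead of by raw offsets.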