Bug 1494443

Summary: Null pointer dereference vulnerability in Exiv2::Image::printIFDStructure (image.cpp:408)
Product: Red Hat Enterprise Linux 7
Reporter: Liu Zhu <fantasy7082>
Component: exiv2
Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.5-Alt
CC: carnil, dan.cermak
Target Milestone: rc
Keywords: Security
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  PoC File (flags: none)

Description Liu Zhu 2017-09-22 09:31:08 UTC
Created attachment 1329486 [details]
PoC File

ASAN:SIGSEGV
=================================================================
==53639==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa6170833e8 bp 0x7fff73e26870 sp 0x7fff73e263d0 T0)
    #0 0x7fa6170833e7 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:408
    #1 0x7fa6170848a3 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/fuzzing/exiv2-trunk/src/image.cpp:517
    #2 0x7fa61716a73e in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:348
    #3 0x7fa617168c06 in Exiv2::TiffImage::readMetadata() /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:191
    #4 0x43ab02 in Action::Print::printSummary() /root/fuzzing/exiv2-trunk/src/actions.cpp:289
    #5 0x43a1af in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/fuzzing/exiv2-trunk/src/actions.cpp:244
    #6 0x422129 in main /root/fuzzing/exiv2-trunk/src/exiv2.cpp:170
    #7 0x7fa6163e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x421af8 in _start (/usr/local/exiv2_ASAN/bin/exiv2+0x421af8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzzing/exiv2-trunk/src/image.cpp:408 Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int)
==53639==ABORTING

Comment 2 Liu Zhu 2017-09-23 05:14:02 UTC
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.

Comment 3 Salvatore Bonaccorso 2017-09-28 11:56:28 UTC
This was assigned CVE-2017-14863.

Can you please report the issue upstream?

Comment 4 Dan Čermák 2017-10-20 21:17:56 UTC
The upstream issue is https://github.com/Exiv2/exiv2/issues/132. The problem has already been fixed.

Comment 6 Jan Grulich 2019-01-28 16:08:16 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:46:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101