Bug 1575201

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Heap Buffer Overflow in image.cpp:260 Exiv2::Image::byteSwap2 | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | albertzjf |
| Component | exiv2 | Assignee | Jan Grulich <jgrulich> |
| Status | CLOSED NOTABUG | QA Contact | Desktop QE <desktop-qa-list> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.5-Alt | CC | albertzjf, henri, pebarbos |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-05-29 17:51:11 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |

Description
albertzjf
2018-05-05 04:55:06 UTC
Created attachment 1433611 [details]
poc file
Could you please provide more information regarding your findings? The provided POC didn't crash here in RHEL 7. Moreover, the Exiv2::Image::byteSwap2 in /usr/lib64/libexiv2.so wasn't even called at all.

```
[pedroysb@rhel-7 sf_rhel_shared]$ gdb /usr/bin/exiv2
pwndbg> # breakpoint at main
pwndbg> b *0x406850
pwndbg> run POC
...
Breakpoint *0x406850
pwndbg> b _ZN5Exiv25Image9byteSwap2ERNS_7DataBufEmb
Breakpoint 2 at 0x7ffff75ce160
pwndbg> c
Continuing.
Error: Directory Image: IFD entry 23 lies outside of the data buffer.
Error: Directory Image, entry 0x0000 has invalid size 4294967288*2; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 61440; setting type size 1.
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x000e has unknown Exif (TIFF) type 11267; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x000e is out of bounds: Offset = 0x00000010, size = 65279, exceeds buffer size by 64999 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Error: Directory Image, entry 0x0000 has invalid size 4278135811*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65280; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00000000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 65278; setting type size 1.
Warning: Directory Image, entry 0x002c has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x002c has invalid size 4278190080*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x0000 has invalid size 4278059008*1; skipping entry.
File name       : POC
File size       : 296 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     :
Camera model    :
Image timestamp :
Image number    :
Exposure time   :
Aperture        :
Exposure bias   :
Flash           :
Flash bias      :
Focal length    :
Subject distance:
ISO speed       :
Exposure mode   :
Metering mode   :
Macro mode      :
Image quality   :
Exif Resolution :
White balance   :
Thumbnail       : None
Copyright       :
Exif comment    :

[Inferior 1 (process 26135) exited normally]
pwndbg>
```

When I intercept the library function calls using ltrace, the byteSwap2 function doesn't appear in the logs either (see attachment).

Created attachment 1441710 [details]
ltrace output

Sorry for misleading. The crash was actually triggered in Ubuntu 16.04 by this POC when we tested. When reporting, I found most CVEs of exiv2 were referenced to this website, and I thought there wouldn't be much difference.

Closing as NOTABUG
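The Error and Warning lines in the gdb session above are the visible side of the bounds checks a TIFF/Exif IFD parser has to make before it touches any entry data: does the entry itself fit in the buffer, is the type known, does count times type size stay within the buffer, and does the value offset (for values longer than four bytes) point inside the buffer. The following is an added illustration written for this page, not exiv2's code and not the reporter's POC: a small Python walker over IFD0 that performs those checks on a constructed sample buffer whose IFD deliberately claims more entries than are present, carries an oversized count (chosen to reproduce the `4294967288*2` figure from the log), an unknown type, and an out-of-range value offset. Function and variable names are the example's own.

```python
import struct

# TIFF 6.0 field types and their element sizes in bytes.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
ENTRY_LEN = 12  # tag(2) + type(2) + count(4) + value-or-offset(4)


def check_ifd(buf):
    """Walk IFD0 of a TIFF-style buffer without trusting any field in it.

    Returns (entries, findings): entries is a list of
    (tag, type, count, data_offset, data_len) for entries that were kept
    (possibly truncated); findings is a list of problems found on the way.
    """
    findings, entries = [], []
    if len(buf) < 8:
        return entries, ["header: buffer shorter than TIFF header"]
    order = buf[:2]
    if order == b"II":
        end = "<"
    elif order == b"MM":
        end = ">"
    else:
        return entries, ["header: unknown byte order %r" % order]
    magic, ifd_off = struct.unpack(end + "HI", buf[2:8])
    if magic != 42:
        findings.append("header: bad magic %d" % magic)
    if ifd_off + 2 > len(buf):
        findings.append("IFD0 offset 0x%x lies outside the data buffer" % ifd_off)
        return entries, findings
    (count,) = struct.unpack(end + "H", buf[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    for i in range(count):
        # The 16-bit count is attacker-controlled; check each entry fits.
        if pos + ENTRY_LEN > len(buf):
            findings.append("IFD entry %d lies outside of the data buffer" % i)
            break  # nothing after this point can be trusted
        tag, typ, n, value = struct.unpack(end + "HHII", buf[pos:pos + ENTRY_LEN])
        pos += ENTRY_LEN
        size = TYPE_SIZES.get(typ)
        if size is None:
            findings.append("entry 0x%04x has unknown type %d; setting type size 1" % (tag, typ))
            size = 1
        total = n * size  # Python ints do not overflow; in C this product must be checked too
        if total > len(buf):
            findings.append("entry 0x%04x has invalid size %d*%d; skipping entry" % (tag, n, size))
            continue
        if total <= 4:
            # Short values are stored inline in the 4-byte value field.
            data_off, data_len = pos - 4, total
        else:
            data_off = value
            if data_off >= len(buf):
                findings.append("entry 0x%04x offset 0x%08x is out of bounds; truncating" % (tag, data_off))
                data_len = 0
            elif data_off + total > len(buf):
                over = data_off + total - len(buf)
                findings.append("entry 0x%04x upper boundary exceeds buffer by %d bytes; truncating" % (tag, over))
                data_len = len(buf) - data_off
            else:
                data_len = total
        entries.append((tag, typ, n, data_off, data_len))
    return entries, findings


def build_sample():
    """Constructed little-endian TIFF (not the POC from this report).

    IFD0 claims 5 entries but only 4 are present, so the 5th falls past the end.
    """
    hdr = b"II" + struct.pack("<HI", 42, 8)
    ents = [
        struct.pack("<HHII", 0x0100, 3, 1, 640),         # ImageWidth SHORT, inline, valid
        struct.pack("<HHII", 0x0000, 3, 0xFFFFFFF8, 0),  # count*2 far larger than the buffer
        struct.pack("<HHII", 0x000E, 0xFF00, 1, 0),      # unknown type 65280
        struct.pack("<HHII", 0x010E, 2, 6, 0x1000),      # ASCII, 6 bytes at an offset past the end
    ]
    return hdr + struct.pack("<H", 5) + b"".join(ents) + b"\x00" * 4


if __name__ == "__main__":
    kept, problems = check_ifd(build_sample())
    for p in problems:
        print("Error:", p)
    for e in kept:
        print("kept tag 0x%04x type %d count %d data@%d len %d" % e)
```

The point of the walker is the order of the checks: the entry header is validated before it is decoded, the size product is validated before the offset is used, and the offset and upper boundary are validated before any byte of value data is read. A crash in a routine such as byteSwap2 usually means one of those checks was skipped or performed after the data was already copied.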