Bug 1952612 (CVE-2021-29457)

Summary: CVE-2021-29457 exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jgrulich, michel, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: exiv2 0.27.4-RC2 Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in exiv2. An attacker who is able to supply a crafted file to an application linked against exiv2 could trigger an out-of-bounds write in heap memory. The highest risk of this flaw is to application confidentiality, integrity, and availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:30:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1952613, 1953772, 1953773    
Bug Blocks: 1949273    

Description Guilherme de Almeida Suckevicz 2021-04-22 16:42:57 UTC 
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.

References:
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
https://github.com/Exiv2/exiv2/issues/1529

Upstream patch:
https://github.com/Exiv2/exiv2/pull/1534
Comment 1 Guilherme de Almeida Suckevicz 2021-04-22 16:43:14 UTC 
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1952613]
Comment 3 Todd Cullum 2021-04-26 22:12:34 UTC 
Flaw summary:

In src/jp2image.cpp in the boxes_check() routine, there was not correct checking to ensure that the box length was valid. Specifically, a box length less than 8 could be accepted, which would cause an out-of-bounds write subsequently in Exiv2::Jp2Image::doWriteMetadata(). As this value can be supplied by a crafted file, it can result in an impact to confidentiality, integrity, and availability of an application linked with exiv2.
Comment 4 Todd Cullum 2021-04-26 22:15:43 UTC 
External References:

https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
Comment 6 errata-xmlrpc 2021-11-09 17:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173