Bug 1961650 (CVE-2021-29623)
Summary: | CVE-2021-29623 exiv2: Use of uninitialized memory in isWebPType() may lead to information leak | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | jgrulich, manisandro, michel, rdieter |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | exiv2 0.27.4 | Doc Type: | If docs needed, set a value |
Doc Text: | There's a flaw in exiv2's isWebPType() function. An attacker who submits a crafted file to be processed by an application linked with exiv2 could trigger an out-of-bounds read of uninitialized memory, saving it to the stack. The greatest impact of this flaw is most likely to application availability, with some potential impact to data confidentiality. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2021-11-02 23:30:42 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | |||
Bug Depends On: | 1961651, 1961652, 1964182, 1964183, 1964184 | ||
Bug Blocks: | 1961653 |
Description
Marian Rehak
2021-05-18 12:16:23 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961652]

Created mingw-exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961651]

Flaw summary:

The isWebPType() routine in src/webpimage.cpp is called after isCr2Type(). isCr2Type() never sets the seek back to SEEK_SET. When isWebPType() runs, it assumes that the iIo seek is at SEEK_SET and attempts to read 12 bytes of data into 3 buffers: `riff`, `data`, and `webp`. The `data` buffer is not used and thus discarded, but `riff` and `webp` are used in memcmp operations. Therefore, a crafted file could trigger this code path, which can read up to 12 bytes of data past the end of iIo into the stack.

We've set this to severity Low since the data is not explicitly stored and passed to other areas by this function, but it may still be reachable via some other extraneous path of exploitation, and it is undefined behavior to read extraneous data.

The upstream patch uses calls to readOrThrow() instead of iIo.read() because they will catch the errors and throw Exiv2::kerCorruptedMetadata, rather than ignore them and proceed on.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173
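The read pattern the flaw summary describes, as an added example that is not exiv2's code. `MemIo`, `readOrThrow()`, `CorruptedMetadata`, the 12-byte crafted stream and the `residue` argument are all hypothetical stand-ins: `MemIo::read()` mimics a `BasicIo::read()` that returns a short count when the stream runs out, the stream is left at offset 4 to model the probe that did not seek back, and `residue` pre-fills the three stack buffers so that what real code reads as uninitialized memory is deterministic here. The unchecked probe's verdict on the same file changes with the residue; the hardened probe throws instead.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Stand-in for exiv2's BasicIo with only what this example needs (hypothetical, not exiv2 code).
class MemIo {
public:
    explicit MemIo(const std::vector<uint8_t>& bytes) : data_(bytes) {}
    void seek(size_t pos) { pos_ = pos < data_.size() ? pos : data_.size(); }
    // Like BasicIo::read(buf, rcount): returns how many bytes were actually copied, which is
    // fewer than rcount once the stream runs out. Only a caller that checks it will notice.
    size_t read(uint8_t* buf, size_t rcount) {
        size_t avail = data_.size() - pos_;
        size_t n = rcount < avail ? rcount : avail;
        std::memcpy(buf, data_.data() + pos_, n);
        pos_ += n;
        return n;
    }
private:
    std::vector<uint8_t> data_;
    size_t pos_ = 0;
};

// Plays the role of the Exiv2::kerCorruptedMetadata error that the upstream readOrThrow() raises.
struct CorruptedMetadata : std::runtime_error {
    CorruptedMetadata() : std::runtime_error("corrupted metadata: short read") {}
};

// Hardened read in the style of the fix: a short read is an error, never silently ignored.
void readOrThrow(MemIo& io, uint8_t* buf, size_t rcount) {
    if (io.read(buf, rcount) != rcount) throw CorruptedMetadata();
}

static const uint8_t RiffImageId[4] = {'R', 'I', 'F', 'F'};
static const uint8_t WebPImageId[4] = {'W', 'E', 'B', 'P'};

struct ProbeResult { bool matched; size_t bytesMissing; };  // verdict, and header bytes never read

// Pre-fix pattern: three reads whose return values are dropped, then memcmp on the buffers.
// Real code leaves riff/data/webp uninitialized, so comparing them after a short read is undefined
// behaviour; here they are pre-filled from `residue` (modelling whatever an earlier call left in
// that stack slot) so the example stays deterministic.
ProbeResult isWebPTypeUnchecked(MemIo& io, const uint8_t residue[12]) {
    uint8_t riff[4], data[4], webp[4];
    std::memcpy(riff, residue, 4);
    std::memcpy(data, residue + 4, 4);
    std::memcpy(webp, residue + 8, 4);
    size_t got = 0;
    got += io.read(riff, 4);
    got += io.read(data, 4);  // read but never inspected, as in the original
    got += io.read(webp, 4);
    bool matched = std::memcmp(riff, RiffImageId, 4) == 0 &&
                   std::memcmp(webp, WebPImageId, 4) == 0;
    return {matched, 12 - got};
}

// Post-fix pattern: a stream that cannot supply all 12 bytes throws before any compare runs.
bool isWebPTypeChecked(MemIo& io) {
    uint8_t riff[4], data[4], webp[4];
    readOrThrow(io, riff, 4);
    readOrThrow(io, data, 4);
    readOrThrow(io, webp, 4);
    return std::memcmp(riff, RiffImageId, 4) == 0 && std::memcmp(webp, WebPImageId, 4) == 0;
}

// Constructed 12-byte input. An earlier probe consumed bytes 0-3 and did not seek back, so the
// WebP probe starts at offset 4 (where "RIFF" sits) and the stream ends after 8 more bytes.
MemIo craftedStream() {
    MemIo io(std::vector<uint8_t>{'X', 'X', 'X', 'X', 'R', 'I', 'F', 'F', 0x10, 0x00, 0x00, 0x00});
    io.seek(4);
    return io;
}

// Same crafted stream probed with a clean stack slot (zeros) and with one where a previous valid
// WebP file left "WEBP" behind: the verdict flips purely on stale memory. That is the flaw.
ProbeResult uncheckedProbe(bool staleStack) {
    static const uint8_t clean[12] = {0};
    static const uint8_t stale[12] = {'R', 'I', 'F', 'F', 0, 0, 0, 0, 'W', 'E', 'B', 'P'};
    MemIo io = craftedStream();
    return isWebPTypeUnchecked(io, staleStack ? stale : clean);
}

// Hardened probe on the same stream: true when it is rejected with CorruptedMetadata.
bool checkedProbeRejectsCrafted() {
    MemIo io = craftedStream();
    try { isWebPTypeChecked(io); } catch (const CorruptedMetadata&) { return true; }
    return false;
}

// Control: a stream positioned at a full RIFF....WEBP header is still accepted by the hardened probe.
bool checkedProbeAcceptsValid() {
    MemIo io(std::vector<uint8_t>{'R', 'I', 'F', 'F', 0x10, 0x00, 0x00, 0x00, 'W', 'E', 'B', 'P'});
    return isWebPTypeChecked(io);
}

int main() {
    std::printf("unchecked: clean stack -> %d, stale stack -> %d; hardened: crafted rejected=%d, valid accepted=%d\n",
                (int)uncheckedProbe(false).matched, (int)uncheckedProbe(true).matched,
                (int)checkedProbeRejectsCrafted(), (int)checkedProbeAcceptsValid());
}
```

The unchecked probe never writes the last four bytes of `webp` for the crafted stream, so its answer is whatever was in that stack slot; MemorySanitizer would report the `memcmp` on it as a use of uninitialized memory. The hardened probe makes the short read an exception, which is what the description credits readOrThrow() with doing.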