Bug 1961650 (CVE-2021-29623)

Summary: CVE-2021-29623 exiv2: Use of uninitialized memory in isWebPType() may lead to information leak
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jgrulich, manisandro, michel, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: exiv2 0.27.4 Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in exiv2's isWebPType() function. An attacker who submits a crafted file to be processed by an application linked with exiv2 could trigger an out-of-bounds read of unitialized memory, saving it to the stack. The great impact of this flaw is most likely to application availability with some potential impact to data confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:30:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1961651, 1961652, 1964182, 1964183, 1964184    
Bug Blocks: 1961653    

Description Marian Rehak 2021-05-18 12:16:23 UTC
A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.



Upstream Patch:


Comment 1 Marian Rehak 2021-05-18 12:17:03 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961652]

Created mingw-exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961651]

Comment 2 Todd Cullum 2021-05-24 22:45:26 UTC
Flaw summary:

The isWebPType() routine in src/webpimage.cpp is called after isCr2Type(). isCr2Type() never sets the seek back to SEEK_SET. When isWebPType() runs, it assumes that the iIo seek is at SEEK_SET and attempts to read 12 bytes of data into 3 buffers: `riff`, `data`, and `webp`. The `data` buffer is not used and thus discarded, but `riff` and `webp` are used in memcmp operations. Therefore, a crafted file could trigger this code path which can read up to 12 bytes of data past the end of iIo into the stack. We've set this to severity Low since the data is not explicitly stored and passed to other areas by this function, but it may still be reachable via some other extraneous path of exploitation and it is undefined behavior to read extraneous data.

The upstream patch uses calls to readOrThrow() instead of iIo.read() because they will catch the errors and throw Exiv2::kerCorruptedMetadata, rather than ignore them and proceed on.

Comment 4 errata-xmlrpc 2021-11-09 17:34:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173