Bug 1961691 (CVE-2021-32617)

Summary: CVE-2021-32617 exiv2: DoS due to quadratic complexity in ProcessUTF8Portion
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jgrulich, manisandro, michel, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: exiv2 0.27.4 Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in the xmpsdk component shipped with exiv2. An attacker who is able to submit a crafted file to be processed by an application linked with the exiv2 library could cause an excessive consumption of resources, potentially leading to denial of service. The greatest impact of this flaw is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:31:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1961692, 1961693, 1964188, 1964189, 1964190    
Bug Blocks: 1961694    

Description Guilherme de Almeida Suckevicz 2021-05-18 13:57:14 UTC 
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An inefficient algorithm (quadratic complexity) was found in Exiv2 versions v0.27.3 and earlier. The inefficient algorithm is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `rm`.

Reference:
https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj

Upstream patch:
https://github.com/Exiv2/exiv2/pull/1657
Comment 1 Guilherme de Almeida Suckevicz 2021-05-18 13:58:05 UTC 
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961692]


Created mingw-exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961693]
Comment 3 errata-xmlrpc 2021-11-09 17:34:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173