Bug 1990327 (CVE-2021-31291)
| Field | Value |
|---|---|
| Summary | CVE-2021-31291 exiv2: Heap-based buffer overflow vulnerability in jp2image.cpp |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Marian Rehak <mrehak> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | jgrulich, manisandro, michel, rdieter |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | exiv2 0.27.4 |
| Doc Text | A flaw was found in exiv2. Flawed bounds checking in the jp2image.cpp doWriteMetadata function leads to a heap-based buffer overflow. This flaw allows an attacker who can provide a malicious image to an application using the exiv2 library to write data out of bounds and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| Last Closed | 2021-08-16 13:28:20 UTC |
| Bug Depends On | 1989860, 1990328, 1990329, 1990352, 1990353, 1990354, 1990355, 1990356, 1990393, 1990394, 1990395, 1990396, 1990397, 1990398, 2002976 |
| Bug Blocks | 1990333 |
Description
Marian Rehak, 2021-08-05 08:30:26 UTC

Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1990328]

Created mingw-exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1990329]

ASAN report on debug build on tag v0.27.3:

```
==536198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d0 at pc 0x7ffff6f812b6 bp 0x7fffffff9b30 sp 0x7fffffff9b28
WRITE of size 8 at 0x6020000000d0 thread T0
    #0 0x7ffff6f812b5 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:784
    #1 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631
    #2 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155
    #3 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231
    #4 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172
    #5 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #6 0x408ddd in _start (/tmp/exiv2/build-asan/bin/exiv2+0x408ddd)

0x6020000000d2 is located 0 bytes to the right of 2-byte region [0x6020000000d0,0x6020000000d2)
allocated by thread T0 here:
    #0 0x7ffff7676cb7 in operator new[](unsigned long) (/lib64/libasan.so.6+0xaccb7)
    #1 0x7ffff6fe8aba in Exiv2::DataBuf::DataBuf(long) /tmp/exiv2/src/types.cpp:141
    #2 0x7ffff6f81177 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:783
    #3 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631
    #4 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155
    #5 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231
    #6 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172
    #7 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
```

The vulnerable code is the following:

```cpp
if (box.length == 1)
{
}
DataBuf boxBuf(box.length);                   // allocation sized from the file-supplied box length
memcpy(boxBuf.pData_, bheaderBuf.pData_, 8);  // always copies 8 header bytes, regardless of box.length
```

If `box.length` is less than 8, the following memcpy would overwrite data on the heap, out of the buffer's bounds.

Confidentiality, Integrity and Availability set to High (C:H/I:H/A:H) because this is a heap-based buffer overflow which could be used to write data in memory and potentially execute code. Attack Complexity set to High (AC:H) considering that ASLR still needs to be bypassed and it requires another flaw or some additional effort from an attacker.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3152 https://access.redhat.com/errata/RHSA-2021:3152

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:3153 https://access.redhat.com/errata/RHSA-2021:3153

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:3158 https://access.redhat.com/errata/RHSA-2021:3158

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-31291

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:3232 https://access.redhat.com/errata/RHSA-2021:3232

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:3231 https://access.redhat.com/errata/RHSA-2021:3231

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:3230 https://access.redhat.com/errata/RHSA-2021:3230

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:3233 https://access.redhat.com/errata/RHSA-2021:3233

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:3234 https://access.redhat.com/errata/RHSA-2021:3234
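As an added illustration (not exiv2's code and not the upstream 0.27.4 patch), the following self-contained C++ models the box-header handling behind the report above. In the ASAN output the allocation is a 2-byte region, so `box.length` was 2 and the unconditional 8-byte header memcpy runs 6 bytes past it. The example parses JP2 box headers (a 4-byte big-endian LBox length followed by a 4-byte TBox type, where LBox 0 means "to end of file" and LBox 1 means a 64-bit XLBox follows), reports how far a 0.27.3-style copy would overrun for a given LBox, and shows a hardened reader that rejects any box shorter than its own header or longer than the remaining input before it allocates. The function and helper names and the sample boxes are constructed for this example, and the hardening logic is an assumed equivalent of the check the fix needs, not a copy of the exiv2 change.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// JP2 box header (ISO/IEC 15444-1 Annex I): 4-byte big-endian LBox length
// followed by a 4-byte TBox type. This is the 8 the memcpy in the ASAN
// report copies into the freshly allocated box buffer.
static const size_t kBoxHeaderSize = 8;

struct BoxHeader {
    uint32_t length;  // LBox exactly as stored in the file (untrusted)
    uint32_t type;    // TBox, e.g. 'jP  ', 'ftyp', 'jp2h'
};

static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

static uint64_t readBE64(const uint8_t* p) {
    return (uint64_t(readBE32(p)) << 32) | readBE32(p + 4);
}

static BoxHeader parseBoxHeader(const std::vector<uint8_t>& file, size_t offset) {
    if (offset > file.size() || file.size() - offset < kBoxHeaderSize)
        throw std::runtime_error("truncated box header");
    return BoxHeader{readBE32(&file[offset]), readBE32(&file[offset + 4])};
}

// Models the 0.27.3 path in the report: the buffer is sized from the untrusted
// LBox and 8 header bytes are copied into it unconditionally. Instead of
// performing the overflowing memcpy, return how many bytes it would write
// past the end of the allocation (0 means the copy fits).
size_t vulnerableOverflowBytes(uint32_t boxLength) {
    const size_t alloc = boxLength;       // DataBuf boxBuf(box.length);
    const size_t copy = kBoxHeaderSize;   // memcpy(boxBuf.pData_, bheaderBuf.pData_, 8);
    return copy > alloc ? copy - alloc : 0;
}

// Hardened reader (assumed logic for this example, not the upstream patch):
// resolve the two legitimate special LBox values, refuse any box shorter than
// its own header or longer than the remaining input, then allocate and copy.
std::vector<uint8_t> readBoxHardened(const std::vector<uint8_t>& file, size_t offset) {
    const BoxHeader box = parseBoxHeader(file, offset);
    const size_t remaining = file.size() - offset;
    uint64_t boxLength = box.length;
    size_t headerSize = kBoxHeaderSize;

    if (box.length == 0) {
        boxLength = remaining;            // LBox 0: box runs to end of file
    } else if (box.length == 1) {
        headerSize = 16;                  // LBox 1: 64-bit XLBox follows TBox
        if (remaining < headerSize)
            throw std::runtime_error("truncated XLBox header");
        boxLength = readBE64(&file[offset + kBoxHeaderSize]);
    }

    // The check missing in 0.27.3: a box can never be shorter than its header.
    if (boxLength < headerSize)
        throw std::runtime_error("corrupt box: length smaller than header");
    if (boxLength > remaining)
        throw std::runtime_error("corrupt box: length exceeds input");

    std::vector<uint8_t> boxBuf(static_cast<size_t>(boxLength));
    std::memcpy(boxBuf.data(), &file[offset], boxBuf.size());
    return boxBuf;
}

// True when the hardened reader rejects the box at offset 0.
bool hardenedRejects(const std::vector<uint8_t>& file) {
    try {
        readBoxHardened(file, 0);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// Constructed sample box (not from any real file): raw LBox, 4-char TBox, payload.
std::vector<uint8_t> makeBox(uint32_t lbox, const char* tbox,
                             const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out = {
        uint8_t(lbox >> 24), uint8_t(lbox >> 16), uint8_t(lbox >> 8), uint8_t(lbox),
        uint8_t(tbox[0]), uint8_t(tbox[1]), uint8_t(tbox[2]), uint8_t(tbox[3])};
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

int main() {
    // Well-formed signature box: LBox 12 covers the 8-byte header + 4 payload bytes.
    std::vector<uint8_t> good = makeBox(12, "jP  ", {0x0d, 0x0a, 0x87, 0x0a});
    // Trigger shape from the report: LBox 2, so DataBuf(2) receives an 8-byte memcpy.
    std::vector<uint8_t> bad = makeBox(2, "jP  ", {0x0d, 0x0a, 0x87, 0x0a});
    return (readBoxHardened(good, 0).size() == 12 && vulnerableOverflowBytes(2) == 6 &&
            hardenedRejects(bad)) ? 0 : 1;
}
```

The two rejections in `readBoxHardened` are deliberately separate: the "smaller than header" check is the one whose absence produced this CVE, while the "exceeds input" check closes the mirror-image case where an oversized LBox would make the subsequent read run off the end of the file.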