Bug 1470950 - There is a segmentation fault in the software exiv2 after the function Exiv2::XmpParser::terminate() has finished.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Jan Grulich
QA Contact: Desktop QE
Keywords: Security
Blocks: CVE-2017-11340
Reported: 2017-07-14 02:30 EDT by owl337
Modified: 2017-10-01 18:41 EDT
Type: Bug

Attachments
Triggered by "./exiv2 $POC" (122 bytes, application/x-rar), 2017-07-14 02:30 EDT, owl337

Description owl337 2017-07-14 02:30:42 EDT
Created attachment 1298135 [details]
Triggered by "./exiv2 $POC"

Description of problem:

There is a segmentation fault in the software exiv2 after the function Exiv2::XmpParser::terminate() has finished.

Version-Release number of selected component (if applicable):

<= latest version


How reproducible:

./exiv2 $POC

Steps to Reproduce:



The output information is as follows:

$./exiv2 POC6
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 

Segmentation fault


GDB debugging information is as follows:
(gdb) set args POC6
(gdb) r
 ...
Continuing.
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 


Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:176
176	    Exiv2::XmpParser::terminate();
(gdb) n
155	    Action::Task::AutoPtr task
(gdb) n
180	} // main
(gdb) 

Breakpoint 2, __libc_start_main (main=0x4e24c0 <main(int, char* const*)>, argc=2, argv=0x7fffffffe598, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588) at libc-start.c:323
323	libc-start.c: No such file or directory.
(gdb) s
__GI_exit (status=0) at exit.c:104
104	exit.c: No such file or directory.
(gdb) n
103	in exit.c
(gdb) 
104	in exit.c
(gdb) 

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 

This vulnerability was triggered after the function __GI_exit (status=0) at exit.c:104, after main() had exited.


Actual results:


Expected results:


Additional info:
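The two parser errors printed above (an IFD entry whose count times type size, 4294967295*1, cannot fit in a 60-byte file, and entries whose data offset 0x7e000000 lies past the end of the file) are the checks a TIFF/ORF directory reader has to make before touching any entry data. The following C program is an added example, not exiv2's code and not a fix for the exit-time crash this report is about: it parses IFD0 of a TIFF-style buffer, does every size and offset computation in 64-bit arithmetic so a count of 0xFFFFFFFF cannot wrap, and skips or truncates entries the way the messages above describe. The sample buffer is constructed for this example and is not the reporter's attachment; the ORF magic value 0x4F52 ("IIRO"/"MMOR") and the accepted type table are assumptions about the format made here, not facts taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte size of each TIFF data type, indexed by type id 1..12; 0 marks an unknown type. */
static const uint32_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

enum { ENTRY_OK = 0, ENTRY_SKIPPED = 1, ENTRY_TRUNCATED = 2 };

typedef struct {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t offset;     /* the 4-byte value/offset field as stored in the entry */
    uint64_t data_size;  /* bytes of entry data that are actually inside the buffer */
    int      status;     /* ENTRY_OK, ENTRY_SKIPPED or ENTRY_TRUNCATED */
} ifd_entry;

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Parse IFD0 of a TIFF/ORF buffer of len bytes into out (at most max_out entries).
 * Returns the number of entries written, or -1 when the header or the directory
 * itself does not fit in the buffer. All bounds arithmetic is 64-bit so that a
 * hostile count or offset cannot wrap around a 32-bit check. */
int parse_ifd0(const uint8_t *buf, size_t len, ifd_entry *out, size_t max_out) {
    if (len < 8) return -1;
    int le;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;          /* little-endian */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;     /* big-endian */
    else return -1;

    /* 0x002A is TIFF; 0x4F52 ("IIRO"/"MMOR") is the Olympus ORF variant.
     * Assumption for this example: only these two magic values are accepted. */
    uint16_t magic = rd16(buf + 2, le);
    if (magic != 0x002A && magic != 0x4F52) return -1;

    uint64_t ifd = rd32(buf + 4, le);
    if (ifd + 2 > len) return -1;                         /* entry count must be readable */
    uint64_t n = rd16(buf + ifd, le);
    if (ifd + 2 + n * 12 > len) return -1;                /* the whole directory must fit */

    size_t written = 0;
    for (uint64_t i = 0; i < n && written < max_out; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;
        ifd_entry ent;
        ent.tag    = rd16(e, le);
        ent.type   = rd16(e + 2, le);
        ent.count  = rd32(e + 4, le);
        ent.offset = rd32(e + 8, le);
        ent.status = ENTRY_OK;

        uint32_t tsz  = ent.type < 13 ? tiff_type_size[ent.type] : 0;
        uint64_t size = (uint64_t)ent.count * tsz;        /* at most 2^32 * 8: cannot overflow */

        if (tsz == 0 || size > len) {
            /* Unknown type, or more data than the whole file holds
             * (the "invalid size 4294967295*1; skipping entry" case). */
            ent.status = ENTRY_SKIPPED;
            ent.data_size = 0;
        } else if (size <= 4) {
            ent.data_size = size;                         /* value is stored inline in the entry */
        } else if (ent.offset >= len) {
            /* Data pointer past end of file (the "Offset ... is out of bounds; truncating" case). */
            ent.status = ENTRY_TRUNCATED;
            ent.data_size = 0;
        } else if (ent.offset + size > len) {
            ent.status = ENTRY_TRUNCATED;
            ent.data_size = len - ent.offset;             /* keep only the bytes that exist */
        } else {
            ent.data_size = size;
        }
        out[written++] = ent;
    }
    return (int)written;
}

/* Constructed sample, not the reporter's attachment: a little-endian ORF header with
 * IFD0 at offset 8 holding three entries, the first two shaped like the ones the
 * report complains about and the third a well-formed inline SHORT. */
const uint8_t sample_orf[] = {
    'I', 'I', 'R', 'O',  0x08, 0x00, 0x00, 0x00,                              /* IIRO, IFD0 at offset 8 */
    0x03, 0x00,                                                               /* three entries */
    0x00, 0x00, 0x01, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x7E,   /* tag 0x0000, BYTE x 0xFFFFFFFF, offset 0x7e000000 */
    0x11, 0x01, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E,   /* tag 0x0111, LONG x 2, offset 0x7e000000 */
    0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00,   /* tag 0x0100, SHORT x 1, value 640 inline */
    0x00, 0x00, 0x00, 0x00                                                    /* no further IFD */
};
const size_t sample_orf_len = sizeof sample_orf;

int main(void) {
    ifd_entry ents[8];
    int n = parse_ifd0(sample_orf, sample_orf_len, ents, 8);
    if (n < 0) { puts("malformed header or directory"); return 1; }
    for (int i = 0; i < n; i++) {
        const char *what = ents[i].status == ENTRY_OK ? "ok" :
                           ents[i].status == ENTRY_SKIPPED ? "skipped (invalid size)" :
                                                             "truncated (offset out of bounds)";
        printf("entry 0x%04x type %u count %u: %s, usable bytes %llu\n",
               ents[i].tag, ents[i].type, ents[i].count, what,
               (unsigned long long)ents[i].data_size);
    }
    return 0;
}
```

The point of the example is the order of the checks: the type is validated before it indexes the size table, the product of count and type size is computed in 64 bits before it is compared with the file length, and an offset is compared with the file length before it is added to anything. A reader that does the addition first, in 32 bits, can be made to pass a bounds check with exactly the count and offset values shown in the report.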
Comment 2 Adam Mariš 2017-07-24 08:42:11 EDT
Please, report this issue to upstream. Thanks!
Comment 3 Raphaël Hertzog 2017-08-31 10:30:57 EDT
I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/53