Bug 1470950 - There is a Segmentation fault in the software exiv2 after the function Exiv2::XmpParser::terminate() has finished.
Summary: There is a Segmentation fault in the software exiv2 while the function Exiv2...
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks: CVE-2017-11340
Reported: 2017-07-14 06:30 UTC by owl337
Modified: 2019-04-16 12:05 UTC (History)
Clone Of:
Last Closed:


Attachments
Triggered by "./exiv2 $POC" (122 bytes, application/x-rar)
2017-07-14 06:30 UTC, owl337

Description owl337 2017-07-14 06:30:42 UTC
Created attachment 1298135
Triggered by  "./exiv2 $POC"

Description of problem:

There is a Segmentation fault in the software exiv2 after the function Exiv2::XmpParser::terminate() has finished.

Version-Release number of selected component (if applicable):

<= latest version


How reproducible:

./exiv2 $POC

Steps to Reproduce:



The output information is as follows:

$./exiv2 POC6
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 

Segmentation fault


GDB debugging information is as follows:
(gdb) set args POC6
(gdb) r
 ...
Continuing.
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 


Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:176
176	    Exiv2::XmpParser::terminate();
(gdb) n
155	    Action::Task::AutoPtr task
(gdb) n
180	} // main
(gdb) 

Breakpoint 2, __libc_start_main (main=0x4e24c0 <main(int, char* const*)>, argc=2, argv=0x7fffffffe598, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588) at libc-start.c:323
323	libc-start.c: No such file or directory.
(gdb) s
__GI_exit (status=0) at exit.c:104
104	exit.c: No such file or directory.
(gdb) n
103	in exit.c
(gdb) 
104	in exit.c
(gdb) 

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 

This vulnerability was triggered in the function __GI_exit (status=0) at exit.c:104, after the function main() exits.


Actual results:


Expected results:


Additional info:
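
Added example (not code from exiv2, and not part of the report above): the two parser errors in the output, "has invalid size 4294967295*1" and "Offset ... is out of bounds", are the checks a TIFF-style directory reader has to apply before it trusts an entry taken from a fuzzed file. The C program below parses IFD0 of a constructed 60-byte little-endian buffer shaped like the values in the output (an entry 0x0000 with count 0xffffffff, a StripOffsets entry whose data offset 0x7e000000 lies outside the file, and one well-formed out-of-line Make string) and classifies each entry as usable, impossible size, or out of bounds. The buffer, the chosen tags and types, the acceptance of magic 0x4f52 ('RO') as the Olympus ORF variant of the TIFF magic, and the rejection policy itself are my assumptions; none of it is taken from exiv2's source or from the attached POC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Classification of one IFD entry after validation against the file length. */
enum { ENTRY_OK = 0, ENTRY_BAD_SIZE = 1, ENTRY_OUT_OF_BOUNDS = 2 };

typedef struct {
    uint32_t entry_off;   /* offset of the 12-byte entry inside the file        */
    uint16_t tag, type;
    uint32_t count;
    uint32_t value;       /* inline value (size <= 4) or file offset of the data */
    uint64_t size;        /* count * sizeof(type), computed in 64 bits           */
    int status;           /* ENTRY_*                                             */
} IfdEntry;

/* Little-endian readers; the sample is 'II', so only that byte order is handled (assumption). */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte width of TIFF types 1..12; 0 means unknown type. */
static uint32_t tiff_type_size(uint16_t type) {
    static const uint8_t sizes[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };
    return type < 13 ? sizes[type] : 0;
}

/* Parses IFD0 into out[]. Returns the number of entries stored, or -1 when the
 * header or the directory itself does not fit inside the file. */
int parse_ifd0(const uint8_t *buf, size_t len, IfdEntry *out, size_t max_out)
{
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I') return -1;
    uint32_t magic = rd16(buf + 2);
    if (magic != 42 && magic != 0x4f52) return -1;      /* 42 = TIFF, 0x4f52 'RO' = ORF (assumed) */
    uint64_t ifd = rd32(buf + 4);
    if (ifd + 2 > len) return -1;                        /* entry count would be outside the file */
    uint32_t n = rd16(buf + ifd);
    if (ifd + 2 + 12ull * n > len) return -1;            /* directory would be outside the file   */
    if (n > max_out) n = (uint32_t)max_out;

    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *p = buf + ifd + 2 + 12u * i;
        IfdEntry *e = &out[i];
        e->entry_off = (uint32_t)(p - buf);
        e->tag   = (uint16_t)rd16(p);
        e->type  = (uint16_t)rd16(p + 2);
        e->count = rd32(p + 4);
        e->value = rd32(p + 8);
        uint32_t ts = tiff_type_size(e->type);
        e->size = (uint64_t)e->count * ts;               /* 64-bit product: cannot wrap around */
        if (ts == 0 || e->size > len)
            e->status = ENTRY_BAD_SIZE;                  /* more bytes than the whole file has  */
        else if (e->size > 4 && (e->value > len || e->size > len - e->value))
            e->status = ENTRY_OUT_OF_BOUNDS;             /* out-of-line data not inside the file */
        else
            e->status = ENTRY_OK;
    }
    return (int)n;
}

/* Pointer to the entry's bytes, or NULL for anything that failed validation. */
const uint8_t *entry_data(const uint8_t *buf, const IfdEntry *e)
{
    if (e->status != ENTRY_OK) return NULL;
    return e->size > 4 ? buf + e->value : buf + e->entry_off + 8;
}

/* Constructed 60-byte sample (not the POC from the attachment), mirroring the
 * count 0xffffffff and offset 0x7e000000 seen in the exiv2 output above. */
static const uint8_t kSample[60] = {
    'I', 'I', 0x52, 0x4f, 0x08, 0x00, 0x00, 0x00,                   /* 'IIRO', IFD0 at offset 8 */
    0x03, 0x00,                                                     /* 3 entries                */
    0x00, 0x00, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x7e, /* tag 0, BYTE, count 0xffffffff */
    0x11, 0x01, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, /* 0x0111, LONG x2 at 0x7e000000 */
    0x0f, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, /* 0x010f, ASCII x6 at offset 52 */
    0x00, 0x00, 0x00, 0x00,                                         /* no next IFD              */
    0x00, 0x00,                                                     /* padding                  */
    'O', 'L', 'Y', 'M', 'P', 0x00,                                  /* offset 52: "OLYMP\0"     */
    0x00, 0x00                                                      /* padding to 60 bytes      */
};

int main(void)
{
    IfdEntry e[16];
    int n = parse_ifd0(kSample, sizeof kSample, e, 16);
    if (n < 0) { puts("Error: TIFF header or directory does not fit in the file"); return 1; }
    for (int i = 0; i < n; i++) {
        if (e[i].status == ENTRY_BAD_SIZE)
            printf("Error: entry 0x%04" PRIx16 " has invalid size %" PRIu32 "*%" PRIu32 "; skipping entry.\n",
                   e[i].tag, e[i].count, tiff_type_size(e[i].type));
        else if (e[i].status == ENTRY_OUT_OF_BOUNDS)
            printf("Error: offset of entry 0x%04" PRIx16 " is out of bounds: Offset = 0x%" PRIx32 "; skipping entry.\n",
                   e[i].tag, e[i].value);
        else
            printf("entry 0x%04" PRIx16 ": %" PRIu64 " byte(s) at file offset %td\n",
                   e[i].tag, e[i].size, entry_data(kSample, &e[i]) - kSample);
    }
    return 0;
}
```

The property worth copying is that every size is computed in 64 bits and every size and offset is compared against the real file length before any pointer is derived from the entry; that is what makes the count 4294967295 and the offset 0x7e000000 harmless here, since neither ever becomes an address. A reader that skips an entry must also drop any state it built from that entry, because code that runs after main() has returned only sees whatever was left behind.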

Comment 2 Adam Mariš 2017-07-24 12:42:11 UTC
Please, report this issue to upstream. Thanks!

Comment 3 Raphaël Hertzog 2017-08-31 14:30:57 UTC
I forwarded this to the upstream developers: https://github.com/Exiv2/exiv2/issues/53

Comment 5 Jan Grulich 2019-01-28 16:08:20 UTC
Fixed with exiv2-0.27.0-1.el7_6.

