Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1471772

Summary: There is an illegal address access in basicio.cpp of exiv2.
Product: Red Hat Enterprise Linux 7 Reporter: owl337 <v.owl337>
Component: exiv2Assignee: Jan Grulich <jgrulich>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 7.5-AltCC: henri, raphael, v.owl337
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:46:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Triggered by "./exiv2 POC7" none

Description owl337 2017-07-17 12:23:28 UTC 
Created attachment 1299839 [details]
Triggered by "./exiv2 POC7"

Description of problem:

There is an illegal address access in basicio.cpp of exiv2.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./exiv2 $POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC7

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
4150	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
#1  0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417
#2  0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895
#3  0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976
#4  realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41
#5  0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965
#6  0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397
#7  read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319
#8  0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203
#9  0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", 
    domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124
#10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, 
    n=n@entry=0, category=category@entry=5) at dcigettext.c:722
#11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71
#13 0x00000000005706ef in Exiv2::strError() ()
#14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) ()
#15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() ()
#16 0x0000000000464434 in Action::Print::printSummary() ()
#17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#18 0x0000000000439762 in main ()


icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 
ASAN:SIGSEGV
=================================================================
==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0)
    #0 0x7efe16b0fec4  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4)
    #1 0x7efe16b180e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7efe16d28900  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900)
    #3 0x7efe16d205eb  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7efe15888abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

AddressSanitizer can not provide additional info.
==47987==ABORTING


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
Comment 4 Henri Salo 2017-07-30 12:52:39 UTC 
I can confirm that this also segfaults 0.26 upstream release. Did you report this to upstream issue tracker?
Comment 5 Henri Salo 2017-07-30 12:54:16 UTC 
Please use CVE-2017-11553 for this issue.
Comment 6 owl337 2017-08-15 02:39:35 UTC 
ok(In reply to Henri Salo from comment #4)
> I can confirm that this also segfaults 0.26 upstream release. Did you report
> this to upstream issue tracker?

Could you support a issue tracker link ? Thank you.
Comment 7 Raphaƫl Hertzog 2017-08-31 14:38:33 UTC 
I forwarded this report to upstream: https://github.com/Exiv2/exiv2/issues/54
Comment 8 Henri Salo 2018-10-26 09:04:30 UTC 
This has been fixed in upstream.
Comment 10 Jan Grulich 2019-01-28 16:08:23 UTC 
Fixed with exiv2-0.27.0-1.el7_6.
Comment 14 errata-xmlrpc 2019-08-06 12:46:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101