Bug 1494443 - Null pointer dereference vulnerability in Exiv2::Image::printIFDStructure (image.cpp:408)
Summary: Null pointer dereference vulnerability in Exiv2::Image::printIFDStructure (im...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-22 09:31 UTC by Liu Zhu
Modified: 2019-08-06 12:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:46:58 UTC
Target Upstream Version:

Attachments (Terms of Use)
PoC File (23.97 KB, image/tiff)
2017-09-22 09:31 UTC, Liu Zhu 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:08 UTC

Description Liu Zhu 2017-09-22 09:31:08 UTC 
Created attachment 1329486 [details]
PoC File

ASAN:SIGSEGV
=================================================================
==53639==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa6170833e8 bp 0x7fff73e26870 sp 0x7fff73e263d0 T0)
    #0 0x7fa6170833e7 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:408
    #1 0x7fa6170848a3 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/fuzzing/exiv2-trunk/src/image.cpp:517
    #2 0x7fa61716a73e in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:348
    #3 0x7fa617168c06 in Exiv2::TiffImage::readMetadata() /root/fuzzing/exiv2-trunk/src/tiffimage.cpp:191
    #4 0x43ab02 in Action::Print::printSummary() /root/fuzzing/exiv2-trunk/src/actions.cpp:289
    #5 0x43a1af in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/fuzzing/exiv2-trunk/src/actions.cpp:244
    #6 0x422129 in main /root/fuzzing/exiv2-trunk/src/exiv2.cpp:170
    #7 0x7fa6163e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x421af8 in _start (/usr/local/exiv2_ASAN/bin/exiv2+0x421af8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzzing/exiv2-trunk/src/image.cpp:408 Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int)
==53639==ABORTING
Comment 2 Liu Zhu 2017-09-23 05:14:02 UTC 
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.
Comment 3 Salvatore Bonaccorso 2017-09-28 11:56:28 UTC 
This was assigned CVE-2017-14863.

Can you please report the issue upstream?
Comment 4 Dan Čermák 2017-10-20 21:17:56 UTC 
The upstream issue is https://github.com/Exiv2/exiv2/issues/132. The problem has already been fixed.
Comment 6 Jan Grulich 2019-01-28 16:08:16 UTC 
Fixed with exiv2-0.27.0-1.el7_6.
Comment 10 errata-xmlrpc 2019-08-06 12:46:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101
Note You need to log in before you can comment on or make changes to this bug.