Bug 1494787 - it is a stack-overflow vulnerability in Exiv2::Internal::stringFormat[abi:cxx11] ( in image.cpp:975 )
Summary: it is a stack-overflow vulnerability in Exiv2::Internal::stringFormat[abi:cxx...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-23 03:01 UTC by Liu Zhu
Modified: 2019-08-06 12:47 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:47:14 UTC
Target Upstream Version:


Attachments (Terms of Use)
PoC File (340 bytes, image/tiff)
2017-09-23 03:01 UTC, Liu Zhu
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 None None None 2019-08-06 12:47:19 UTC

Description Liu Zhu 2017-09-23 03:01:00 UTC
Created attachment 1329798 [details]
PoC File

./exiv2 009-stack-over 
ASAN:SIGSEGV
=================================================================
==65094==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe028e0e88 (pc 0x7f1dab2e2b79 bp 0x7ffe028e1740 sp 0x7ffe028e0e90 T0)
    #0 0x7f1dab2e2b78  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5fb78)
    #1 0x7f1dab2e4145 in __interceptor_vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61145)
    #2 0x7f1daab94e09 in Exiv2::Internal::stringFormat[abi:cxx11](char const*, ...) /root/fuzzing/exiv2-trunk/src/image.cpp:975
    #3 0x7f1daab8fc59 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:357
    #4 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #5 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #6 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #7 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #8 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #9 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
    #10 0x7f1daab9097c in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/fuzzing/exiv2-trunk/src/image.cpp:445
.....
.....
.....
.....
SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==65094==ABORTING

Comment 2 Liu Zhu 2017-09-23 05:16:00 UTC
./exiv2 -V
exiv2 0.26 001a00 (64 bit build)
Copyright (C) 2004-2017 Andreas Huggel.

Comment 3 Salvatore Bonaccorso 2017-09-28 11:54:45 UTC
This was assigned CVE-2017-14861.

Can you please report the issue upstream?

Comment 4 Raphaël Hertzog 2017-10-25 09:17:28 UTC
Upstream report is here: https://github.com/Exiv2/exiv2/issues/139

Comment 6 Jan Grulich 2019-01-28 16:08:20 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:47:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101


Note You need to log in before you can comment on or make changes to this bug.