1545232 – (CVE-2017-17725) CVE-2017-17725 exiv2: heap-based buffer over-read in Exiv2::getULong function in types.cpp

Bug 1545232 (CVE-2017-17725) - CVE-2017-17725 exiv2: heap-based buffer over-read in Exiv2::getULong function in types.cpp

Summary: CVE-2017-17725 exiv2: heap-based buffer over-read in Exiv2::getULong function...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-17725
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1545233 1547130 1547207
Blocks:	1545252
TreeView+	depends on / blocked

Reported:	2018-02-14 12:48 UTC by Laura Pardo
Modified:	2021-02-17 00:49 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An integer wraparound, leading to heap-based out-of-bound read, was found in the way Exiv2 library reads ICC profiles embedded in a JP2 image. By persuading a victim to open a crafted JP2 image, a remote attacker could crash the application or possibly retrieve a portion of memory.
Clone Of:
Environment:
Last Closed:	2018-03-14 09:18:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-14 12:48:25 UTC

A flaw was found in Exiv2 0.26. There is an integer wraparound leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp, called while parsing an ICC profile. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted JP2 image file.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1525055
https://github.com/Exiv2/exiv2/issues/188

Patch:
https://github.com/Exiv2/exiv2/pull/193

Comment 1 Laura Pardo 2018-02-14 12:48:56 UTC

Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1545233]

Comment 2 Riccardo Schirone 2018-02-20 09:49:23 UTC

It is important to note that without AddressSanitizer enabled, the out of bound read in Exiv2::getULong does not have impact, since it is at most 4 bytes, however another out of bound read in Jp2Image::readMetadata function is triggered by the same public POC, which could crash the program or leak data.

Comment 5 Riccardo Schirone 2018-02-20 16:26:23 UTC

Statement:

This issue did not affect the versions of Exiv2 as shipped with Red Hat Enterprise Linux 6 and 7 as they did not include support for ICC profiles.

Comment 8 Riccardo Schirone 2018-02-22 09:13:38 UTC

Introduced by:
https://github.com/Exiv2/exiv2/commit/699e1c744e50782e3ed7411cc6ac28260aa169c0

Note You need to log in before you can comment on or make changes to this bug.