A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.
Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1961652]
Created mingw-exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1961651]
The isWebPType() routine in src/webpimage.cpp is called after isCr2Type(). isCr2Type() never sets the seek back to SEEK_SET. When isWebPType() runs, it assumes that the iIo seek is at SEEK_SET and attempts to read 12 bytes of data into 3 buffers: `riff`, `data`, and `webp`. The `data` buffer is not used and thus discarded, but `riff` and `webp` are used in memcmp operations. Therefore, a crafted file could trigger this code path which can read up to 12 bytes of data past the end of iIo into the stack. We've set this to severity Low since the data is not explicitly stored and passed to other areas by this function, but it may still be reachable via some other extraneous path of exploitation and it is undefined behavior to read extraneous data.
The upstream patch uses calls to readOrThrow() instead of iIo.read() because they will catch the errors and throw Exiv2::kerCorruptedMetadata, rather than ignore them and proceed on.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173