A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata. https://github.com/Exiv2/exiv2/issues/1529
Created exiv2 tracking bugs for this issue: Affects: fedora-all [bug 1990328]
Created mingw-exiv2 tracking bugs for this issue: Affects: fedora-all [bug 1990329]
ASAN report on debug build on tag: v0.27.3:

```
==536198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d0 at pc 0x7ffff6f812b6 bp 0x7fffffff9b30 sp 0x7fffffff9b28
WRITE of size 8 at 0x6020000000d0 thread T0
    #0 0x7ffff6f812b5 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:784
    #1 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631
    #2 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155
    #3 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231
    #4 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172
    #5 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #6 0x408ddd in _start (/tmp/exiv2/build-asan/bin/exiv2+0x408ddd)

0x6020000000d2 is located 0 bytes to the right of 2-byte region [0x6020000000d0,0x6020000000d2)
allocated by thread T0 here:
    #0 0x7ffff7676cb7 in operator new[](unsigned long) (/lib64/libasan.so.6+0xaccb7)
    #1 0x7ffff6fe8aba in Exiv2::DataBuf::DataBuf(long) /tmp/exiv2/src/types.cpp:141
    #2 0x7ffff6f81177 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:783
    #3 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631
    #4 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155
    #5 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231
    #6 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172
    #7 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
```
Upstream patch: https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22
The vulnerable code is the following:

```
if (box.length == 1) {
}
DataBuf boxBuf(box.length);                      // allocation sized from the untrusted box length
memcpy(boxBuf.pData_, bheaderBuf.pData_, 8);     // unconditional 8-byte copy, no check that box.length >= 8
```

If `box.length` is less than 8, the following memcpy would overwrite data on the heap, out of the buffer's bounds.
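As an added example (not code from the Exiv2 project or from this bug report), the following C++ reconstructs the failure mode described above: a JP2 box header whose declared length is smaller than the 8-byte header itself, and a checked variant that rejects the box before allocating and copying. The `BoxHeader` struct, `parseBoxHeader`, `copyBoxHeaderChecked`, `checkedCopyRejects` and the two sample headers are constructed for illustration and are assumptions, not Exiv2 APIs; the JP2 special lengths 0 and 1 are noted but not implemented.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Minimal JP2 box header as used in this example: 4-byte big-endian length
// followed by a 4-byte type code. Constructed stand-in, not Exiv2's own type.
struct BoxHeader {
    uint32_t length;
    uint32_t type;
};

static const size_t kBoxHeaderSize = 8;

static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Decode the 8 header bytes without interpreting them further (hypothetical helper).
BoxHeader parseBoxHeader(const uint8_t* headerBuf) {
    return BoxHeader{readBE32(headerBuf), readBE32(headerBuf + 4)};
}

// The defect in the report: the buffer is sized from the untrusted box.length and
// 8 bytes are then copied into it unconditionally. This function only evaluates
// the precondition the original code was missing; it performs no copy.
bool headerCopyWouldOverflow(const BoxHeader& box) {
    return box.length < kBoxHeaderSize;
}

// Hardened copy: validate the declared length before allocating or copying, and
// treat a too-small length as corrupt metadata instead of trusting it.
// Note: a real JP2 parser must also handle LBox == 0 (box runs to end of file)
// and LBox == 1 (64-bit XLBox follows); both are rejected here for brevity.
std::vector<uint8_t> copyBoxHeaderChecked(const uint8_t* headerBuf) {
    BoxHeader box = parseBoxHeader(headerBuf);
    if (headerCopyWouldOverflow(box)) {
        throw std::runtime_error("corrupt JP2 box: declared length smaller than its header");
    }
    std::vector<uint8_t> boxBuf(box.length);
    std::memcpy(boxBuf.data(), headerBuf, kBoxHeaderSize);  // now within bounds by construction
    return boxBuf;
}

// Accept/reject predicate over the checked copy (hypothetical helper).
bool checkedCopyRejects(const uint8_t* headerBuf) {
    try {
        copyBoxHeaderChecked(headerBuf);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// Constructed sample headers, type code 'jp2c' in both.
const uint8_t kShortHeader[kBoxHeaderSize] = {0x00, 0x00, 0x00, 0x02, 'j', 'p', '2', 'c'};  // length 2: the reported case
const uint8_t kGoodHeader[kBoxHeaderSize]  = {0x00, 0x00, 0x00, 0x10, 'j', 'p', '2', 'c'};  // length 16: well-formed

int main() {
    BoxHeader bad = parseBoxHeader(kShortHeader);
    std::printf("length=%u would_overflow=%d rejected=%d\n", bad.length,
                headerCopyWouldOverflow(bad), checkedCopyRejects(kShortHeader));
    std::vector<uint8_t> ok = copyBoxHeaderChecked(kGoodHeader);
    std::printf("valid box: allocated %zu bytes, header copied\n", ok.size());
    return 0;
}
```

The check is deliberately placed before the allocation: a parser that allocates first and validates afterwards still lets an attacker-controlled length drive memory use, and in the reported case the 2-byte allocation is exactly what turns the fixed 8-byte copy into a heap write past the end of the region.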
Confidentiality, Integrity and Availability set to High (C:H/I:H/A:H) because this is a heap-based buffer overflow which could be used to write data in memory and potentially execute code. Attack Complexity set to High (AC:H) considering that ASLR still needs to be bypassed and it requires another flaw or some additional effort from an attacker.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3152 https://access.redhat.com/errata/RHSA-2021:3152
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3153 https://access.redhat.com/errata/RHSA-2021:3153
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3158 https://access.redhat.com/errata/RHSA-2021:3158
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31291
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3232 https://access.redhat.com/errata/RHSA-2021:3232
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3231 https://access.redhat.com/errata/RHSA-2021:3231
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3230 https://access.redhat.com/errata/RHSA-2021:3230
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3233 https://access.redhat.com/errata/RHSA-2021:3233
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3234 https://access.redhat.com/errata/RHSA-2021:3234