Meder Kydyraliev reported an integer overflow in exiv2's EXIF parsing code resulting in a heap buffer overflow. This can possibly lead to code execution as the user running an application that uses the exiv2 library to extract EXIF tags from malicious image files. Upstream commit: http://dev.robotbattle.com/~cvsuser/cgi-bin/ns_viewcvs.cgi/exiv2/trunk/src/exif.cpp?rev=1346&r1=1231&r2=1346
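Added example (not exiv2's own code) showing the overflow class described above in C: a naive `offset + size <= len` bounds check wraps in 32-bit arithmetic and lets an oversized data area through, while an overflow-guarded check in the style of the upstream fix rejects it. The function names and the 64-byte sample buffer are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Naive check: offset + size is computed in 32 bits and can wrap, so a
   huge size looks "in bounds" and the following memcpy reads past buf. */
int naive_in_bounds(uint32_t len, uint32_t offset, uint32_t size)
{
    return offset + size <= len;   /* wraps when offset + size > 0xffffffff */
}

/* Overflow-safe check, same shape as the upstream exiv2 patch: first make
   sure the addition cannot wrap, then compare against the buffer length. */
int safe_in_bounds(uint32_t len, uint32_t offset, uint32_t size)
{
    if (size > 0xffffffffu - offset)  /* offset + size would overflow */
        return 0;
    if (len < offset + size)          /* data area extends past the buffer */
        return 0;
    return 1;
}

/* Copies the data area (offset, size) out of buf into dst, as an EXIF
   strip/data-area copy would. Returns 0 on success, 2 on bad geometry
   (the same return code the exiv2 patch uses). */
int copy_area(uint8_t *dst, const uint8_t *buf, uint32_t len,
              uint32_t offset, uint32_t size)
{
    if (!safe_in_bounds(len, offset, size))
        return 2;
    memcpy(dst, buf + offset, size);
    return 0;
}

int main(void)
{
    uint8_t buf[64] = {0};   /* constructed stand-in for the image buffer */
    uint8_t dst[64];
    /* Constructed malicious geometry: 0x10 + 0xfffffff8 wraps to 8 */
    printf("naive: %d safe: %d\n",
           naive_in_bounds(64, 0x10, 0xfffffff8u),
           safe_in_bounds(64, 0x10, 0xfffffff8u));
    printf("copy_area rc=%d\n", copy_area(dst, buf, 64, 0x10, 0xfffffff8u));
    return 0;
}
```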
This is (apparently, can't see it yet), the upstream issue tracker: http://dev.robotbattle.com/bugs/view.php?id=534
(In reply to comment #1)
> http://dev.robotbattle.com/bugs/view.php?id=534

Yes it is. That report was first opened as public and it also contained further details about similar problems in other EXIF parsing libraries (see e.g. our bugs #425551 and #425561 for libexif).
Gentoo bug states that exiv2 did not compile because of incorrect static casts used in the upstream patch. They've added extra correction: diff -u exiv2-0.13/src/exif.cpp exiv2-0.13/src/exif.cpp --- exiv2-0.13/src/exif.cpp +++ exiv2-0.13/src/exif.cpp @@ -244,7 +244,7 @@ uint32_t size = sizes->toLong(i); lastSize = size; if ( size > 0xffffffff - offset - || static_cast(len) < offset + size) { + || static_cast<uint32_t>(len) < offset + size) { return 2; } memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size); @@ -313,7 +313,7 @@ if (length == exifData.end()) return 1; uint32_t size = length->toLong(); if ( size > 0xffffffff - offset - || static_cast(len) < offset + size) { + || static_cast<uint32_t>(len) < offset + size) { return 2; } format->setDataArea(buf + offset, size); http://bugs.gentoo.org/show_bug.cgi?id=202351
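Review bot: in the @@ -244 hunk the only change is the missing template argument; `static_cast(len)` without `<uint32_t>` is not valid C++, which is exactly the build failure the Gentoo bug describes, so the fix is correct as far as it goes. The surrounding check deserves a short comment, since its ordering matters: `size > 0xffffffff - offset` is what stops `offset + size` from wrapping before it is compared with `len`, and the `memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size)` that follows is only safe because of it. Note also that the cast truncates `len` to 32 bits, so the comparison assumes the input buffer length fits in a uint32_t; a comment or an explicit range check on `len` before the cast would make that assumption visible. The destination side (`currentOffset` into `stripsBuf.pData_`) is not bounded in this hunk and must be guaranteed elsewhere.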
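Review bot: the @@ -313 hunk carries the same compile fix (`static_cast<uint32_t>(len)`), and the same bounds logic, ahead of `format->setDataArea(buf + offset, size)`. One thing worth documenting here: `uint32_t size = length->toLong();` converts a signed value to unsigned, so a negative length becomes a value near 0xffffffff. It is still rejected, either by `size > 0xffffffff - offset` when `offset` is non-zero or by `static_cast<uint32_t>(len) < offset + size` when it is zero, but that relies on the wraparound rather than stating the intent; an explicit check that the `toLong()` result is non-negative before the conversion would make the rejection obvious to the next reader.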
Thanks.
exiv2-0.15-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
exiv2-0.15-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.