Bug 1757909 (CVE-2019-14982) - CVE-2019-14982 exiv2: integer overflow in the WebPImage::getHeaderOffset can lead to a out of bounds read
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-14982
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1775559
Blocks: 1757910
Reported: 2019-10-02 17:27 UTC by Guilherme de Almeida Suckevicz
Modified: 2019-11-22 13:45 UTC
3 users

Fixed In Version: exiv2 0.27.2
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read could happen when exiv2, or an application linked against the exiv2 library, is used to parse untrusted images in the WebP format. This flaw is caused by an integer wraparound in function WebPImage::getHeaderOffset, which could allow an attacker to crash the application.
Clone Of:
Environment:
Last Closed: 2019-11-22 13:04:49 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2019-10-02 17:27:59 UTC
In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp. It can lead to a buffer overflow vulnerability and a crash.

References:
https://github.com/Exiv2/exiv2/compare/v0.27.2-RC2...v0.27.2
https://github.com/Exiv2/exiv2/issues/960
https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62

Comment 1 Riccardo Schirone 2019-11-22 09:39:34 UTC
First vulnerable commit (present only in master branch, not in v0.27 nor in v0.26):
https://github.com/Exiv2/exiv2/commit/278a72570696f0c4793cc602691435f1ea292ae4

Upstream patch:
https://github.com/Exiv2/exiv2/commit/a51980898bc30fa7831c7eda7f19b97caa27a130

Comment 2 Riccardo Schirone 2019-11-22 09:45:31 UTC
The vulnerable commit introduces code like the following:
```cpp
long WebPImage::getHeaderOffset(byte *data, size_t data_size, byte *header, size_t header_size) {
  long pos = -1;
  for (size_t i=0; i < data_size - header_size; i++) {      // [1]
    if (memcmp(header, &data[i], header_size) == 0) {        // [2]
```

When `data_size` is less than `header_size` there is an integer wraparound in [2] and the result is a big number. Thus when `data[i]` is accessed in [2], an out-of-bounds read happens.

The issue cannot be reproduced in the v0.27 branch and in v0.26 because the function WebPImage::getHeaderOffset() in src/webpimage.cpp uses `long` types for the variables `data_size`, `header_size` and `i`. In case the above condition applies, the result will be a negative number which, when compared with the signed value of `i`, will just prevent the for-loop from being executed.
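The following is an added illustration of the wraparound described in Comment 2 and of one way to harden the search; it is example code written for this page, not exiv2's code and not the upstream patch. `vulnerableLoopBound` only computes the unsigned loop bound from the vulnerable snippet (it never indexes memory), so the wraparound can be observed safely; `safeHeaderOffset` is a hypothetical hardened rewrite that rejects a buffer shorter than the header before subtracting, and uses an inclusive bound so a header sitting at the very end of the buffer is still found. The `byte` alias and the constructed WebP-like sample buffer are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

using byte = unsigned char;  // assumed alias, standing in for exiv2's byte type

// Loop bound exactly as the vulnerable snippet computes it: size_t minus size_t.
// When data_size < header_size the subtraction wraps around to a value close to
// SIZE_MAX, which the original loop then uses as its upper bound.
size_t vulnerableLoopBound(size_t data_size, size_t header_size) {
    return data_size - header_size;
}

// Hardened search (illustrative, not the upstream fix):
//  - an empty header or a buffer shorter than the header returns -1 before any
//    subtraction, so the unsigned arithmetic can no longer wrap;
//  - the bound is inclusive (<=), so i + header_size never exceeds data_size and
//    a header placed at the very end of the buffer is still matched.
long safeHeaderOffset(const byte *data, size_t data_size,
                      const byte *header, size_t header_size) {
    if (header_size == 0 || data_size < header_size) return -1;
    for (size_t i = 0; i <= data_size - header_size; i++) {
        if (std::memcmp(header, data + i, header_size) == 0) {
            return static_cast<long>(i);
        }
    }
    return -1;
}

// std::string convenience overload so buffers with embedded NULs are easy to pass.
long safeHeaderOffset(const std::string &data, const std::string &header) {
    return safeHeaderOffset(reinterpret_cast<const byte *>(data.data()), data.size(),
                            reinterpret_cast<const byte *>(header.data()), header.size());
}

// Constructed sample resembling the start of a WebP file: "RIFF", a 4-byte size
// field (zeroed here), "WEBP", then the "VP8 " chunk tag at offset 12.
std::string constructedWebpHeader() {
    std::string s = "RIFF";
    s += std::string(4, '\0');
    s += "WEBPVP8 ";
    return s;
}

int main() {
    // A 2-byte buffer searched for a 4-byte header: the vulnerable bound wraps.
    std::cout << "wrapped bound: " << vulnerableLoopBound(2, 4) << "\n";
    // The hardened version rejects the same input instead of looping.
    std::cout << "safe result: " << safeHeaderOffset(std::string("RI"), std::string("RIFF")) << "\n";
    std::cout << "VP8 chunk at: " << safeHeaderOffset(constructedWebpHeader(), "VP8 ") << "\n";
    return 0;
}
```

On a 64-bit build the wrapped bound printed for a 2-byte buffer and a 4-byte header is SIZE_MAX - 1, which is why the original loop walks far past the end of `data`; the hardened function returns -1 for that input and 12 for the constructed sample.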

Comment 3 Riccardo Schirone 2019-11-22 09:46:54 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1775559]

Comment 4 Product Security DevOps Team 2019-11-22 13:04:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14982

