Bug 1952612 (CVE-2021-29457) - CVE-2021-29457 exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
Summary: CVE-2021-29457 exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteM...
Alias: CVE-2021-29457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1952613 1953772 1953773
Blocks: 1949273
TreeView+ depends on / blocked
Reported: 2021-04-22 16:42 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:19 UTC (History)
3 users (show)

Fixed In Version: exiv2 0.27.4-RC2
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in exiv2. An attacker who is able to supply a crafted file to an application linked against exiv2 could trigger an out-of-bounds write in heap memory. The highest risk of this flaw is to application confidentiality, integrity, and availability.
Clone Of:
Last Closed: 2021-11-02 23:30:28 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4173 0 None None None 2021-11-09 17:34:14 UTC

Description Guilherme de Almeida Suckevicz 2021-04-22 16:42:57 UTC
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-04-22 16:43:14 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1952613]

Comment 3 Todd Cullum 2021-04-26 22:12:34 UTC
Flaw summary:

In src/jp2image.cpp in the boxes_check() routine, there was not correct checking to ensure that the box length was valid. Specifically, a box length less than 8 could be accepted, which would cause an out-of-bounds write subsequently in Exiv2::Jp2Image::doWriteMetadata(). As this value can be supplied by a crafted file, it can result in an impact to confidentiality, integrity, and availability of an application linked with exiv2.

Comment 4 Todd Cullum 2021-04-26 22:15:43 UTC
External References:


Comment 6 errata-xmlrpc 2021-11-09 17:34:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173

Note You need to log in before you can comment on or make changes to this bug.