Bug 1952612 (CVE-2021-29457) - CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
Summary: CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteM...
Keywords:
Status: NEW
Alias: CVE-2021-29457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1953772 1953773 1952613
Blocks: 1949273
TreeView+ depends on / blocked
 
Reported: 2021-04-22 16:42 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-06 16:59 UTC (History)
3 users (show)

Fixed In Version: exiv2 0.27.4-RC2
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in exiv2. An attacker who is able to supply a crafted file to an application linked against exiv2 could trigger an out-of-bounds write in heap memory. The highest risk of this flaw is to application confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-04-22 16:42:57 UTC
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.

References:
https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
https://github.com/Exiv2/exiv2/issues/1529

Upstream patch:
https://github.com/Exiv2/exiv2/pull/1534

Comment 1 Guilherme de Almeida Suckevicz 2021-04-22 16:43:14 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1952613]

Comment 3 Todd Cullum 2021-04-26 22:12:34 UTC
Flaw summary:

In src/jp2image.cpp in the boxes_check() routine, there was not correct checking to ensure that the box length was valid. Specifically, a box length less than 8 could be accepted, which would cause an out-of-bounds write subsequently in Exiv2::Jp2Image::doWriteMetadata(). As this value can be supplied by a crafted file, it can result in an impact to confidentiality, integrity, and availability of an application linked with exiv2.

Comment 4 Todd Cullum 2021-04-26 22:15:43 UTC
External References:

https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm


Note You need to log in before you can comment on or make changes to this bug.