Bug 1961650 (CVE-2021-29623) - CVE-2021-29623 exiv2: Use of uninitialized memory in isWebPType() may lead to information leak
Summary: CVE-2021-29623 exiv2: Use of uninitialized memory in isWebPType() may lead to...
Alias: CVE-2021-29623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1961651 1961652 1964182 1964183 1964184
Blocks: 1961653
TreeView+ depends on / blocked
Reported: 2021-05-18 12:16 UTC by Marian Rehak
Modified: 2022-04-17 21:23 UTC (History)
4 users (show)

Fixed In Version: exiv2 0.27.4
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in exiv2's isWebPType() function. An attacker who submits a crafted file to be processed by an application linked with exiv2 could trigger an out-of-bounds read of unitialized memory, saving it to the stack. The great impact of this flaw is most likely to application availability with some potential impact to data confidentiality.
Clone Of:
Last Closed: 2021-11-02 23:30:42 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4173 0 None None None 2021-11-09 17:34:25 UTC

Description Marian Rehak 2021-05-18 12:16:23 UTC
A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.



Upstream Patch:


Comment 1 Marian Rehak 2021-05-18 12:17:03 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961652]

Created mingw-exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1961651]

Comment 2 Todd Cullum 2021-05-24 22:45:26 UTC
Flaw summary:

The isWebPType() routine in src/webpimage.cpp is called after isCr2Type(). isCr2Type() never sets the seek back to SEEK_SET. When isWebPType() runs, it assumes that the iIo seek is at SEEK_SET and attempts to read 12 bytes of data into 3 buffers: `riff`, `data`, and `webp`. The `data` buffer is not used and thus discarded, but `riff` and `webp` are used in memcmp operations. Therefore, a crafted file could trigger this code path which can read up to 12 bytes of data past the end of iIo into the stack. We've set this to severity Low since the data is not explicitly stored and passed to other areas by this function, but it may still be reachable via some other extraneous path of exploitation and it is undefined behavior to read extraneous data.

The upstream patch uses calls to readOrThrow() instead of iIo.read() because they will catch the errors and throw Exiv2::kerCorruptedMetadata, rather than ignore them and proceed on.

Comment 4 errata-xmlrpc 2021-11-09 17:34:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4173 https://access.redhat.com/errata/RHSA-2021:4173

Note You need to log in before you can comment on or make changes to this bug.