Bug 1990327 (CVE-2021-31291) - CVE-2021-31291 exiv2: Heap-based buffer overflow vulnerability in jp2image.cpp
Summary: CVE-2021-31291 exiv2: Heap-based buffer overflow vulnerability in jp2image.cpp
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31291
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989860 1990328 1990356 1990398 1990329 1990352 1990353 1990354 1990355 1990393 1990394 1990395 1990396 1990397 2002976
Blocks: 1990333
TreeView+ depends on / blocked
 
Reported: 2021-08-05 08:30 UTC by Marian Rehak
Modified: 2021-09-16 08:36 UTC (History)
4 users (show)

Fixed In Version: exiv2 0.27.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in exiv2. A flawed bounds checking in the jp2Image.cpp:doWriteMetadata function leads to a heap-based buffer overflow. This flaw allows an attacker who can provide a malicious image to an application using the exiv2 library, to write data out of bounds and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-16 13:28:20 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3152 0 None None None 2021-08-16 10:11:41 UTC
Red Hat Product Errata RHSA-2021:3153 0 None None None 2021-08-16 10:11:58 UTC
Red Hat Product Errata RHSA-2021:3158 0 None None None 2021-08-16 10:59:25 UTC
Red Hat Product Errata RHSA-2021:3230 0 None None None 2021-08-19 13:32:59 UTC
Red Hat Product Errata RHSA-2021:3231 0 None None None 2021-08-19 13:27:22 UTC
Red Hat Product Errata RHSA-2021:3232 0 None None None 2021-08-19 13:21:10 UTC
Red Hat Product Errata RHSA-2021:3233 0 None None None 2021-08-19 14:08:24 UTC
Red Hat Product Errata RHSA-2021:3234 0 None None None 2021-08-19 14:53:39 UTC

Description Marian Rehak 2021-08-05 08:30:26 UTC
A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata.

https://github.com/Exiv2/exiv2/issues/1529

Comment 1 Marian Rehak 2021-08-05 08:30:44 UTC
Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1990328]


Created mingw-exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1990329]

Comment 3 Riccardo Schirone 2021-08-05 09:34:30 UTC
ASAN report on debug build on tag: v0.27.3:
==536198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d0 at pc 0x7ffff6f812b6 bp 0x7fffffff9b30 sp 0x7fffffff9b28                                                    
WRITE of size 8 at 0x6020000000d0 thread T0                                                                                                                                                   
    #0 0x7ffff6f812b5 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:784                                                                                    
    #1 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631                                                                                                     
    #2 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155                                                                                                                                   
    #3 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231                                
    #4 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172                                                                                                                                          
    #5 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)                                                                                                                         
    #6 0x408ddd in _start (/tmp/exiv2/build-asan/bin/exiv2+0x408ddd)                                                                                                                          
                                                                                                                                                                                              
0x6020000000d2 is located 0 bytes to the right of 2-byte region [0x6020000000d0,0x6020000000d2)                                                                                               
allocated by thread T0 here:
    #0 0x7ffff7676cb7 in operator new[](unsigned long) (/lib64/libasan.so.6+0xaccb7)
    #1 0x7ffff6fe8aba in Exiv2::DataBuf::DataBuf(long) /tmp/exiv2/src/types.cpp:141
    #2 0x7ffff6f81177 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&) /tmp/exiv2/src/jp2image.cpp:783
    #3 0x7ffff6f7f890 in Exiv2::Jp2Image::writeMetadata() /tmp/exiv2/src/jp2image.cpp:631
    #4 0x45097b in metacopy /tmp/exiv2/src/actions.cpp:2155
    #5 0x44290b in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /tmp/exiv2/src/actions.cpp:1231
    #6 0x4094af in main /tmp/exiv2/src/exiv2.cpp:172
    #7 0x7ffff67ad1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)

Comment 4 Riccardo Schirone 2021-08-05 09:35:16 UTC
Upstream patch:
https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22

Comment 7 Riccardo Schirone 2021-08-05 09:53:02 UTC
The vulnerable code is the following:
```
            if (box.length == 1)
            {
            }

            DataBuf boxBuf(box.length);
            memcpy(boxBuf.pData_, bheaderBuf.pData_, 8);
```

If `box.length` is less than 8, the following memcpy would overwrite data on the heap, out of the buffer's bounds.

Comment 8 Riccardo Schirone 2021-08-05 09:55:56 UTC
Confidentiality, Integrity and Availability set to High (C:H/I:H/A:H) because this is an heap-based buffer overflow which could be used to write data in memory and potentially execute code. Attack Complexity set to High (AC:H) considering that ASLR still needs to be bypassed and it requires another flaw or some additional effort from an attacker.

Comment 10 errata-xmlrpc 2021-08-16 10:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3152 https://access.redhat.com/errata/RHSA-2021:3152

Comment 11 errata-xmlrpc 2021-08-16 10:11:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3153 https://access.redhat.com/errata/RHSA-2021:3153

Comment 12 errata-xmlrpc 2021-08-16 10:59:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3158 https://access.redhat.com/errata/RHSA-2021:3158

Comment 13 Product Security DevOps Team 2021-08-16 13:28:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31291

Comment 14 errata-xmlrpc 2021-08-19 13:21:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3232 https://access.redhat.com/errata/RHSA-2021:3232

Comment 15 errata-xmlrpc 2021-08-19 13:27:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3231 https://access.redhat.com/errata/RHSA-2021:3231

Comment 16 errata-xmlrpc 2021-08-19 13:32:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3230 https://access.redhat.com/errata/RHSA-2021:3230

Comment 17 errata-xmlrpc 2021-08-19 14:08:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3233 https://access.redhat.com/errata/RHSA-2021:3233

Comment 18 errata-xmlrpc 2021-08-19 14:53:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3234 https://access.redhat.com/errata/RHSA-2021:3234


Note You need to log in before you can comment on or make changes to this bug.