Bug 2058763 (CVE-2022-24614) - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
Summary: CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially cra...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24614
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2068597
Blocks: 2058768
TreeView+ depends on / blocked
 
Reported: 2022-02-25 19:40 UTC by Pedro Sampaio
Modified: 2022-07-07 19:38 UTC (History)
31 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-07 19:38:15 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:22:37 UTC

Description Pedro Sampaio 2022-02-25 19:40:32 UTC 
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.

Upstream bug:

https://github.com/drewnoakes/metadata-extractor/issues/561
Comment 1 Patrick Del Bello 2022-03-25 18:39:01 UTC 
Created metadata-extractor2 tracking bugs for this issue:

Affects: epel-7 [bug 2068597]
Comment 6 errata-xmlrpc 2022-07-07 14:22:33 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
Comment 7 Product Security DevOps Team 2022-07-07 19:38:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24614
Note You need to log in before you can comment on or make changes to this bug.