1773683 – (CVE-2019-17402) CVE-2019-17402 exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check

Bug 1773683 (CVE-2019-17402) - CVE-2019-17402 exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check

Summary: CVE-2019-17402 exiv2: out-of-bounds read in CiffDirectory::readDirectory due ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-17402
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1773684 1775695 1775696 1954494
Blocks:	1773685
TreeView+	depends on / blocked

Reported:	2019-11-18 17:47 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-05-18 14:49 UTC (History)
CC List:	4 users (show)
Fixed In Version:	exiv2 0.27.3
Clone Of:
Environment:
Last Closed:	2020-09-29 21:58:53 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4030	0	None	None	None	2020-09-29 20:42:47 UTC

Description Guilherme de Almeida Suckevicz 2019-11-18 17:47:30 UTC

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

Reference:
http://github.com/Exiv2/exiv2/issues/1019

Comment 1 Guilherme de Almeida Suckevicz 2019-11-18 17:47:41 UTC

Created exiv2 tracking bugs for this issue:

Affects: fedora-all [bug 1773684]

Comment 2 Riccardo Schirone 2019-11-22 14:43:17 UTC

Upstream patch:
http://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 [master branch]
http://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec [0.27-maintanance branch]

Opened upstream issue to discuss improving the fix:
http://github.com/Exiv2/exiv2/issues/1026

Comment 3 Riccardo Schirone 2019-11-22 15:24:19 UTC

No release yet includes the fix.

Comment 4 Riccardo Schirone 2019-11-22 15:27:06 UTC

Function CiffDirectory::readDirectory(), called by CiffDirectory::doRead(), assumes that the buffer `pData` is at least `size` bytes large. This is not always true, as the `size` value is read from the image itself (in CiffComponent::doRead() function) and there are not enough checks to ensure this holds true.

Comment 9 errata-xmlrpc 2020-09-29 20:42:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4030 http://access.redhat.com/errata/RHSA-2020:4030

Comment 10 Product Security DevOps Team 2020-09-29 21:58:53 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

http://access.redhat.com/security/cve/cve-2019-17402

Comment 12 errata-xmlrpc 2021-05-18 14:49:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1758 http://access.redhat.com/errata/RHSA-2021:1758

Note You need to log in before you can comment on or make changes to this bug.