Bug 1061023 (CVE-2017-14860)

Summary: VUL-0: exiv2: It is a heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (jp2image.cpp:277)
Product: [openSUSE] openSUSE Distribution Reporter: Victor Pereira <vpereira>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Minor    
Priority: P3 - Medium CC: smash_bz, wolfgang.frisch
Version: Leap 15.0   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/192618/
Whiteboard: CVSSv2:NVD:CVE-2017-14860:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-14860:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: proof of concept

Description Victor Pereira 2017-09-29 08:49:07 UTC 
rh#1494776

There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata
function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of
service attack.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1494776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14860
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14860.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
Comment 1 Victor Pereira 2017-10-17 11:22:50 UTC 
Created attachment 744748 [details]
proof of concept
Comment 2 Dirk Mueller 2017-10-17 13:16:39 UTC 
This does not apply to exiv 0.25 or older, the relevant code part was only added in 0.26.
Comment 3 Johannes Segitz 2018-05-04 16:14:38 UTC 
Unfixed in Factory
Comment 4 Dirk Mueller 2018-05-30 11:28:48 UTC 
filed https://github.com/Exiv2/exiv2/issues/336 for this
Comment 5 Swamp Workflow Management 2018-07-05 10:12:30 UTC 
SUSE-SU-2018:1882-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    exiv2-0.26-6.3.1
Comment 6 Swamp Workflow Management 2018-07-14 01:10:59 UTC 
openSUSE-SU-2018:1961-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
openSUSE Leap 15.0 (src):    exiv2-0.26-lp150.5.3.1
Comment 7 Dirk Mueller 2018-10-16 21:12:07 UTC 
(In reply to Johannes Segitz from comment #3)
> Unfixed in Factory

This is fixed in factory:

-------------------------------------------------------------------
Wed May 30 11:36:20 UTC 2018 - dmueller@suse.com

- update to latest 0.26 branch:
  * obsoletes 0001-Use-more-GNUInstallDirs.patch
  d4e4288d839d0d9546a05986771f8738c382060c.patch
  gcc-version-check.patch
  7f5b0778fa301b68c1c88e3820ec3afbd09dd0a5.patch
  fix-crash.patch
  * adds exiv2-update-to-0.26-branch.patch
  * Fixes CVE-2017-14864 (bsc#1060995),
  CVE-2017-14862 (bsc#1060996), CVE-2017-14859 (bsc#1061000)
  CVE-2017-14860 (bsc#1048883), CVE-2017-11337 (bsc#1048883),
  CVE-2017-11338 (bsc#1048883), CVE-2017-11339 (bsc#1048883),
  CVE-2017-11340 (bsc#1048883), CVE-2017-11553,
  CVE-2017-12955 (bsc#1054593), CVE-2017-12956,
  CVE-2017-12957, CVE-2017-11683, CVE-2017-11592,
  CVE-2017-11591 (bsc#1050257)
Comment 8 Dirk Mueller 2018-10-30 08:50:33 UTC 
can we close this?
Comment 9 Wolfgang Frisch 2020-01-16 13:50:55 UTC 
Fixed in Leap 15.1.