Bug 1061025 (CVE-2017-14858)

Summary: VUL-1: CVE-2017-14858: exiv2: It is a heap-buffer-overflow in Exiv2::l2Data (types.cpp:398)
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Dirk Mueller <dmueller>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, atoptsoglou, dmueller, gabriele.sonnu, rfrohl, security-team, smash_bz, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/192616/
Whiteboard: CVSSv3.1:SUSE:CVE-2017-14858:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2017-09-29 08:51:35 UTC

There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp
in Exiv2 0.26. A Crafted input will lead to a denial of service attack.

Comment 5 Dirk Mueller 2020-03-23 17:01:29 UTC
this was fixed in https://github.com/Exiv2/exiv2/issues/138 which was fixed in the maintenance update:
Wed May 30 11:36:20 UTC 2018 - dmueller@suse.com

- update to latest 0.26 branch:
  * obsoletes 0001-Use-more-GNUInstallDirs.patch
  * adds exiv2-update-to-0.26-branch.patch
  * Fixes CVE-2017-14864 (bsc#1060995),
  CVE-2017-14862 (bsc#1060996), CVE-2017-14859 (bsc#1061000)
  CVE-2017-14860 (bsc#1048883), CVE-2017-11337 (bsc#1048883),
  CVE-2017-11338 (bsc#1048883), CVE-2017-11339 (bsc#1048883),
  CVE-2017-11340 (bsc#1048883), CVE-2017-11553,
  CVE-2017-12955 (bsc#1054593), CVE-2017-12956,
  CVE-2017-12957, CVE-2017-11683, CVE-2017-11592,
  CVE-2017-11591 (bsc#1050257)
Comment 10 Dirk Mueller 2022-11-12 13:47:56 UTC
Here's the output of exiv2 0.23: 

src/exiv2 -p s -P E ~/Downloads/007-heap-buffer-over
exiv2: Ignoring surplus option -PE
Error: Offset of directory Image, entry 0x0100 is out of bounds: Offset = 0x30303030; truncating the entry
Warning: Directory Image, entry 0x0111: Strip 17 is outside of the data area; ignored.
Error: Directory Photo with 8224 entries considered invalid; not read.
Warning: Removing 913 characters from the beginning of the XMP packet
Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
File name       : /home/dirk/Downloads/007-heap-buffer-over
File size       : 331696 Bytes
MIME type       : image/tiff
Image size      : 0 x 12336
Camera make     : 000
Camera model    : 0000000000000
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    :