Bug 1204823 (CVE-2022-3719)

Summary: VUL-0: CVE-2022-3719: exiv2: heap-based buffer overflow in QuickTime Video Handler
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/346352/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-3719:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2022-10-28 08:19:12 UTC 
CVE-2022-3719

A vulnerability has been found in Exiv2 and classified as critical. This
vulnerability affects the function QuickTimeVideo::userDataDecoder of the file
quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation
leads to heap-based buffer overflow. The attack can be initiated remotely. The
name of the patch is a38e124076138e529774d5ec9890d0731058115a. It is recommended
to apply a patch to fix this issue. VDB-212350 is the identifier assigned to
this vulnerability.

Upstream fix:
https://github.com/Exiv2/exiv2/commit/a38e124076138e529774d5ec9890d0731058115a

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3719
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51707
https://www.cve.org/CVERecord?id=CVE-2022-3719
https://github.com/Exiv2/exiv2/commit/a38e124076138e529774d5ec9890d0731058115a
http://www.cvedetails.com/cve/CVE-2022-3719/
https://vuldb.com/?id.212350
Comment 1 Thomas Leroy 2022-10-28 08:19:40 UTC 
Affected:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory
Comment 2 Dirk Mueller 2022-10-28 15:43:06 UTC 
this is invalid. Exiv2 0.27 and later have dropped that quicktime video handler due to low code quality. so the issue does not exist there. so SLE-15-SP4 and Factory are not affected. the commits exist in *git main* branch only as they resurrected the feature, but there isn't a released version with that functionality. calling CVE's for that is dubious imho at best.

The code does exist in 0.26, however it is disabled from compilation by default, so we're not affected.
Comment 3 Thomas Leroy 2022-10-31 08:36:05 UTC 
(In reply to Dirk Mueller from comment #2)
> this is invalid. Exiv2 0.27 and later have dropped that quicktime video
> handler due to low code quality. so the issue does not exist there. so
> SLE-15-SP4 and Factory are not affected. the commits exist in *git main*
> branch only as they resurrected the feature, but there isn't a released
> version with that functionality. calling CVE's for that is dubious imho at
> best.
> 
> The code does exist in 0.26, however it is disabled from compilation by
> default, so we're not affected.

Thanks for checking Dirk. Afaics sle15sp4 ships 0.26, which is also not affected.
Nothing affected, closing