Bug 1205391 (CVE-2022-3953)

Summary: VUL-0: CVE-2022-3953: exiv2: infinite loop in QuickTimeVideo::multipleEntriesDecoder()
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/347844/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-3953:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2022-11-14 09:50:07 UTC
CVE-2022-3953

A vulnerability was found in Exiv2. It has been classified as problematic. This
affects the function QuickTimeVideo::multipleEntriesDecoder of the file
quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation
leads to infinite loop. It is possible to initiate the attack remotely. The name
of the patch is 771ead87321ae6e39e5c9f6f0855c58cde6648f1. It is recommended to
apply a patch to fix this issue. The associated identifier of this vulnerability
is VDB-213459.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3953
https://github.com/Exiv2/exiv2/commit/771ead87321ae6e39e5c9f6f0855c58cde6648f1
https://www.cve.org/CVERecord?id=CVE-2022-3953
https://github.com/Exiv2/exiv2/pull/2394
https://vuldb.com/?id.213459
Comment 1 Carlos López 2022-11-14 09:51:27 UTC
Affected:
- SUSE:SLE-15:Update/exiv2
- SUSE:SLE-15-SP4:Update/exiv2
- openSUSE:Factory/exiv2
Comment 2 Dirk Mueller 2022-11-14 12:07:14 UTC
How did you determine that we're affected? quicktime video is not compiled on SLE15-SP4 and older: 

iosc rbl SUSE:SLE-15-SP4:Update exiv2.26338 standard x86_64 | grep "Building video"
[   78s] -- Building video support:             NO
Comment 3 Carlos López 2022-11-14 12:12:41 UTC
(In reply to Dirk Mueller from comment #2)
> How did you determine that we're affected? quicktime video is not compiled
> on SLE15-SP4 and older: 
> 
> iosc rbl SUSE:SLE-15-SP4:Update exiv2.26338 standard x86_64 | grep "Building
> video"
> [   78s] -- Building video support:             NO

I only examined the codebase, not the build options; you're right. On SUSE:SLE-15:Update/exiv2 it seems we do not enable it either:

exiv2.spec:119:  -DEXIV2_ENABLE_VIDEO:BOOL=OFF \

Closing the bug, nothing to fix.
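
The check this thread turned on, as an added example that is not part of the original bug report: decide from build evidence, not from the source tree, whether the video handler is compiled in. The function names, verdict strings and sample files are assumptions made for illustration; only the `-DEXIV2_ENABLE_VIDEO:BOOL=OFF` spec line and the `Building video support: NO` log line come from the comments above.

```shell
#!/bin/sh
# Added triage example: is exiv2's video code compiled into this package?

# Effective value of a CMake -D option in a spec file: ON, OFF or UNSET.
# The last uncommented definition wins, as on the cmake command line.
cmake_option_state() {  # $1 = option name, $2 = spec file
    val=$(sed -n "s/^[^#]*-D$1\(:[A-Za-z]*\)\{0,1\}=\([A-Za-z0-9]*\).*/\2/p" "$2" | tail -n 1)
    case $(printf '%s' "$val" | tr '[:lower:]' '[:upper:]') in
        ON|1|TRUE|YES|Y)  echo ON ;;
        OFF|0|FALSE|NO|N) echo OFF ;;
        *)                echo UNSET ;;
    esac
}

# Value of the "Building video support" summary line in a build log.
# NO is the value shown in the thread; YES is assumed as its counterpart.
log_video_state() {  # $1 = build log file
    val=$(sed -n 's/.*-- Building video support:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case $val in YES|NO) echo "$val" ;; *) echo UNKNOWN ;; esac
}

# Any sign that video is enabled wins, so conflicting evidence goes to review.
triage() {  # $1 = spec file, $2 = build log
    case "$(cmake_option_state EXIV2_ENABLE_VIDEO "$1")/$(log_video_state "$2")" in
        ON/*|*/YES) echo needs-review ;;
        OFF/*|*/NO) echo not-built ;;
        *)          echo unknown ;;
    esac
}

# Constructed sample inputs (only the two quoted lines come from the thread).
tmp=$(mktemp -d)
printf '%s\n' '%build' '%cmake \' '  -DEXIV2_ENABLE_VIDEO:BOOL=OFF \' \
    '  -DCMAKE_BUILD_TYPE=Release' > "$tmp/off.spec"
printf '%s\n' '%cmake \' '#  -DEXIV2_ENABLE_VIDEO:BOOL=OFF \' \
    '  -DEXIV2_ENABLE_VIDEO=on' > "$tmp/on.spec"
printf '%s\n' '[   78s] -- Building video support:             NO' > "$tmp/no.log"
: > "$tmp/empty.log"

triage "$tmp/off.spec" "$tmp/no.log"
triage "$tmp/on.spec" "$tmp/no.log"
```

An `UNSET` result means the package relies on the upstream default for that option, which has to be looked up for the packaged version.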
Comment 4 OBSbugzilla Bot 2022-11-14 13:35:12 UTC
This is an autogenerated message for OBS integration:
This bug (1205391) was mentioned in
https://build.opensuse.org/request/show/1035633 Factory / exiv2
Comment 5 OBSbugzilla Bot 2022-11-14 23:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1205391) was mentioned in
https://build.opensuse.org/request/show/1035724 Factory / exiv2