Bugzilla – Bug 1048883
VUL-1: CVE-2017-11336, CVE-2017-11337, CVE-2017-11338, CVE-2017-11339, CVE-2017-11340: exiv2: Multiple issues
Last modified: 2022-10-28 17:28:39 UTC
We received reports about the attached reproducers triggering the following problems in exiv2:

CVE-2017-11336
There is a heap-based buffer over-read in the Image::printIFDStructure function in image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service attack.
Reproducer: POC2
https://bugzilla.redhat.com/show_bug.cgi?id=1470729

CVE-2017-11337
There is an invalid free in the Action::TaskFactory::cleanup function of actions.cpp in exiv2. A crafted input will lead to a remote denial of service attack.
Reproducer: POC3
https://bugzilla.redhat.com/show_bug.cgi?id=1470737

CVE-2017-11338
There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service attack.
Reproducer: POC4
https://bugzilla.redhat.com/show_bug.cgi?id=1470913

CVE-2017-11339
There is a heap-based buffer overflow in the Image::printIFDStructure function of image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service attack.
Reproducer: POC5
https://bugzilla.redhat.com/show_bug.cgi?id=1470946

CVE-2017-11340
There is a segmentation fault in the XmpParser::terminate() function in Exiv2 0.26, related to an exit call. A crafted input will lead to a remote denial of service attack.
Reproducer: POC6
https://bugzilla.redhat.com/show_bug.cgi?id=1470950

I tried to reproduce the issues, but none of the reproducers trigger for me. Do we have something special in our packages that might mitigate the problems?
CVE-2017-11336 - affects only factory exiv2 0.26 (not 0.25)
CVE-2017-11337 - affects only factory exiv2 0.26 (not 0.25)
CVE-2017-11338 - affects only factory exiv2 0.26 (not 0.25)
CVE-2017-11339 - affects only factory exiv2 0.26 (not 0.25)
CVE-2017-11340 - affects only factory exiv2 0.26 (not 0.25)

This is largely all in the same place, printIFDStructure, and might even be dups I think.
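Three of the five reports above concern the same spot, an IFD walk that either reads past the end of the buffer or never terminates. The following is an added illustration of how a TIFF IFD chain is walked defensively against exactly those two failure modes; it is not exiv2's printIFDStructure, not the code changed in the fix, and the TIFF byte strings are constructed samples, not the reporters' reproducers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_IFDS 64  /* hard cap on chain length; also bounds the loop-detection table */

typedef enum { IFD_OK = 0, IFD_BAD_HEADER, IFD_TRUNCATED, IFD_LOOP } ifd_status;

/* Bounds-checked little/big-endian readers: they fail instead of reading past len. */
static int rd16(const uint8_t *b, size_t len, size_t off, int le, uint16_t *out)
{
    if (off > len || len - off < 2) return 0;
    *out = le ? (uint16_t)(b[off] | (b[off + 1] << 8)) : (uint16_t)((b[off] << 8) | b[off + 1]);
    return 1;
}

static int rd32(const uint8_t *b, size_t len, size_t off, int le, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = le ? ((uint32_t)b[off] | (uint32_t)b[off + 1] << 8 | (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24)
              : ((uint32_t)b[off] << 24 | (uint32_t)b[off + 1] << 16 | (uint32_t)b[off + 2] << 8 | (uint32_t)b[off + 3]);
    return 1;
}

/* Byte size of one element of each TIFF field type (1..12); 0 marks an unknown type. */
static const uint8_t type_size[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Walks the IFD chain of a TIFF buffer, counting directories and entries.
 * Every offset is validated against len before it is dereferenced, and every
 * next-IFD pointer is checked against the offsets already visited. */
ifd_status walk_ifds(const uint8_t *buf, size_t len, unsigned *ifds, unsigned *entries)
{
    uint32_t seen[MAX_IFDS];
    uint32_t off;
    uint16_t magic;
    int le;

    *ifds = 0; *entries = 0;
    if (len < 8) return IFD_BAD_HEADER;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return IFD_BAD_HEADER;
    if (!rd16(buf, len, 2, le, &magic) || magic != 42) return IFD_BAD_HEADER;
    if (!rd32(buf, len, 4, le, &off)) return IFD_BAD_HEADER;

    while (off != 0) {
        uint16_t count, e;
        size_t need;
        unsigned i;

        /* Loop guard: a pointer back to an offset already walked (or an absurdly long chain) ends the walk. */
        for (i = 0; i < *ifds; i++) if (seen[i] == off) return IFD_LOOP;
        if (*ifds >= MAX_IFDS) return IFD_LOOP;
        seen[(*ifds)++] = off;

        /* Size the whole directory before touching any entry: 2-byte count, 12-byte entries, 4-byte next pointer. */
        if (!rd16(buf, len, off, le, &count)) return IFD_TRUNCATED;
        need = 2 + (size_t)count * 12 + 4;
        if (len - off < need) return IFD_TRUNCATED;   /* off <= len holds because rd16 succeeded */

        for (e = 0; e < count; e++) {
            size_t eoff = off + 2 + (size_t)e * 12;
            uint16_t tag, type; uint32_t n, val; uint64_t bytes;
            rd16(buf, len, eoff, le, &tag);
            rd16(buf, len, eoff + 2, le, &type);
            rd32(buf, len, eoff + 4, le, &n);
            rd32(buf, len, eoff + 8, le, &val);
            bytes = (type <= 12) ? (uint64_t)n * type_size[type] : 0;
            /* Values wider than 4 bytes live out-of-line at 'val'; that range must also lie inside the buffer. */
            if (bytes > 4 && (val > len || bytes > len - val)) return IFD_TRUNCATED;
            (*entries)++;
        }
        rd32(buf, len, off + 2 + (size_t)count * 12, le, &off);
    }
    return IFD_OK;
}

/* Constructed little-endian samples: one valid IFD; the same IFD whose next pointer
 * points back at itself; and a header whose IFD claims 100 entries in a 10-byte file. */
static const uint8_t tiff_ok[]   = { 'I','I',0x2A,0, 8,0,0,0, 1,0, 0,1, 3,0, 1,0,0,0, 16,0,0,0, 0,0,0,0 };
static const uint8_t tiff_loop[] = { 'I','I',0x2A,0, 8,0,0,0, 1,0, 0,1, 3,0, 1,0,0,0, 16,0,0,0, 8,0,0,0 };
static const uint8_t tiff_cut[]  = { 'I','I',0x2A,0, 8,0,0,0, 100,0 };

ifd_status check_ok(void)   { unsigned a, b; return walk_ifds(tiff_ok,   sizeof tiff_ok,   &a, &b); }
ifd_status check_loop(void) { unsigned a, b; return walk_ifds(tiff_loop, sizeof tiff_loop, &a, &b); }
ifd_status check_cut(void)  { unsigned a, b; return walk_ifds(tiff_cut,  sizeof tiff_cut,  &a, &b); }
unsigned   entries_ok(void) { unsigned a, b; walk_ifds(tiff_ok, sizeof tiff_ok, &a, &b); return b; }

int main(void)
{
    printf("ok=%d loop=%d cut=%d entries=%u\n", check_ok(), check_loop(), check_cut(), entries_ok());
    return 0;
}
```

The two checks that matter are the pre-sizing of the whole directory (count, entries and next pointer) before any entry is read, and the visited-offset table that turns a self-referencing next pointer into a clean error; a reader that trusts the on-disk count or follows the next pointer unconditionally exhibits precisely the over-read and the infinite loop the reports describe.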
Fixed as part of https://github.com/Exiv2/exiv2/pull/120, which I submitted to Factory now.
This is an autogenerated message for OBS integration:
This bug (1048883) was mentioned in
https://build.opensuse.org/request/show/613049 Factory / exiv2
SUSE-SU-2018:1882-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src): exiv2-0.26-6.3.1
done
openSUSE-SU-2018:1961-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
openSUSE Leap 15.0 (src): exiv2-0.26-lp150.5.3.1