Bug 1061023 - (CVE-2017-14860) VUL-0: exiv2: It is a heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (jp2image.cpp:277)
(CVE-2017-14860)
VUL-0: exiv2: It is a heap-buffer-overflow in Exiv2::Jp2Image::readMetadata (...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.0
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Security Team bot
E-mail List
https://smash.suse.de/issue/192618/
CVSSv2:NVD:CVE-2017-14860:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-29 08:49 UTC by Victor Pereira
Modified: 2020-01-16 13:50 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proof of concept (7.45 KB, image/jp2)
2017-10-17 11:22 UTC, Victor Pereira
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-09-29 08:49:07 UTC
rh#1494776

There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata
function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of
service attack.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1494776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14860
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14860.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
Comment 1 Victor Pereira 2017-10-17 11:22:50 UTC
Created attachment 744748 [details]
proof of concept
Comment 2 Dirk Mueller 2017-10-17 13:16:39 UTC
This does not apply to exiv 0.25 or older, the relevant code part was only added in 0.26.
Comment 3 Johannes Segitz 2018-05-04 16:14:38 UTC
Unfixed in Factory
Comment 4 Dirk Mueller 2018-05-30 11:28:48 UTC
filed https://github.com/Exiv2/exiv2/issues/336 for this
Comment 5 Swamp Workflow Management 2018-07-05 10:12:30 UTC
SUSE-SU-2018:1882-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    exiv2-0.26-6.3.1
Comment 6 Swamp Workflow Management 2018-07-14 01:10:59 UTC
openSUSE-SU-2018:1961-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1048883,1050257,1051188,1054590,1054592,1054593,1060995,1060996,1061000,1061023
CVE References: CVE-2017-11337,CVE-2017-11338,CVE-2017-11339,CVE-2017-11340,CVE-2017-11553,CVE-2017-11591,CVE-2017-11592,CVE-2017-11683,CVE-2017-12955,CVE-2017-12956,CVE-2017-12957,CVE-2017-14859,CVE-2017-14860,CVE-2017-14862,CVE-2017-14864
Sources used:
openSUSE Leap 15.0 (src):    exiv2-0.26-lp150.5.3.1
Comment 7 Dirk Mueller 2018-10-16 21:12:07 UTC
(In reply to Johannes Segitz from comment #3)
> Unfixed in Factory

This is fixed in factory:

-------------------------------------------------------------------
Wed May 30 11:36:20 UTC 2018 - dmueller@suse.com

- update to latest 0.26 branch:
  * obsoletes 0001-Use-more-GNUInstallDirs.patch
  d4e4288d839d0d9546a05986771f8738c382060c.patch
  gcc-version-check.patch
  7f5b0778fa301b68c1c88e3820ec3afbd09dd0a5.patch
  fix-crash.patch
  * adds exiv2-update-to-0.26-branch.patch
  * Fixes CVE-2017-14864 (bsc#1060995),
  CVE-2017-14862 (bsc#1060996), CVE-2017-14859 (bsc#1061000)
  CVE-2017-14860 (bsc#1048883), CVE-2017-11337 (bsc#1048883),
  CVE-2017-11338 (bsc#1048883), CVE-2017-11339 (bsc#1048883),
  CVE-2017-11340 (bsc#1048883), CVE-2017-11553,
  CVE-2017-12955 (bsc#1054593), CVE-2017-12956,
  CVE-2017-12957, CVE-2017-11683, CVE-2017-11592,
  CVE-2017-11591 (bsc#1050257)
Comment 8 Dirk Mueller 2018-10-30 08:50:33 UTC
can we close this?
Comment 9 Wolfgang Frisch 2020-01-16 13:50:55 UTC
Fixed in Leap 15.1.