Bug 1061025 - (CVE-2017-14858) VUL-1: CVE-2017-14858: exiv2: It is a heap-buffer-overflow in Exiv2::l2Data (types.cpp:398)
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Dirk Mueller
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/192616/
Whiteboard: CVSSv3.1:SUSE:CVE-2017-14858:3.3:(AV:...
Depends on:
Blocks:
Reported: 2017-09-29 08:51 UTC by Victor Pereira
Modified: 2022-11-14 10:13 UTC (History)
CC List: 8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2017-09-29 08:51:35 UTC
rh#1494782

There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp
in Exiv2 0.26. A crafted input will lead to a denial of service attack.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1494782
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14858
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14858.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14858
Comment 5 Dirk Mueller 2020-03-23 17:01:29 UTC
This was fixed in https://github.com/Exiv2/exiv2/issues/138, which was fixed in the maintenance update:
-------------------------------------------------------------------
Wed May 30 11:36:20 UTC 2018 - dmueller@suse.com

- update to latest 0.26 branch:
  * obsoletes 0001-Use-more-GNUInstallDirs.patch
  d4e4288d839d0d9546a05986771f8738c382060c.patch
  gcc-version-check.patch
  7f5b0778fa301b68c1c88e3820ec3afbd09dd0a5.patch
  fix-crash.patch
  * adds exiv2-update-to-0.26-branch.patch
  * Fixes CVE-2017-14864 (bsc#1060995),
  CVE-2017-14862 (bsc#1060996), CVE-2017-14859 (bsc#1061000)
  CVE-2017-14860 (bsc#1048883), CVE-2017-11337 (bsc#1048883),
  CVE-2017-11338 (bsc#1048883), CVE-2017-11339 (bsc#1048883),
  CVE-2017-11340 (bsc#1048883), CVE-2017-11553,
  CVE-2017-12955 (bsc#1054593), CVE-2017-12956,
  CVE-2017-12957, CVE-2017-11683, CVE-2017-11592,
  CVE-2017-11591 (bsc#1050257)
Comment 10 Dirk Mueller 2022-11-12 13:47:56 UTC
Here's the output of exiv2 0.23: 

src/exiv2 -p s -P E ~/Downloads/007-heap-buffer-over
exiv2: Ignoring surplus option -PE
Error: Offset of directory Image, entry 0x0100 is out of bounds: Offset = 0x30303030; truncating the entry
Warning: Directory Image, entry 0x0111: Strip 17 is outside of the data area; ignored.
Error: Directory Photo with 8224 entries considered invalid; not read.
Warning: Removing 913 characters from the beginning of the XMP packet
Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
File name       : /home/dirk/Downloads/007-heap-buffer-over
File size       : 331696 Bytes
MIME type       : image/tiff
Image size      : 0 x 12336
Camera make     : 000
Camera model    : 0000000000000
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    :
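The output above shows exiv2 0.23 rejecting an IFD entry whose offset (0x30303030) lies outside the file and a directory claiming 8224 entries. As an added illustration of that kind of bounds validation (constructed for this page, not Exiv2's code), the following minimal little-endian TIFF IFD reader checks every offset and size against the buffer length before reading; the entry limit MAX_IFD_ENTRIES, the sample layout built by build_sample, and the counters in ifd_summary are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte width of TIFF field types 1..12; index 0 and unknown types map to 0. */
static const size_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Assumed sanity limit on entries per directory (not Exiv2's own value). */
#define MAX_IFD_ENTRIES 1024

struct ifd_summary {
    int ok;            /* 1 if the directory header itself lies inside the buffer */
    int entries;       /* entry count declared by the directory */
    int accepted;      /* entries whose data lies entirely inside the buffer */
    int out_of_bounds; /* entries rejected: unknown type or offset+size past the end */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the first IFD of a little-endian TIFF held entirely in buf[0..len).
 * Every offset and size is checked against len before the bytes are touched. */
struct ifd_summary parse_ifd0(const uint8_t *buf, size_t len)
{
    struct ifd_summary s = {0, 0, 0, 0};
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16le(buf + 2) != 42)
        return s;                                   /* not a little-endian TIFF */
    uint32_t ifd = rd32le(buf + 4);
    if (ifd > len || len - ifd < 2)
        return s;                                   /* entry count lies outside the buffer */
    uint16_t n = rd16le(buf + ifd);
    if (n > MAX_IFD_ENTRIES || (size_t)n * 12 > len - ifd - 2)
        return s;                                   /* directory absurd or truncated */
    s.ok = 1;
    s.entries = n;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t type = rd16le(e + 2);
        uint32_t count = rd32le(e + 4);
        size_t unit = type < 13 ? tiff_type_size[type] : 0;
        if (unit == 0) { s.out_of_bounds++; continue; }   /* unknown field type */
        uint64_t size = (uint64_t)unit * count;            /* 64-bit product cannot wrap */
        if (size <= 4) { s.accepted++; continue; }         /* value is stored inline */
        uint32_t off = rd32le(e + 8);
        if (off > len || size > len - off) { s.out_of_bounds++; continue; }
        s.accepted++;                                      /* data fully inside the buffer */
    }
    return s;
}

/* Constructed sample file: header, one IFD with two entries (ImageWidth inline,
 * StripOffsets pointing at strip_offset) and a 12-byte strip table at offset 40.
 * out must hold 64 bytes; returns the sample's length. */
size_t build_sample(uint8_t *out, uint16_t entry_count, uint32_t strip_offset)
{
    memset(out, 0, 64);
    memcpy(out, "II", 2);
    out[2] = 42;                      /* magic 0x002A, little-endian */
    out[4] = 8;                       /* first IFD at offset 8 */
    uint8_t *ifd = out + 8;
    ifd[0] = (uint8_t)(entry_count & 0xff);
    ifd[1] = (uint8_t)(entry_count >> 8);
    uint8_t *e0 = ifd + 2;            /* tag 0x0100 ImageWidth, SHORT, count 1, value 8 */
    e0[1] = 0x01; e0[2] = 3; e0[4] = 1; e0[8] = 8;
    uint8_t *e1 = ifd + 14;           /* tag 0x0111 StripOffsets, LONG, count 3 -> 12 bytes */
    e1[0] = 0x11; e1[1] = 0x01; e1[2] = 4; e1[4] = 3;
    for (int b = 0; b < 4; b++) e1[8 + b] = (uint8_t)(strip_offset >> (8 * b));
    return 52;                        /* 8 + 2 + 24 + 4 (next-IFD pointer) + pad + 12-byte strip table */
}

/* Build a sample with the given directory size and strip offset, then parse it. */
struct ifd_summary summarize_sample(uint16_t entry_count, uint32_t strip_offset)
{
    uint8_t buf[64];
    size_t len = build_sample(buf, entry_count, strip_offset);
    return parse_ifd0(buf, len);
}

int main(void)
{
    /* Offset taken from the error message above; the entry is rejected, not read. */
    struct ifd_summary s = summarize_sample(2, 0x30303030);
    printf("entries=%d accepted=%d out_of_bounds=%d\n", s.entries, s.accepted, s.out_of_bounds);
    return 0;
}
```

The two checks that matter are the directory-level one (declared entry count times 12 bytes must fit after the count field) and the per-entry one (offset plus 64-bit size must fit in the buffer); both compare before indexing, so a hostile count or offset produces a rejected entry rather than a read past the allocation.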