Bug 1109299 - (CVE-2018-17282) VUL-1: CVE-2018-17282: exiv2: The function Exiv2:DataValue:copy in value.cpp has a NULL pointer dereference
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/215314/
CVSSv2:NVD:CVE-2018-17282:4.3:(AV:N/...
Reported: 2018-09-21 12:37 UTC by Karol Babioch
Modified: 2022-09-28 16:20 UTC (History)
Found By: Security Response Team
Blocker: ---

Attachments
QA reproducer (112 bytes, image/tiff), 2018-09-21 12:44 UTC, Karol Babioch

Description Karol Babioch 2018-09-21 12:37:53 UTC
CVE-2018-17282

An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in
value.cpp has a NULL pointer dereference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17282
https://github.com/Exiv2/exiv2/issues/457
Comment 1 Karol Babioch 2018-09-21 12:44:42 UTC
Created attachment 783876 (QA reproducer)
Comment 2 Karol Babioch 2018-09-21 12:45:28 UTC
Does not trigger for me:

valgrind exiv2 poc8-DataValue\ copy 
==2274== Memcheck, a memory error detector
==2274== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2274== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2274== Command: exiv2 poc8-DataValue\ copy
==2274== 
invalid type value detected in Image::printIFDStructure:  0
Error: Directory Image: IFD entry 9 lies outside of the data buffer.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 372984319*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18735; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x49000000; truncating the entry
Warning: Directory Image, entry 0x0049 has unknown Exif (TIFF) type 16511; setting type size 1.
Error: Offset of directory Image, entry 0x0049 is out of bounds: Offset = 0x45740000; truncating the entry
Warning: Directory Image, entry 0x7458 has unknown Exif (TIFF) type 9216; setting type size 1.
Error: Offset of directory Image, entry 0x7458 is out of bounds: Offset = 0x40004000; truncating the entry
Warning: Directory Image, entry 0x00fa has unknown Exif (TIFF) type 64000; setting type size 1.
Error: Offset of directory Image, entry 0x00fa is out of bounds: Offset = 0xf5ffffff; truncating the entry
Warning: Directory Image, entry 0xf5f5 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0xf5f5 is out of bounds: Offset = 0x0000f601; truncating the entry
Warning: Directory Image, entry 0x6564 has unknown Exif (TIFF) type 25459; setting type size 1.
Error: Directory Image, entry 0x6564 has invalid size 1313163634*1; skipping entry.
Warning: Directory Image, entry 0x8773 has unknown Exif (TIFF) type 64; setting type size 1.
Warning: Directory Image, entry 0x02e4 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x02e4 is out of bounds: Offset = 0x24590080; truncating the entry
File name       : poc8-DataValue copy
File size       : 112 Bytes
MIME type       : image/tiff
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 

==2274== 
==2274== HEAP SUMMARY:
==2274==     in use at exit: 0 bytes in 0 blocks
==2274==   total heap usage: 2,619 allocs, 2,619 frees, 314,322 bytes allocated
==2274== 
==2274== All heap blocks were freed -- no leaks are possible
==2274== 
==2274== For counts of detected and suppressed errors, rerun with: -v
==2274== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
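The exiv2 run above survives the reproducer because every IFD read is range-checked first: it reports entries that lie outside the data buffer, unknown TIFF type codes, impossible sizes and offsets that point past the file instead of dereferencing them. The walker below, added here as an illustration and not code from exiv2 or from the bug reporter, shows those four checks on a constructed 44-byte well-formed TIFF and a constructed 34-byte malformed one; the sample bytes, the function names and the `IfdCheck` tally are all assumptions of this example and do not reproduce the attached file.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Tally of what a bounds-checked walk over IFD0 found (constructed for this example).
struct IfdCheck {
    bool headerOk = false;
    size_t entriesRead = 0;   // entries whose 12 bytes lie inside the buffer
    size_t unknownType = 0;   // entries with a type code outside 1..13
    size_t skipped = 0;       // entries whose declared data size exceeds the buffer
    size_t truncated = 0;     // out-of-line values whose offset+size runs past the buffer
    std::vector<std::string> log;
};

// Byte width of TIFF/Exif types 1..13 (BYTE, ASCII, SHORT, LONG, RATIONAL, ...); 0 = unknown.
static size_t tiffTypeSize(uint16_t type) {
    static const size_t kSizes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8, 4};
    return type < sizeof(kSizes) / sizeof(kSizes[0]) ? kSizes[type] : 0;
}

static uint16_t rd16(const uint8_t* p, bool le) {
    return le ? uint16_t(p[0] | (p[1] << 8)) : uint16_t((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t* p, bool le) {
    uint32_t b0 = p[0], b1 = p[1], b2 = p[2], b3 = p[3];
    return le ? (b0 | b1 << 8 | b2 << 16 | b3 << 24) : (b0 << 24 | b1 << 16 | b2 << 8 | b3);
}
static std::string hexTag(uint16_t tag) {
    char buf[8];
    std::snprintf(buf, sizeof buf, "0x%04x", tag);
    return buf;
}

// Walks IFD0 of a TIFF held in memory. Every read is range-checked against len before it
// happens, and count*typeSize is overflow-checked before it is ever used as a length.
IfdCheck checkIfd0(const uint8_t* data, size_t len) {
    IfdCheck r;
    if (data == nullptr || len < 8) { r.log.push_back("Error: no TIFF header"); return r; }
    bool le;
    if (data[0] == 'I' && data[1] == 'I') le = true;
    else if (data[0] == 'M' && data[1] == 'M') le = false;
    else { r.log.push_back("Error: bad byte-order mark"); return r; }
    if (rd16(data + 2, le) != 42) { r.log.push_back("Error: bad TIFF magic"); return r; }
    r.headerOk = true;

    size_t ifd = rd32(data + 4, le);
    if (ifd > len || len - ifd < 2) { r.log.push_back("Error: IFD0 offset out of bounds"); return r; }
    uint16_t n = rd16(data + ifd, le);
    size_t avail = len - ifd - 2;                 // bytes available after the entry count
    for (size_t i = 0; i < n; ++i) {
        size_t off = i * 12;                      // i < 65536, so this cannot wrap
        if (off > avail || avail - off < 12) {
            r.log.push_back("Error: IFD entry " + std::to_string(i) + " lies outside of the data buffer.");
            break;
        }
        const uint8_t* e = data + ifd + 2 + off;
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le), valueOrOffset = rd32(e + 8, le);
        ++r.entriesRead;
        size_t tsz = tiffTypeSize(type);
        if (tsz == 0) {
            ++r.unknownType; tsz = 1;             // unknown code: assume 1 byte, as the log above does
            r.log.push_back("Warning: entry " + hexTag(tag) + " has unknown type " + std::to_string(type) + "; assuming size 1.");
        }
        if (count > SIZE_MAX / tsz || size_t(count) * tsz > len) {
            ++r.skipped;
            r.log.push_back("Error: entry " + hexTag(tag) + " has invalid size; skipping entry.");
            continue;
        }
        size_t size = size_t(count) * tsz;        // values of 4 bytes or fewer are stored inline
        if (size > 4 && (valueOrOffset > len || len - valueOrOffset < size)) {
            ++r.truncated;
            r.log.push_back("Error: entry " + hexTag(tag) + " offset out of bounds; truncating the entry.");
        }
    }
    return r;
}

// Constructed sample: minimal well-formed little-endian TIFF with two IFD0 entries.
std::vector<uint8_t> constructedGoodTiff() {
    return { 'I','I', 42,0, 8,0,0,0,             // header: LE, magic 42, IFD0 at offset 8
             2,0,                                // two entries
             0x00,0x01, 3,0, 1,0,0,0, 16,0,0,0,  // ImageWidth SHORT[1] = 16, stored inline
             0x0e,0x01, 2,0, 6,0,0,0, 38,0,0,0,  // ImageDescription ASCII[6] at offset 38
             0,0,0,0,                            // no next IFD
             'h','e','l','l','o',0 };            // the six ASCII bytes at offset 38
}
// Constructed sample: IFD0 claims three entries; the first has an unknown type and a huge
// count, the second points far outside the file, and the third is cut off by end of file.
std::vector<uint8_t> constructedMalformedTiff() {
    return { 'I','I', 42,0, 8,0,0,0, 3,0,
             0x02,0x00, 0,0, 0xf0,0xff,0xff,0xff, 0,0,0,0,    // type 0, count 0xfffffff0
             0x49,0x00, 2,0, 8,0,0,0, 0x00,0x00,0x74,0x45 };  // ASCII[8] at offset 0x45740000
}
IfdCheck checkConstructedGood() { auto t = constructedGoodTiff(); return checkIfd0(t.data(), t.size()); }
IfdCheck checkConstructedMalformed() { auto t = constructedMalformedTiff(); return checkIfd0(t.data(), t.size()); }

int main() {
    for (const std::string& line : checkConstructedMalformed().log) std::printf("%s\n", line.c_str());
    return 0;
}
```

Running it prints one warning and three errors for the malformed sample, mirroring the shape of the exiv2 messages above, while the well-formed sample passes silently; the point is that a size or offset taken from the file is never trusted until it has been compared against the buffer length, which is what keeps a truncated or fuzzed TIFF from turning into a read past the end of the data.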
Comment 4 Dirk Mueller 2020-03-24 20:01:53 UTC
Only v0.26+ is affected, added to the SLE15+ submission.
Comment 6 Swamp Workflow Management 2020-04-03 19:19:10 UTC
SUSE-SU-2020:0921-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040973,1068873,1088424,1097599,1097600,1109175,1109176,1109299,1115364,1117513,1142684
CVE References: CVE-2017-1000126,CVE-2017-9239,CVE-2018-12264,CVE-2018-12265,CVE-2018-17229,CVE-2018-17230,CVE-2018-17282,CVE-2018-19108,CVE-2018-19607,CVE-2018-9305,CVE-2019-13114
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    exiv2-0.26-6.8.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    exiv2-0.26-6.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-04-08 22:14:11 UTC
openSUSE-SU-2020:0482-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040973,1068873,1088424,1097599,1097600,1109175,1109176,1109299,1115364,1117513,1142684
CVE References: CVE-2017-1000126,CVE-2017-9239,CVE-2018-12264,CVE-2018-12265,CVE-2018-17229,CVE-2018-17230,CVE-2018-17282,CVE-2018-19108,CVE-2018-19607,CVE-2018-9305,CVE-2019-13114
Sources used:
openSUSE Leap 15.1 (src):    exiv2-0.26-lp151.7.3.1
Comment 8 Alexandros Toptsoglou 2020-07-10 14:39:49 UTC
Done