Bug 1204818 (CVE-2022-3717) - VUL-0: CVE-2022-3717: exiv2: integer overflow in BmffImage::boxHandler
Summary: VUL-0: CVE-2022-3717: exiv2: integer overflow in BmffImage::boxHandler
Status: RESOLVED INVALID
Alias: CVE-2022-3717
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Dirk Mueller
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/346354/
Reported: 2022-10-28 07:26 UTC by Thomas Leroy
Modified: 2022-10-28 07:28 UTC
Found By: Security Response Team

Description Thomas Leroy 2022-10-28 07:26:57 UTC
CVE-2022-3717

A vulnerability, which was classified as critical, has been found in Exiv2.
Affected by this issue is the function BmffImage::boxHandler of the file
bmffimage.cpp. The manipulation leads to memory corruption. The attack may be
launched remotely. The name of the patch is
a58e52ed702d3bc7b8bab7ec1d70a4849eebece3. It is recommended to apply a patch to
fix this issue. The identifier of this vulnerability is VDB-212348.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3717
https://www.cve.org/CVERecord?id=CVE-2022-3717
https://github.com/Exiv2/exiv2/commit/a58e52ed702d3bc7b8bab7ec1d70a4849eebece3
http://www.cvedetails.com/cve/CVE-2022-3717/
https://vuldb.com/?id.212348
Comment 1 Thomas Leroy 2022-10-28 07:28:05 UTC
Buggy commit [0] very recent, none of the codestreams affected. Closing

[0] https://github.com/Exiv2/exiv2/commit/9a6ee59421fdfa0745a5f494a3dd19af78b03ce7