1219870 – (CVE-2024-24826) VUL-0: CVE-2024-24826: exiv2,exiv2-0_26: out-of-bounds read in QuickTimeVideo:NikonTagsDecoder

Bug 1219870 (CVE-2024-24826) - VUL-0: CVE-2024-24826: exiv2,exiv2-0_26: out-of-bounds read in QuickTimeVideo:NikonTagsDecoder

Summary: VUL-0: CVE-2024-24826: exiv2,exiv2-0_26: out-of-bounds read in QuickTimeVide...

Status:	RESOLVED FIXED

Alias:	CVE-2024-24826

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/393779/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-24826:5.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-02-13 09:23 UTC by SMASH SMASH
Modified:	2024-03-25 13:57 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-02-13 09:23:10 UTC

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.1. The vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. In most cases this out of bounds read will result in a crash. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24826
https://www.cve.org/CVERecord?id=CVE-2024-24826
https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
https://bugzilla.redhat.com/show_bug.cgi?id=2263978

Comment 2 Andrea Mattiazzo 2024-02-13 09:32:58 UTC

Patch (not merged upstream yet):
https://github.com/Exiv2/exiv2/pull/2916

Comment 3 Andrea Mattiazzo 2024-02-13 09:35:22 UTC

Tracking as affected:
- SUSE:SLE-15-SP4:Update/exiv2
- SUSE:SLE-15-SP4:Update/exiv2-0_26
- SUSE:SLE-15:Update/exiv2
- openSUSE:Factory/exiv2

Comment 4 OBSbugzilla Bot 2024-02-28 17:35:02 UTC

This is an autogenerated message for OBS integration:
This bug (1219870) was mentioned in
https://build.opensuse.org/request/show/1152963 Factory / exiv2

Comment 5 Dirk Mueller 2024-03-01 09:47:51 UTC

as the comment #0 says, versions before 0.28 are not affected. the listed code streams are all 0.27 and older and hence are not affected.

Comment 6 Dirk Mueller 2024-03-25 13:00:01 UTC

https://www.suse.com/de-de/security/cve/CVE-2024-24826.html still lists products as affected. can you please set them to "not affected" ?

Comment 7 Andrea Mattiazzo 2024-03-25 13:56:24 UTC

(In reply to Dirk Mueller from comment #6)
> https://www.suse.com/de-de/security/cve/CVE-2024-24826.html still lists
> products as affected. can you please set them to "not affected" ?

Done, the tool skipped some code stream, now they should all be listed not affected. It will take some time to update.

Comment 8 Andrea Mattiazzo 2024-03-25 13:57:18 UTC

(In reply to Andrea Mattiazzo from comment #7)
> (In reply to Dirk Mueller from comment #6)
> > https://www.suse.com/de-de/security/cve/CVE-2024-24826.html still lists
> > products as affected. can you please set them to "not affected" ?
> 
> Done, the tool skipped some code stream, now they should all be listed not
> affected. It will take some time to update.