Bug 1088422 - (CVE-2018-9304) VUL-1: CVE-2018-9304: exiv2: divide by zero in BigTiffImage::printIFD in bigtiffimage.cpp could result in denial of service.
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Dirk Mueller
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/203205/
Whiteboard: CVSSv3:SUSE:CVE-2018-9304:3.3:(AV:L/A...
Reported: 2018-04-06 07:51 UTC by Karol Babioch
Modified: 2019-03-28 23:49 UTC
Found By: Security Response Team
Attachments:
Reproducer (24 bytes, application/octet-stream), 2018-04-06 07:52 UTC, Karol Babioch

Description Karol Babioch 2018-04-06 07:51:33 UTC
CVE-2018-9304

In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in bigtiffimage.cpp could result in denial of service. 

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9304
http://www.cvedetails.com/cve/CVE-2018-9304/
https://github.com/Exiv2/exiv2/issues/262
https://github.com/xiaoqx/pocs/blob/master/exiv2/readme.md
Comment 1 Karol Babioch 2018-04-06 07:52:41 UTC
Created attachment 766214
Reproducer
Comment 2 Karol Babioch 2018-04-06 07:53:15 UTC
==6016== Memcheck, a memory error detector
==6016== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==6016== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==6016== Command: exiv2 -pX 7-printIFD-divbyzero-1
==6016== 
==6016== Conditional jump or move depends on uninitialised value(s)
==6016==    at 0x4C3013D: __memcmp_sse4_1 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6016==    by 0x4FDDE38: Exiv2::isTgaType(Exiv2::BasicIo&, bool) (in /usr/lib64/libexiv2.so.14.0.0)
==6016==    by 0x4F8F6B5: Exiv2::ImageFactory::open(std::auto_ptr<Exiv2::BasicIo>) (in /usr/lib64/libexiv2.so.14.0.0)
==6016==    by 0x4F8F8E8: Exiv2::ImageFactory::open(std::string const&, bool) (in /usr/lib64/libexiv2.so.14.0.0)
==6016==    by 0x416267: Action::Print::printStructure(std::ostream&, Exiv2::PrintStructureOption) (in /usr/bin/exiv2)
==6016==    by 0x41D021: Action::Print::run(std::string const&) (in /usr/bin/exiv2)
==6016==    by 0x409859: main (in /usr/bin/exiv2)
==6016== 
==6016== Conditional jump or move depends on uninitialised value(s)
==6016==    at 0x4F8F6B8: Exiv2::ImageFactory::open(std::auto_ptr<Exiv2::BasicIo>) (in /usr/lib64/libexiv2.so.14.0.0)
==6016==    by 0x4F8F8E8: Exiv2::ImageFactory::open(std::string const&, bool) (in /usr/lib64/libexiv2.so.14.0.0)
==6016==    by 0x416267: Action::Print::printStructure(std::ostream&, Exiv2::PrintStructureOption) (in /usr/bin/exiv2)
==6016==    by 0x41D021: Action::Print::run(std::string const&) (in /usr/bin/exiv2)
==6016==    by 0x409859: main (in /usr/bin/exiv2)
==6016== 
Exiv2 exception in print action for file 7-printIFD-divbyzero-1:
7-printIFD-divbyzero-1: The file contains data of an unknown image type
==6016== 
==6016== HEAP SUMMARY:
==6016==     in use at exit: 0 bytes in 0 blocks
==6016==   total heap usage: 184 allocs, 184 frees, 82,980 bytes allocated
==6016== 
==6016== All heap blocks were freed -- no leaks are possible
==6016== 
==6016== For counts of detected and suppressed errors, rerun with: -v
==6016== Use --track-origins=yes to see where uninitialised values come from
==6016== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Comment 3 Johannes Segitz 2018-09-14 07:59:05 UTC
SUSE will not provide a fix for this issue since the risk to our customers posed by this is negligible.