Bug 1204820 - (CVE-2022-3718) VUL-0: CVE-2022-3718: exiv2: null pointer dereference in QuickTime Video Handler
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/346353/
Reported: 2022-10-28 07:57 UTC by Thomas Leroy
Modified: 2022-10-31 08:36 UTC
Found By: Security Response Team


Description Thomas Leroy 2022-10-28 07:57:35 UTC
CVE-2022-3718

A vulnerability, which was classified as problematic, was found in Exiv2. This
affects the function QuickTimeVideo::decodeBlock of the file quicktimevideo.cpp
of the component QuickTime Video Handler. The manipulation leads to null pointer
dereference. It is possible to initiate the attack remotely. The name of the
patch is 459910c36a21369c09b75bcfa82f287c9da56abf. It is recommended to apply a
patch to fix this issue. The identifier VDB-212349 was assigned to this
vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3718
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52053
https://www.cve.org/CVERecord?id=CVE-2022-3718
https://github.com/Exiv2/exiv2/commit/459910c36a21369c09b75bcfa82f287c9da56abf
http://www.cvedetails.com/cve/CVE-2022-3718/
https://vuldb.com/?id.212349
Comment 1 Thomas Leroy 2022-10-28 07:58:08 UTC
Affected:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory
Comment 2 Dirk Mueller 2022-10-28 16:19:14 UTC
This is invalid. Exiv2 0.27 and later have dropped that QuickTime video handler
due to low code quality, so the issue does not exist there. So SLE-15-SP4 and
Factory are not affected. The commits exist in the *git main* branch only, as they
resurrected the feature, but there isn't a released version with that
functionality. Calling CVEs for that is dubious imho at best.

The code does exist in 0.26; however, it is disabled from compilation by
default, so we're not affected.
Comment 3 Thomas Leroy 2022-10-31 08:36:32 UTC
(In reply to Dirk Mueller from comment #2)
> This is invalid. Exiv2 0.27 and later have dropped that QuickTime video handler
> due to low code quality, so the issue does not exist there. So SLE-15-SP4 and
> Factory are not affected. The commits exist in the *git main* branch only, as they
> resurrected the feature, but there isn't a released version with that
> functionality. Calling CVEs for that is dubious imho at best.
> 
> The code does exist in 0.26; however, it is disabled from compilation by
> default, so we're not affected.

Thanks for checking, Dirk. AFAICS sle15sp4 ships 0.26, which is also not affected.
Nothing affected, closing.