Bugzilla – Bug 1204820
VUL-0: CVE-2022-3718: exiv2: null pointer dereference in QuickTime Video Handler
Last modified: 2022-10-31 08:36:32 UTC
CVE-2022-3718

A vulnerability, which was classified as problematic, was found in Exiv2. This affects the function QuickTimeVideo::decodeBlock of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The name of the patch is 459910c36a21369c09b75bcfa82f287c9da56abf. It is recommended to apply a patch to fix this issue. The identifier VDB-212349 was assigned to this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3718
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52053
https://www.cve.org/CVERecord?id=CVE-2022-3718
https://github.com/Exiv2/exiv2/commit/459910c36a21369c09b75bcfa82f287c9da56abf
http://www.cvedetails.com/cve/CVE-2022-3718/
https://vuldb.com/?id.212349

Affected:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory
This is invalid. Exiv2 0.27 and later have dropped that QuickTime video handler due to low code quality, so the issue does not exist there. So SLE-15-SP4 and Factory are not affected. The commits exist in *git main* branch only as they resurrected the feature, but there isn't a released version with that functionality. Calling CVEs for that is dubious IMHO at best.

The code does exist in 0.26, however it is disabled from compilation by default, so we're not affected.
(In reply to Dirk Mueller from comment #2)
> This is invalid. Exiv2 0.27 and later have dropped that QuickTime video
> handler due to low code quality, so the issue does not exist there. So
> SLE-15-SP4 and Factory are not affected. The commits exist in *git main*
> branch only as they resurrected the feature, but there isn't a released
> version with that functionality. Calling CVEs for that is dubious IMHO at
> best.
>
> The code does exist in 0.26, however it is disabled from compilation by
> default, so we're not affected.

Thanks for checking, Dirk. AFAICS sle15sp4 ships 0.26, which is also not affected.

Nothing affected, closing.