Bugzilla – Bug 1153577
VUL-1: CVE-2019-17402: exiv2:improper validation of the total size to the offset and size leads to a crash in Exiv2::getULong in types.cpp
Last modified: 2024-05-06 12:22:45 UTC
CVE-2019-17402 Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17402 https://github.com/Exiv2/exiv2/issues/1019
Created attachment 821030 [details] POC valgrind exiv2 -pv $POC
Created attachment 821031 [details] manual triggering compile it: g++ exiv-test.cpp -o exiv-test -lexiv2 -g and run valgrind ./exiv-test $POC
POC tested against SLE15 and SLE12 successfully. Code review suggests that in SLE11 the fix[1] is applicable. [1] https://github.com/Exiv2/exiv2/pull/1027/commits/b7890776c62398ca1005e8edc32786859d60fcf7
Valgrind OUTPUT: ==18624== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==18624== Access not within mapped region at address 0x4026143 ==18624== at 0x4F74F28: Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) (types.cpp:227) ==18624== by 0x4EDC7F9: Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) (crwimage.cpp:459) ==18624== by 0x4EDC8C3: read (crwimage.cpp:408) ==18624== by 0x4EDC8C3: Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) (crwimage.cpp:476) ==18624== by 0x4EDCC92: Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) (crwimage.cpp:186) ==18624== by 0x4EDE5EF: Exiv2::CrwImage::readMetadata() (crwimage.cpp:143) ==18624== by 0x40172A: main (exiv-test.cpp:13) ==18624== If you believe this happened as a result of a stack ==18624== overflow in your program's main thread (unlikely but ==18624== possible), you can try to increase the size of the ==18624== main thread stack using the --main-stacksize= flag. ==18624== The main thread stack size used in this run was 8388608. ==18624== ==18624== HEAP SUMMARY: ==18624== in use at exit: 3,133 bytes in 31 blocks ==18624== total heap usage: 36 allocs, 5 frees, 76,995 bytes allocated ==18624== ==18624== LEAK SUMMARY: ==18624== definitely lost: 0 bytes in 0 blocks ==18624== indirectly lost: 0 bytes in 0 blocks ==18624== possibly lost: 0 bytes in 0 blocks ==18624== still reachable: 3,133 bytes in 31 blocks ==18624== of which reachable via heuristic: ==18624== stdstring : 1,097 bytes in 20 blocks ==18624== suppressed: 0 bytes in 0 blocks ==18624== Rerun with --leak-check=full to see details of leaked memory ==18624== ==18624== For counts of detected and suppressed errors, rerun with: -v ==18624== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped)
SUSE-SU-2020:0860-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 1040973,1110282,1142678,1142683,1153577,1161901 CVE References: CVE-2017-9239,CVE-2018-17581,CVE-2019-13110,CVE-2019-13113,CVE-2019-17402,CVE-2019-20421 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): exiv2-0.23-12.8.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): exiv2-0.23-12.8.1 SUSE Linux Enterprise Server 12-SP5 (src): exiv2-0.23-12.8.1 SUSE Linux Enterprise Server 12-SP4 (src): exiv2-0.23-12.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted for SLE15. Skipping SLE11 as it is low CVSS score.
SUSE-SU-2022:4208-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1050257,1095070,1110282,1119559,1119560,1119562,1142677,1142678,1153577,1186231,1189337 CVE References: CVE-2017-11591,CVE-2018-11531,CVE-2018-17581,CVE-2018-20097,CVE-2018-20098,CVE-2018-20099,CVE-2019-13109,CVE-2019-13110,CVE-2019-17402,CVE-2021-29473,CVE-2021-32815 JIRA References: Sources used: openSUSE Leap 15.4 (src): exiv2-0_26-0.26-150400.9.21.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): exiv2-0_26-0.26-150400.9.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4276-1: An update that fixes 11 vulnerabilities is now available. Category: security (important) Bug References: 1050257,1095070,1110282,1119559,1119560,1119562,1142677,1142678,1153577,1186231,1189337 CVE References: CVE-2017-11591,CVE-2018-11531,CVE-2018-17581,CVE-2018-20097,CVE-2018-20098,CVE-2018-20099,CVE-2019-13109,CVE-2019-13110,CVE-2019-17402,CVE-2021-29473,CVE-2021-32815 JIRA References: Sources used: openSUSE Leap 15.3 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Server 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Retail Branch Server 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Manager Proxy 4.1 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server for SAP 15 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Server 15-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): exiv2-0.26-150000.6.26.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): exiv2-0.26-150000.6.26.1 SUSE Enterprise Storage 7 (src): exiv2-0.26-150000.6.26.1 SUSE Enterprise Storage 6 (src): exiv2-0.26-150000.6.26.1 SUSE CaaS Platform 4.0 (src): exiv2-0.26-150000.6.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.