Bug 544484 - media-gfx/exiv2: buffer overflow
Summary: media-gfx/exiv2: buffer overflow
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-25 16:50 UTC by Agostino Sarubbo
Modified: 2017-11-19 16:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-03-25 16:50:07 UTC
From ${URL} :

Exiv2 crashes on the attached file:

$ exiv2 pr crash.riff
*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
Aborted


Valgrind says it's a buffer overflow:

==5509== Invalid write of size 4
==5509==    at 0x452BD6C: __GI_mempcpy (mempcpy.S:54)
==5509==    by 0x451E307: _IO_file_xsgetn (fileops.c:1388)
==5509==    by 0x45200B7: _IO_sgetn (genops.c:495)
==5509==    by 0x4513998: fread (iofread.c:42)
==5509==    by 0x40AF816: fread (stdio2.h:295)
==5509==    by 0x40AF816: Exiv2::FileIo::read(unsigned char*, long) (basicio.cpp:941)
==5509==    by 0x415B513: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:695)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)
==5509==  Address 0x46b6081 is 97 bytes inside a block of size 100 alloc'd
==5509==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==5509==    by 0x415B4F9: DataBuf (types.hpp:199)
==5509==    by 0x415B4F9: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:694)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
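As an added illustration (not Exiv2's code and not part of the bug report), this is the kind of bounds check that would reject the write Valgrind flags above: 4 bytes landing at offset 97 of a 100-byte buffer, where the length came from the file. The chunk layout, buffer capacity and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-capacity destination, sized like the 100-byte block in the Valgrind
 * report. Constructed for this example; it is not Exiv2's DataBuf. */
#define BUF_CAP 100u

typedef struct {
    const uint8_t *data;   /* constructed input bytes */
    size_t len;
    size_t pos;
} stream_t;

/* Core check: n bytes written at offset stay inside cap only if
 * offset + n <= cap, evaluated without overflowing size_t. */
bool fits_in_buffer(size_t cap, size_t offset, size_t n)
{
    return offset <= cap && n <= cap - offset;
}

/* Bounded read: copies n bytes from the stream into buf at offset, or
 * returns false without touching buf when the write would leave the
 * buffer or the input is shorter than the requested length. */
bool read_bounded(stream_t *in, uint8_t *buf, size_t cap, size_t offset, size_t n)
{
    if (!fits_in_buffer(cap, offset, n)) return false;
    if (n > in->len - in->pos) return false;   /* truncated input */
    memcpy(buf + offset, in->data + in->pos, n);
    in->pos += n;
    return true;
}

/* Simplified chunk: 4-byte little-endian payload length, then payload.
 * The length is file-controlled, so it is validated against BUF_CAP
 * before any copy. Returns the payload length, or -1 on rejection. */
long parse_chunk_bytes(const uint8_t *bytes, size_t len)
{
    stream_t in = { bytes, len, 0 };
    uint8_t buf[BUF_CAP];
    uint8_t hdr[4];
    if (!read_bounded(&in, hdr, sizeof hdr, 0, sizeof hdr)) return -1;
    uint32_t declared = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                        (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (!read_bounded(&in, buf, BUF_CAP, 0, declared)) return -1;
    return (long)declared;
}
```

A payload whose declared length exceeds the buffer, or whose input ends early, is rejected before any byte is copied; the same check applied at offset 97 with 4 bytes fails, which is exactly the write the report shows.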
Comment 1 Michael Palimaka (kensington) gentoo-dev 2015-03-27 14:38:46 UTC
Is upstream even aware of this?
Comment 2 Agostino Sarubbo gentoo-dev 2015-03-27 16:02:53 UTC
(In reply to Michael Palimaka (kensington) from comment #1)
> Is upstream even aware of this?

As per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781123#11, the answer is no.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2015-03-27 16:03:51 UTC
I don't know what we're supposed to do about it then.
Comment 4 Hanno Böck gentoo-dev 2016-01-19 22:30:47 UTC
I think this is invalid.

The latest comments in the Debian bug say that this affects only video support, which is disabled by default, and upstream recommends disabling it because they know their video code is insecure.

The Gentoo ebuild doesn't enable video either and there is no USE flag for it, so I think everything's fine here. (Also, I tried and can't reproduce the bug.)
Comment 5 Johannes Huber (RETIRED) gentoo-dev 2016-03-11 10:59:40 UTC
(In reply to Hanno Boeck from comment #4)
> I think this is invalid.
> 
> The latest comments in the Debian bug say that this affects only video
> support, which is disabled by default, and upstream recommends disabling it
> because they know their video code is insecure.
> 
> The Gentoo ebuild doesn't enable video either and there is no USE flag for
> it, so I think everything's fine here. (Also, I tried and can't reproduce the
> bug.)

Removing kde from cc. Please add back when there is something to do.
Comment 6 Michael Boyle 2017-06-16 03:21:03 UTC
Has this become stable?

Mike Boyle
Gentoo Security Padawan
Comment 7 Andreas Sturmlechner gentoo-dev 2017-10-12 16:04:53 UTC
(In reply to Michael Boyle from comment #6)
> Has this become stable?

EXIV2_ENABLE_VIDEO is off by default and not enabled by our ebuilds either.
Comment 8 D'juan McDonald (domhnall) 2017-11-05 14:58:15 UTC
@maintainer(s), per comment 4 and comment 7, is it okay to close this bug?


Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 9 Andreas Sturmlechner gentoo-dev 2017-11-19 15:31:35 UTC
That's what my comment was implying, yes.