Multiple vulnerabilities have been found in Exiv2, a library and command line utility to read and write Exif, IPTC and XMP image metadata.

CVE-2018-10998
An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call.
Apparently denied as a security issue upstream, see https://github.com/Exiv2/exiv2/issues/303

CVE-2018-10999
An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read.
See https://github.com/Exiv2/exiv2/issues/306

CVE-2018-11531
Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp.
See https://github.com/Exiv2/exiv2/issues/283

CVE-2018-12264
Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp, leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp.
See https://github.com/Exiv2/exiv2/issues/366

CVE-2018-12265
Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in preview.cpp, leading to an out-of-bounds read in Exiv2::MemIo::read in basicio.cpp.
See https://github.com/Exiv2/exiv2/issues/365

The following is linked to Red Hat's bugzilla by Mitre, where the issue is marked NOTABUG, but I haven't been able to find any upstream reference, so it might be bogus. Documenting here for completeness.

CVE-2018-10780
Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer over-read.
See https://bugzilla.redhat.com/show_bug.cgi?id=1575201

--
Gentoo Security Scout
Vladimir Krstulja
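Two of the CVEs above (CVE-2018-12264, CVE-2018-12265) are integer overflows in preview-loader size arithmetic that end in out-of-bounds reads, and CVE-2018-10998 concerns a Safe::add call. The following added example is not Exiv2's code: the checked::add helper and the PreviewLocation struct are constructed stand-ins that show why a plain offset + size bounds check is bypassed by a wrapping descriptor while an overflow-checked addition rejects it.

```cpp
// Added example, not Exiv2 code. checked::add is modelled on the idea of an
// overflow-detecting adder (as Exiv2's Safe::add is), but is written here from scratch.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>

namespace checked {
// Returns a + b, or throws std::overflow_error if the sum would wrap.
inline std::uint32_t add(std::uint32_t a, std::uint32_t b) {
    if (b > std::numeric_limits<std::uint32_t>::max() - a)
        throw std::overflow_error("uint32_t addition overflow");
    return a + b;
}
}  // namespace checked

// Helper for tests: does checked::add reject this pair?
bool addThrows(std::uint32_t a, std::uint32_t b) {
    try { checked::add(a, b); return false; }
    catch (const std::overflow_error&) { return true; }
}

// Constructed stand-in for a preview descriptor parsed from untrusted
// metadata: offset and size of the embedded preview inside the file buffer.
struct PreviewLocation {
    std::uint32_t offset;
    std::uint32_t size;
};

// Naive bounds check: offset + size is evaluated in 32 bits and can wrap to a
// small value, so a crafted huge offset passes and a later copy reads past the buffer.
bool naiveInBounds(const PreviewLocation& p, std::size_t bufSize) {
    std::uint32_t end = p.offset + p.size;  // may wrap around
    return end <= bufSize;
}

// Hardened check: the end offset is computed with overflow detection, so a
// wrapping descriptor is rejected instead of passing the comparison.
bool checkedInBounds(const PreviewLocation& p, std::size_t bufSize) {
    try { return checked::add(p.offset, p.size) <= bufSize; }
    catch (const std::overflow_error&) { return false; }
}

// Constructed sample data: a 4 KiB buffer, one descriptor whose fields wrap
// (0xFFFFFF00 + 0x200 wraps to 0x100) and one that is genuinely in range.
const std::size_t kSampleBufSize = 4096;
const PreviewLocation kCraftedPreview = {0xFFFFFF00u, 0x200u};
const PreviewLocation kValidPreview = {0x100u, 0x200u};
```

The naive check accepts the crafted descriptor, the checked one rejects it, and both accept the valid descriptor.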
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f33aacc28aa4a62c2123dbbecfbdb911dd4ba470

commit f33aacc28aa4a62c2123dbbecfbdb911dd4ba470
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 20:45:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 20:53:50 +0000

    media-gfx/exiv2: Add 0.26_p20180811 snapshot

    Custom packed tarball based on upstream 0.26 branch as of 2018-08-11, fixing CVE-2018-12264, CVE-2018-12265, with downstream updated config.{guess,sub} and fixed CVE-2017-17723.

    Bug: https://bugs.gentoo.org/647812
    Bug: https://bugs.gentoo.org/658236
    Closes: https://bugs.gentoo.org/663870
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-gfx/exiv2/Manifest                    |   1 +
 media-gfx/exiv2/exiv2-0.26_p20180811.ebuild | 123 ++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
CVE-2018-10998 was closed notabug in https://github.com/Exiv2/exiv2/commit/f4e8ed2fd48d012467b99552f0d6378302a23c75, the commit adding the exception is in media-gfx/exiv2-0.26_p20180811.
CVE-2018-10780 was declared fixed in https://github.com/Exiv2/exiv2/issues/229, the relevant commit is part of media-gfx/exiv2-0.26_p20180811.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6355d89b9bd7b657c3ad5680f899b6de75de1a7

commit b6355d89b9bd7b657c3ad5680f899b6de75de1a7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-21 10:12:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-21 10:20:37 +0000

    media-gfx/exiv2: Tarball respun for CVE-2018-10999, CVE-2018-11531

    Custom packed tarball based on upstream 0.26 branch as of 2018-08-11, with additional fixes from git master.

    Bug: https://bugs.gentoo.org/658236
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-gfx/exiv2/Manifest                       |   1 +
 media-gfx/exiv2/exiv2-0.26_p20180811-r1.ebuild | 123 +++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
sparc done.
ia64 stable
amd64 stable
x86 stable
Stable on alpha.
ppc/ppc64 stable
arm stable, all arches done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c24aae658082194548daf5a845dc996fab7f9f0

commit 8c24aae658082194548daf5a845dc996fab7f9f0
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-29 10:06:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-29 10:14:24 +0000

    media-gfx/exiv2: Security cleanup

    Bug: https://bugs.gentoo.org/658236
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 media-gfx/exiv2/Manifest                           |   1 -
 media-gfx/exiv2/exiv2-0.26_p20180319.ebuild        | 136 ------
 .../exiv2-0.26_p20180319-CVE-2017-18005.patch      | 484 --------------------
 .../files/exiv2-0.26_p20180319-CVE-2018-4868.patch |  39 --
 .../files/exiv2-0.26_p20180319-clang-fix.patch     |  47 --
 5 files changed, 707 deletions(-)
Cleanup done, can we please make progress here (and in all depending bugs)?
KDE is done here, anyway...
Reclassifying B3 (should have been)

GLSA Vote: Yes

New GLSA Request filed.
This issue was resolved and addressed in GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14 by GLSA coordinator Aaron Bauman (b-man).