Bug 658236 (CVE-2018-10780, CVE-2018-10998, CVE-2018-10999, CVE-2018-11531, CVE-2018-12264, CVE-2018-12265) - <media-gfx/exiv2-0.26_p20180811-r1: Multiple vulnerabilities
Summary: <media-gfx/exiv2-0.26_p20180811-r1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-10780, CVE-2018-10998, CVE-2018-10999, CVE-2018-11531, CVE-2018-12264, CVE-2018-12265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.exiv2.org/
Whiteboard: B3 [glsa++ cve]
Keywords:
Depends on:
Blocks: CVE-2017-17724 CVE-2017-17723 CVE-2018-5772 CVE-2018-8976, CVE-2018-8977, CVE-2018-9145 CVE-2018-10958 CVE-2018-11037
Reported: 2018-06-16 15:15 UTC by Vlad K.
Modified: 2018-11-24 21:47 UTC

See Also:
Package list:
media-gfx/exiv2-0.26_p20180811-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Vlad K. 2018-06-16 15:15:22 UTC
Multiple vulnerabilities have been found in Exiv2, a library and command line
utility to read and write Exif, IPTC and XMP image metadata.

CVE-2018-10998
    An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows
    remote attackers to cause a denial of service (SIGABRT) by triggering an
    incorrect Safe::add call.

    Apparently denied as a security issue upstream, see
    https://github.com/Exiv2/exiv2/issues/303

CVE-2018-10999
    An issue was discovered in Exiv2 0.26. The
    Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer
    over-read.

    See https://github.com/Exiv2/exiv2/issues/306

CVE-2018-11531
    Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp.

    See https://github.com/Exiv2/exiv2/issues/283

CVE-2018-12264
    Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp,
    leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in
    value.hpp.

    See https://github.com/Exiv2/exiv2/issues/366

CVE-2018-12265
    Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in
    preview.cpp, leading to an out-of-bounds read in Exiv2::MemIo::read in
    basicio.cpp.

    See https://github.com/Exiv2/exiv2/issues/365



The following is linked to Red Hat's bugzilla by Mitre, where the issue is
marked NOTABUG, but I haven't been able to find any upstream reference, so it
might be bogus. Documenting here for completeness.

CVE-2018-10780
    Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer
    over-read.

    See https://bugzilla.redhat.com/show_bug.cgi?id=1575201

--

Gentoo Security Scout
Vladimir Krstulja
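The two bug classes listed in the description, an integer overflow in a size computation that lets an out-of-bounds read pass a length check (CVE-2018-12264, CVE-2018-12265) and an overflow-check exception that escapes uncaught and aborts the process (CVE-2018-10998), are illustrated below with a constructed C++ example. This is added illustration, not Exiv2 code: `checkedAdd`, `naiveRangeFits`, `rangeFits`, `loadPreview` and `LoadStatus` are hypothetical names; `checkedAdd` only stands in for the idea of a throwing Safe::add-style helper.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical overflow-checked addition (not Exiv2's Safe::add): throws
// instead of silently wrapping around.
template <typename T>
T checkedAdd(T a, T b) {
    if (b > std::numeric_limits<T>::max() - a)
        throw std::overflow_error("integer overflow in size computation");
    return a + b;
}

// The weak form of a "does [offset, offset+size) lie inside the buffer" test:
// offset + size is computed in uint32_t and can wrap to a small value that
// passes the comparison, so a later read runs past the end of the buffer.
bool naiveRangeFits(uint32_t offset, uint32_t size, size_t bufLen) {
    return offset + size <= bufLen;   // wraps on overflow
}

// Hardened form: the end offset is computed with a checked add, so a
// wrapping offset/size pair is rejected before any comparison happens.
bool rangeFits(uint32_t offset, uint32_t size, size_t bufLen) {
    uint32_t end = checkedAdd(offset, size);   // throws on wrap
    return end <= bufLen;
}

enum class LoadStatus { Ok, OutOfRange, Overflow };

// Library entry point for a constructed preview loader. The overflow
// exception is converted into an error status here: if it escaped to a
// caller that does not expect it, std::terminate would raise SIGABRT and a
// malformed file would crash the whole process (the denial of service
// described for CVE-2018-10998).
LoadStatus loadPreview(const std::vector<uint8_t>& file,
                       uint32_t offset, uint32_t size) {
    try {
        if (!rangeFits(offset, size, file.size()))
            return LoadStatus::OutOfRange;
    } catch (const std::overflow_error&) {
        return LoadStatus::Overflow;
    }
    // A real loader would copy file[offset, offset+size) here.
    return LoadStatus::Ok;
}
```

The third assertion in the test below is the instructive case: with offset 0xFFFFFFF0 and size 0x20, `naiveRangeFits` wraps to 16 and accepts a range far outside a 64-byte buffer, while `loadPreview` reports `Overflow` instead of aborting.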
Comment 1 Larry the Git Cow gentoo-dev 2018-09-18 20:54:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f33aacc28aa4a62c2123dbbecfbdb911dd4ba470

commit f33aacc28aa4a62c2123dbbecfbdb911dd4ba470
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 20:45:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 20:53:50 +0000

    media-gfx/exiv2: Add 0.26_p20180811 snapshot
    
    Custom packed tarball based on upstream 0.26 branch as of 2018-08-11,
    fixing CVE-2018-12264, CVE-2018-12265,
    with downstream updated config.{guess,sub} and fixed CVE-2017-17723.
    
    Bug: https://bugs.gentoo.org/647812
    Bug: https://bugs.gentoo.org/658236
    Closes: https://bugs.gentoo.org/663870
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-gfx/exiv2/Manifest                    |   1 +
 media-gfx/exiv2/exiv2-0.26_p20180811.ebuild | 123 ++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-21 07:48:05 UTC
CVE-2018-10998 was closed notabug in https://github.com/Exiv2/exiv2/commit/f4e8ed2fd48d012467b99552f0d6378302a23c75, the commit adding the exception is in media-gfx/exiv2-0.26_p20180811.
Comment 3 Andreas Sturmlechner gentoo-dev 2018-09-21 08:13:23 UTC
CVE-2018-10780 was declared fixed in https://github.com/Exiv2/exiv2/issues/229, the relevant commit is part of media-gfx/exiv2-0.26_p20180811.
Comment 4 Larry the Git Cow gentoo-dev 2018-09-21 10:20:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6355d89b9bd7b657c3ad5680f899b6de75de1a7

commit b6355d89b9bd7b657c3ad5680f899b6de75de1a7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-21 10:12:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-21 10:20:37 +0000

    media-gfx/exiv2: Tarball respun for CVE-2018-10999, CVE-2018-11531
    
    Custom packed tarball based on upstream 0.26 branch as of 2018-08-11,
    with additional fixes from git master.
    
    Bug: https://bugs.gentoo.org/658236
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-gfx/exiv2/Manifest                       |   1 +
 media-gfx/exiv2/exiv2-0.26_p20180811-r1.ebuild | 123 +++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
Comment 5 Rolf Eike Beer archtester 2018-09-22 07:01:43 UTC
sparc done.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-22 11:47:11 UTC
ia64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-09-23 15:32:22 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-24 01:51:26 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-02 14:03:14 UTC
Stable on alpha.
Comment 10 Matt Turner gentoo-dev 2018-10-06 16:16:30 UTC
ppc/ppc64 stable
Comment 11 Markus Meier gentoo-dev 2018-10-29 05:38:40 UTC
arm stable, all arches done.
Comment 12 Larry the Git Cow gentoo-dev 2018-10-29 10:14:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c24aae658082194548daf5a845dc996fab7f9f0

commit 8c24aae658082194548daf5a845dc996fab7f9f0
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-29 10:06:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-29 10:14:24 +0000

    media-gfx/exiv2: Security cleanup
    
    Bug: https://bugs.gentoo.org/658236
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 media-gfx/exiv2/Manifest                           |   1 -
 media-gfx/exiv2/exiv2-0.26_p20180319.ebuild        | 136 ------
 .../exiv2-0.26_p20180319-CVE-2017-18005.patch      | 484 ---------------------
 .../files/exiv2-0.26_p20180319-CVE-2018-4868.patch |  39 --
 .../files/exiv2-0.26_p20180319-clang-fix.patch     |  47 --
 5 files changed, 707 deletions(-)
Comment 13 Andreas Sturmlechner gentoo-dev 2018-10-29 18:25:06 UTC
Cleanup done, can we please make progress here (and in all depending bugs)?
Comment 14 Andreas Sturmlechner gentoo-dev 2018-11-11 00:24:03 UTC
KDE is done here, anyway...
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2018-11-13 06:43:35 UTC
Reclassifying B3 (should have been)

GLSA Vote: Yes
New GLSA Request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:46:18 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 21:47:21 UTC
This issue was resolved and addressed in
 GLSA 201811-14 at https://security.gentoo.org/glsa/201811-14
by GLSA coordinator Aaron Bauman (b-man).