Bug 878493 (CVE-2022-3717, CVE-2022-3718, CVE-2022-3719, CVE-2022-3755, CVE-2022-3756, CVE-2022-3757, CVE-2022-3953) - media-gfx/exiv2: multiple vulnerabilities
Summary: media-gfx/exiv2: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2022-3717, CVE-2022-3718, CVE-2022-3719, CVE-2022-3755, CVE-2022-3756, CVE-2022-3757, CVE-2022-3953
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [ebuild]
Keywords:
Depends on:
Blocks:
Reported: 2022-10-28 02:25 UTC by John Helmert III
Modified: 2022-11-14 16:30 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-28 02:25:04 UTC
CVE-2022-3717:

A vulnerability, which was classified as critical, has been found in Exiv2. Affected by this issue is the function BmffImage::boxHandler of the file bmffimage.cpp. The manipulation leads to memory corruption. The attack may be launched remotely. The name of the patch is a58e52ed702d3bc7b8bab7ec1d70a4849eebece3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212348.

Patch: https://github.com/Exiv2/exiv2/commit/a58e52ed702d3bc7b8bab7ec1d70a4849eebece3

CVE-2022-3718 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52053):

A vulnerability, which was classified as problematic, was found in Exiv2. This affects the function QuickTimeVideo::decodeBlock of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The name of the patch is 459910c36a21369c09b75bcfa82f287c9da56abf. It is recommended to apply a patch to fix this issue. The identifier VDB-212349 was assigned to this vulnerability.

Patch: https://github.com/Exiv2/exiv2/commit/459910c36a21369c09b75bcfa82f287c9da56abf

CVE-2022-3719 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51707):

A vulnerability has been found in Exiv2 and classified as critical. This vulnerability affects the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The name of the patch is a38e124076138e529774d5ec9890d0731058115a. It is recommended to apply a patch to fix this issue. VDB-212350 is the identifier assigned to this vulnerability.

Patch: https://github.com/Exiv2/exiv2/commit/a38e124076138e529774d5ec9890d0731058115a
Comment 1 Andreas Sturmlechner gentoo-dev 2022-10-28 15:50:49 UTC
I'm afraid these patches won't apply easily against 0.27.5; the source has changed significantly, and even grepping for single context words in the patch for CVE-2022-3717 does not bring up anything remotely similar.
Comment 2 Tee KOBAYASHI 2022-10-28 17:05:41 UTC
CVE-2022-3717 does NOT seem to affect Exiv2 version 0.27.5; see https://bugzilla.suse.com/show_bug.cgi?id=1204818.

CVE-2022-3719 DOES seem to affect 0.27.5 though (I personally wrote a backporting patch). I have not investigated CVE-2022-3718 yet.
Comment 3 Tee KOBAYASHI 2022-10-28 17:26:54 UTC
CVE-2022-3718 and CVE-2022-3719 seem to be irrelevant to us as well; src/quicktimevideo.cpp is compiled only when configured with -DEXIV2_ENABLE_VIDEO=ON, which we do not specify.
Comment 4 Andreas Sturmlechner gentoo-dev 2022-10-28 18:02:46 UTC
Thanks for looking into it!

Indeed, EXIV2_ENABLE_VIDEO is default off and not changed by our ebuild.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-30 01:24:44 UTC
CVE-2022-3755 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52382):
https://vuldb.com/?id.212495

A vulnerability was found in Exiv2 and classified as problematic. This issue affects the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The name of the patch is 6bb956ad808590ce2321b9ddf6772974da27c4ca. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212495.

Patch: https://github.com/Exiv2/exiv2/commit/6bb956ad808590ce2321b9ddf6772974da27c4ca

CVE-2022-3756:
https://vuldb.com/?id.212496

A vulnerability was found in Exiv2. It has been classified as critical. Affected is the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to integer overflow. It is possible to launch the attack remotely. The name of the patch is bf4f28b727bdedbd7c88179c30d360e54568a62e. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212496.

Patch: https://github.com/Exiv2/exiv2/commit/bf4f28b727bdedbd7c88179c30d360e54568a62e

CVE-2022-3757 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50901):
https://vuldb.com/?id.212497

A vulnerability was found in Exiv2. It has been declared as critical. Affected by this vulnerability is the function QuickTimeVideo::decodeBlock of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to buffer overflow. The attack can be launched remotely. The name of the patch is d3651fdbd352cbaf259f89abf7557da343339378. It is recommended to apply a patch to fix this issue. The identifier VDB-212497 was assigned to this vulnerability.

Patch: https://github.com/Exiv2/exiv2/commit/d3651fdbd352cbaf259f89abf7557da343339378
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 05:20:24 UTC
CVE-2022-3953 (https://github.com/Exiv2/exiv2/pull/2394):

A vulnerability was found in Exiv2. It has been classified as problematic. This affects the function QuickTimeVideo::multipleEntriesDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to infinite loop. It is possible to initiate the attack remotely. The name of the patch is 771ead87321ae6e39e5c9f6f0855c58cde6648f1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213459.

Patch: https://github.com/Exiv2/exiv2/commit/771ead87321ae6e39e5c9f6f0855c58cde6648f1
Comment 7 Andreas Sturmlechner gentoo-dev 2022-11-14 09:46:48 UTC
Again, none relevant to us.

(In reply to Andreas Sturmlechner from comment #4)
> Indeed, EXIV2_ENABLE_VIDEO is default off and not changed by our ebuild.
src/CMakeLists.txt has:
> if( EXIV2_ENABLE_VIDEO )
>     target_sources(exiv2lib PRIVATE
>         asfvideo.cpp            ../include/exiv2/asfvideo.hpp
>         matroskavideo.cpp       ../include/exiv2/matroskavideo.hpp
>         quicktimevideo.cpp      ../include/exiv2/quicktimevideo.hpp
>         riffvideo.cpp           ../include/exiv2/riffvideo.hpp
>         utilsvideo.cpp          ../include/exiv2/utilsvideo.hpp
>     )
> endif()