
Debian Bug report logs - #781123
libexiv2-13: buffer overflow in RIFF video parser


Package: libexiv2-13; Maintainer for libexiv2-13 is (unknown);

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Tue, 24 Mar 2015 20:48:01 UTC

Severity: normal

Tags: security

Found in version exiv2/0.24-4.1

Fixed in version 0.25-1

Done: Jakub Wilk <jwilk@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://dev.exiv2.org/issues/1104



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#781123; Package libexiv2-13. (Tue, 24 Mar 2015 20:48:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libexiv2-13: buffer overflow in RIFF video parser
Date: Tue, 24 Mar 2015 21:45:04 +0100
[Message part 1 (text/plain, inline)]
Package: libexiv2-13
Version: 0.24-4.1
Tags: security
Usertags: afl

Exiv2 crashes on the attached file:

$ exiv2 pr crash.riff
*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
Aborted


Valgrind says it's a buffer overflow:

==5509== Invalid write of size 4
==5509==    at 0x452BD6C: __GI_mempcpy (mempcpy.S:54)
==5509==    by 0x451E307: _IO_file_xsgetn (fileops.c:1388)
==5509==    by 0x45200B7: _IO_sgetn (genops.c:495)
==5509==    by 0x4513998: fread (iofread.c:42)
==5509==    by 0x40AF816: fread (stdio2.h:295)
==5509==    by 0x40AF816: Exiv2::FileIo::read(unsigned char*, long) (basicio.cpp:941)
==5509==    by 0x415B513: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:695)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)
==5509==  Address 0x46b6081 is 97 bytes inside a block of size 100 alloc'd
==5509==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==5509==    by 0x415B4F9: DataBuf (types.hpp:199)
==5509==    by 0x415B4F9: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:694)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libexiv2-13:i386 depends on:
ii  libc6              2.19-17
ii  libexpat1          2.1.0-6+b3
ii  libgcc1            1:5-20150321-1
ii  libstdc++6         5-20150321-1
ii  multiarch-support  2.19-17
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages libexiv2-13:i386 suggests:
ii  exiv2  0.24-4.1

-- 
Jakub Wilk
[crash.riff (video/riff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#781123; Package libexiv2-13. (Wed, 25 Mar 2015 14:18:04 GMT)


Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Wed, 25 Mar 2015 14:18:04 GMT)


Message #8 received at 781123@bugs.debian.org:

From: Vasyl Kaigorodov <vkaigoro@redhat.com>
To: 781123@bugs.debian.org
Subject: Looks similar to upstream bug #960
Date: Wed, 25 Mar 2015 15:14:35 +0100
[Message part 1 (text/plain, inline)]
Just my 2c here - quickly looking at Valgrind backtrace, and the code -
looks like the issue is that with attached crafted .riff file RiffVideo::tagDecoder() gets "unsigned long" as
its 2nd argument, which is then passed further to RiffVideo::dateTimeOriginal() as "long".
I'm not a CPP guru, but other functions there might suffer from the same issue:

junkHandler
aviHeaderTagsHandler
streamHandler
streamDataTagHandler

Jakub, did you report this upstream already?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
[Message part 2 (application/pgp-signature, inline)]
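An added example (not code from exiv2 or from this bug thread) of the pattern Vasyl describes and of the check a defender would want: the declared chunk size stays unsigned and is bounded against both the bytes actually present and the destination capacity before anything is read. `naiveSizeCheckPasses` models the narrowing to a 32-bit signed value, which is what `long` is on the reporter's i386 build, using `int32_t` so the behaviour does not depend on the host; the chunk layout, the IDIT FourCC and the sample bytes are constructed for illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// A RIFF chunk is a 4-byte FourCC followed by a little-endian uint32 size
// and then `size` bytes of payload.
struct Chunk {
    std::string id;
    uint32_t size = 0;
    std::vector<uint8_t> payload;
};

// Models the unsafe pattern from the thread: the size from the file is
// narrowed to a 32-bit signed value (what `long` is on i386), so a large
// size reads as negative and slips past a "size <= capacity" test.
bool naiveSizeCheckPasses(uint32_t declared, size_t capacity) {
    int32_t asSigned = static_cast<int32_t>(declared);   // 0xFFFFFFF0 -> -16
    return asSigned <= static_cast<int32_t>(capacity);
}

// Hardened reader: the size stays unsigned and is checked against both the
// input that is really there and the destination capacity. Returns false
// instead of reading past either bound.
bool readChunk(const std::vector<uint8_t>& in, size_t offset,
               size_t capacity, Chunk& out) {
    if (offset > in.size() || in.size() - offset < 8) return false;  // header incomplete
    out.id.assign(reinterpret_cast<const char*>(&in[offset]), 4);
    uint32_t size = static_cast<uint32_t>(in[offset + 4])
                  | static_cast<uint32_t>(in[offset + 5]) << 8
                  | static_cast<uint32_t>(in[offset + 6]) << 16
                  | static_cast<uint32_t>(in[offset + 7]) << 24;
    size_t avail = in.size() - offset - 8;
    if (size > capacity || size > avail) return false;  // declared size is untrusted
    out.size = size;
    out.payload.assign(in.begin() + offset + 8, in.begin() + offset + 8 + size);
    return true;
}

// Constructed samples: a well-formed 4-byte "IDIT" chunk, and one whose
// size field claims 0xFFFFFFF0 bytes while only one byte follows.
std::vector<uint8_t> goodChunk() { return {'I', 'D', 'I', 'T', 4, 0, 0, 0, '2', '0', '1', '5'}; }
std::vector<uint8_t> badChunk()  { return {'I', 'D', 'I', 'T', 0xF0, 0xFF, 0xFF, 0xFF, 'x'}; }
```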

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#781123; Package libexiv2-13. (Fri, 27 Mar 2015 13:45:05 GMT)


Message #11 received at 781123@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Vasyl Kaigorodov <vkaigoro@redhat.com>, 781123@bugs.debian.org
Subject: Re: Bug#781123: Looks similar to upstream bug #960
Date: Fri, 27 Mar 2015 14:43:08 +0100
Hi Vasyl!

* Vasyl Kaigorodov <vkaigoro@redhat.com>, 2015-03-25, 15:14:
>Jakub, did you report this upstream already?

No, I didn't, sorry.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#781123; Package libexiv2-13. (Mon, 10 Aug 2015 11:33:06 GMT)


Message #14 received at 781123@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 781123@bugs.debian.org
Subject: Re: Bug#781123: libexiv2-13: buffer overflow in RIFF video parser
Date: Mon, 10 Aug 2015 13:29:50 +0200
* Jakub Wilk <jwilk@debian.org>, 2015-03-24, 21:45:
>Exiv2 crashes on the attached file:
>
>$ exiv2 pr crash.riff
>*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
>Aborted

I can't reproduce it with exiv2_0.25-2:

$ exiv2 pr crash.riff
Exiv2 exception in print action for file crash.riff:
crash.riff: The file contains data of an unknown image type

But that may be only because video support was (accidentally?) disabled. 
From the build log:

checking whether to compile with video support... no

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#781123; Package libexiv2-13. (Mon, 10 Aug 2015 12:48:03 GMT)


Message #17 received at 781123@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 781123@bugs.debian.org
Cc: Vasyl Kaigorodov <vkaigoro@redhat.com>
Subject: Re: Bug#781123: Looks similar to upstream bug #960
Date: Mon, 10 Aug 2015 14:46:34 +0200
Control: forwarded -1 https://dev.exiv2.org/issues/1104

* Vasyl Kaigorodov <vkaigoro@redhat.com>, 2015-03-25, 15:14:
>Jakub, did you report this upstream already?

Now I did. :)

-- 
Jakub Wilk



Set Bug forwarded-to-address to 'https://dev.exiv2.org/issues/1104'. Request was from Jakub Wilk <jwilk@debian.org> to 781123-submit@bugs.debian.org. (Mon, 10 Aug 2015 12:48:04 GMT)


Reply sent to Jakub Wilk <jwilk@debian.org>:
You have taken responsibility. (Mon, 24 Aug 2015 13:45:23 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 24 Aug 2015 13:45:23 GMT)


Message #24 received at 781123-done@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 781123-done@bugs.debian.org
Subject: Re: Bug#781123: libexiv2-13: buffer overflow in RIFF video parser
Date: Mon, 24 Aug 2015 15:43:25 +0200
Version: 0.25-1

* Jakub Wilk <jwilk@debian.org>, 2015-08-10, 13:29:
>I can't reproduce it with exiv2_0.25-2:
>
>$ exiv2 pr crash.riff
>Exiv2 exception in print action for file crash.riff:
>crash.riff: The file contains data of an unknown image type
>
>But that may be only because video support was (accidentally?) 
>disabled. From the build log:
>
>checking whether to compile with video support... no

Upstream says that video support is disabled by default for security 
reasons, so Debian probably shouldn't re-enable it.

Let's close the bug.

-- 
Jakub Wilk



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Sep 2015 07:27:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 26 07:17:15 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.