Your message dated Fri, 09 Jan 2015 21:20:33 +0000
with message-id <e1y9gyv-0005w1...@franck.debian.org>
and subject line Bug#773846: fixed in exiv2 0.24-4.1
has caused the Debian Bug report #773846,
regarding exiv2: CVE-2014-9449: buffer overflow in RiffVideo::infoTagsHandler
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773846: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773846
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exiv2
Version: 0.24-4.1
Severity: grave
Tags: security patch

There is a buffer overflow condition with some AVI files. I am not fully
sure, but maybe it could be used for code execution.

However, the bug is fixed upstream. See also report [0].

I extracted and tested the patch from upstream and added it to this
report.

This bug also affects many other packages that use libexiv2, namely
geeqie and digikam.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (800, 'unstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.5 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages exiv2 depends on:
ii  libc6        2.19-13
ii  libexiv2-13  0.24-4.1
ii  libgcc1      1:4.9.2-9
ii  libstdc++6   4.9.2-9

exiv2 recommends no packages.

exiv2 suggests no packages.

-- no debconf information

[0] http://dev.exiv2.org/issues/1002
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <kl...@ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
From ed36a4692058f745a06d87bdaf107bc43c7d2359 Mon Sep 17 00:00:00 2001
From: badola <badola@b7c8b350-86e7-0310-a4b4-de8f6a8f16a3>
Date: Thu, 19 Jun 2014 20:28:44 +0000
Subject: [PATCH] #960: Added a Buffer Overflow Fix in INFO tags of
 RIFFVIDEO.CPP

git-svn-id: svn://dev.exiv2.org/svn/trunk@3264 b7c8b350-86e7-0310-a4b4-de8f6a8f16a3
---
 src/riffvideo.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/riffvideo.cpp b/src/riffvideo.cpp
index 4545bc3..0dcd291 100644
--- a/src/riffvideo.cpp
+++ b/src/riffvideo.cpp
@@ -856,7 +856,7 @@ namespace Exiv2 {
 
     void RiffVideo::infoTagsHandler()
     {
-        const long bufMinSize = 100;
+        const long bufMinSize = 10000;
         DataBuf buf(bufMinSize);
         buf.pData_[4] = '\0';
         io_->seek(-12, BasicIo::cur);
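Review bot: The new value in `const long bufMinSize = 10000;` is an undocumented magic number, and the buffer it sizes is still fixed: nothing in these lines derives the allocation from the size of the INFO entry being parsed. Suggest either sizing `buf` from the entry length once it is known, or keeping the constant and rejecting entries that do not fit, and adding a comment explaining why 10000 was chosen and which limit it is meant to cover.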
@@ -879,10 +879,14 @@ namespace Exiv2 {
             if(infoSize >= 0) {
                 size -= infoSize;
                 io_->read(buf.pData_, infoSize);
+                if(infoSize < 4)
+                    buf.pData_[infoSize] = '\0';
             }
 
             if(tv)
                 xmpData_[exvGettext(tv->label_)] = buf.pData_;
+            else
+                continue;
         }
         io_->seek(cur_pos + size_external, BasicIo::beg);
     } // RiffVideo::infoTagsHandler
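Review bot: `io_->read(buf.pData_, infoSize);` is still guarded only by `if(infoSize >= 0)`; the visible lines contain no upper bound comparing `infoSize` with the size of `buf`, so the read length remains controlled by the file. Suggest rejecting or clamping `infoSize` against the buffer size (leaving room for the terminator) before the read. Two smaller points: the added terminator is written only when `infoSize < 4`, so for longer entries `xmpData_[...] = buf.pData_;` relies on whatever byte follows the data; writing `buf.pData_[infoSize] = '\0';` unconditionally after a bounded read would cover both cases. The added `else continue;` is the last statement before the closing brace shown here, so as written it has no effect and could be dropped or documented.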
-- 
2.1.4

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Source: exiv2
Source-Version: 0.24-4.1

We believe that the bug you reported is fixed in the latest version of
exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Jan 2015 20:25:48 +0100
Source: exiv2
Binary: exiv2 libexiv2-13 libexiv2-dev libexiv2-doc libexiv2-dbg
Architecture: source amd64 all
Version: 0.24-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-ext...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 exiv2      - EXIF/IPTC metadata manipulation tool
 libexiv2-13 - EXIF/IPTC metadata manipulation library
 libexiv2-dbg - EXIF/IPTC metadata manipulation library - debug
 libexiv2-dev - EXIF/IPTC metadata manipulation library - development files
 libexiv2-doc - EXIF/IPTC metadata manipulation library - HTML documentation
Closes: 773846
Changes:
 exiv2 (0.24-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2014-9449.patch patch.
     CVE-2014-9449: buffer overflow in RiffVideo::infoTagsHandler
     Thanks to Klaus Ethgen <kl...@ethgen.de> (Closes: #773846)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
