Your message dated Mon, 24 Aug 2015 15:43:25 +0200
with message-id <20150824134325.ga5...@jwilk.net>
and subject line Re: Bug#781123: libexiv2-13: buffer overflow in RIFF video parser
has caused the Debian Bug report #781123,
regarding libexiv2-13: buffer overflow in RIFF video parser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
781123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libexiv2-13
Version: 0.24-4.1
Tags: security
Usertags: afl

Exiv2 crashes on the attached file:

$ exiv2 pr crash.riff
*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
Aborted


Valgrind says it's a buffer overflow:

==5509== Invalid write of size 4
==5509==    at 0x452BD6C: __GI_mempcpy (mempcpy.S:54)
==5509==    by 0x451E307: _IO_file_xsgetn (fileops.c:1388)
==5509==    by 0x45200B7: _IO_sgetn (genops.c:495)
==5509==    by 0x4513998: fread (iofread.c:42)
==5509==    by 0x40AF816: fread (stdio2.h:295)
==5509==    by 0x40AF816: Exiv2::FileIo::read(unsigned char*, long) (basicio.cpp:941)
==5509==    by 0x415B513: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:695)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)
==5509==  Address 0x46b6081 is 97 bytes inside a block of size 100 alloc'd
==5509==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==5509==    by 0x415B4F9: DataBuf (types.hpp:199)
==5509==    by 0x415B4F9: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:694)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libexiv2-13:i386 depends on:
ii  libc6              2.19-17
ii  libexpat1          2.1.0-6+b3
ii  libgcc1            1:5-20150321-1
ii  libstdc++6         5-20150321-1
ii  multiarch-support  2.19-17
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages libexiv2-13:i386 suggests:
ii  exiv2  0.24-4.1

--
Jakub Wilk

Attachment: crash.riff
Description: video/riff


--- End Message ---
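The trace in the report above shows a 100-byte DataBuf allocated at riffvideo.cpp:694 and then filled by FileIo::read at riffvideo.cpp:695 with a length that evidently came from the file itself; the write landed 97 bytes into the 100-byte block with a 4-byte store, i.e. just past the end. The following is an added example, not Exiv2's code and not the reporter's: a hypothetical RIFF-style chunk reader that models that pattern (fixed buffer, chunk-header length trusted) beside a hardened read that checks the declared size against both the destination buffer and the bytes actually present in the stream. All names (Chunk, parseChunkHeader, overrunIfLengthTrusted, readChunkPayload, makeChunk, kBufSize) are assumptions for illustration, and the sample chunks are constructed inline rather than taken from crash.riff.

```cpp
// Added example (not Exiv2's code): a file-supplied chunk length driving a
// read into a fixed-size buffer, and the bounds check that rejects it.
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for the report's fixed DataBuf: 100 bytes, as in the valgrind trace.
static const size_t kBufSize = 100;

// Hypothetical chunk header: 4-byte FourCC, 4-byte little-endian size, payload.
struct Chunk {
    std::string id;          // FourCC, e.g. "IDIT"
    uint32_t declaredSize;   // size field as stored in the file (untrusted)
    size_t payloadOffset;    // where the payload begins in the stream
};

static uint32_t le32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Parse the 8-byte header at 'off'. Returns false if the header is truncated.
bool parseChunkHeader(const std::vector<uint8_t>& data, size_t off, Chunk& out) {
    if (off > data.size() || data.size() - off < 8) return false;
    out.id.assign(reinterpret_cast<const char*>(&data[off]), 4);
    out.declaredSize = le32(&data[off + 4]);
    out.payloadOffset = off + 8;
    return true;
}

// The vulnerable pattern: allocate a fixed buffer, then read(buf, size) with
// 'size' taken straight from the header. Rather than performing the
// out-of-bounds write, this returns how many bytes past the end of a buffer
// of 'bufSize' such a read would write (0 means the length happened to fit).
size_t overrunIfLengthTrusted(const Chunk& c, size_t bufSize) {
    return c.declaredSize > bufSize ? c.declaredSize - bufSize : 0;
}

// Hardened read: the declared size must fit the destination and the stream
// must actually hold that many payload bytes. Returns bytes copied, or -1
// when the chunk is rejected.
long readChunkPayload(const std::vector<uint8_t>& data, const Chunk& c,
                      uint8_t* buf, size_t bufSize) {
    if (c.declaredSize > bufSize) return -1;                        // would overflow buf
    if (c.payloadOffset > data.size() ||
        data.size() - c.payloadOffset < c.declaredSize) return -1;  // truncated file
    std::memcpy(buf, &data[c.payloadOffset], c.declaredSize);
    return static_cast<long>(c.declaredSize);
}

// Constructed sample input: FourCC 'id', a declared size, and 'present'
// payload bytes actually appended (deliberately allowed to differ).
std::vector<uint8_t> makeChunk(const char* id, uint32_t declaredSize, size_t present) {
    std::vector<uint8_t> v(id, id + 4);
    for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(declaredSize >> (8 * i)));
    for (size_t i = 0; i < present; ++i) v.push_back(static_cast<uint8_t>('A' + (i % 26)));
    return v;
}

// Convenience: parse and hardened-read the first chunk of 'data'.
long readFirstChunk(const std::vector<uint8_t>& data, uint8_t* buf, size_t bufSize) {
    Chunk c;
    if (!parseChunkHeader(data, 0, c)) return -1;
    return readChunkPayload(data, c, buf, bufSize);
}

int main() {
    uint8_t buf[kBufSize];
    // Benign chunk: a 24-byte payload fits the 100-byte buffer.
    std::vector<uint8_t> ok = makeChunk("IDIT", 24, 24);
    long n = readFirstChunk(ok, buf, kBufSize);            // 24
    // Crafted chunk: declares 104 bytes, as a mutated size field might.
    std::vector<uint8_t> bad = makeChunk("IDIT", 104, 104);
    Chunk c;
    parseChunkHeader(bad, 0, c);
    size_t over = overrunIfLengthTrusted(c, kBufSize);     // 4 bytes past the end
    long m = readFirstChunk(bad, buf, kBufSize);           // -1, rejected
    return (n == 24 && over == 4 && m == -1) ? 0 : 1;
}
```

The second check in readChunkPayload matters as much as the first: a size that fits the buffer but exceeds the remaining file length is how a short read turns into uninitialised or stale data being parsed as metadata, which is the other common fuzzer finding in this kind of code.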
--- Begin Message ---
Version: 0.25-1

* Jakub Wilk <jw...@debian.org>, 2015-08-10, 13:29:
I can't reproduce it with exiv2_0.25-2:

$ exiv2 pr crash.riff
Exiv2 exception in print action for file crash.riff:
crash.riff: The file contains data of an unknown image type

But that may be only because video support was (accidentally?) disabled. From the build log:

checking whether to compile with video support... no

Upstream says that video support is disabled by default for security reasons, so Debian probably shouldn't re-enable it.

Let's close the bug.

--
Jakub Wilk

--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
