heap-buffer-overflow Read in Exiv2::Internal::CrwMap::encode #1530
Comments
What is your plan here? This is the third similar CVE in three days. Exiv2 v0.27.4 is scheduled to ship on 2021-05-22. Are you planning to continuously bombard us with CVEs for weeks and months? Is it possible to have a Zoom meeting to discuss your intention and how we can cooperate?
@clanmills Thanks for your hard work to make exiv2 better. I indeed have several other exiv2 security bugs, but I don't submit all the bugs at the same time. I can't agree with the strong word bombard. Security testing for exiv2 also takes a lot of time; if you guys don't like to see these kinds of bugs, feel free to them, I will never submit them again. I don't know if there is a deadline for the exiv2 release schedule, sorry for the inconvenience.
Thank You @henices for the courtesy of your reply. And thank you for opening issues on GitHub about these matters. That's very helpful. The sooner Team Exiv2 knows about these matters, the sooner they can be fixed. Team Exiv2 agrees that knowing about those issues and fixing them is better than having them in the code and unknown to us. The Exiv2 development plan is to create a new branch called 'main' and to release Exiv2 v1.00 from that branch on 2021-12-15. We would like to ask you to focus your attention on 'main'. We will fix the issues you have opened on 0.27-maintenance and ship that as v0.27.4 on/before 2021-05-22. If we ever make another release from the 0.27-maintenance branch, we will back-port security fixes from 'main'. I appreciate the effort that you and your co-workers are putting into the important matter of security. I apologise for saying 'bombardment'. My hope this week was to finish my 13 years of working on Exiv2. I was distressed to see those CVEs arrive on the day on which I intended to retire!
I am unable to reproduce this. I tested it on Ubuntu 20.04, using the latest version of 0-27-maintenance (commit 05ec05342e17dc94670db1818447c06d0da8f41a). These are the exact steps that I tried:
I do not see any ASAN failures.
Oh, I see. I missed the
@kevinbackhouse I also missed that on #1529 (comment). I reproduced #1529 as follows:
.../foo $ ls -l
total 88
-rw-r--r--@ 1 rmills staff 40609 8 Apr 08:01 tests_83a94b3337206caa6803f625eb63db061395cf14
-rw-r--r--@ 1 rmills staff 9 8 Apr 08:09 tests_83a94b3337206caa6803f625eb63db061395cf14.exv
.../foo $ exiv2 in tests_83a94b3337206caa6803f625eb63db061395cf14
=================================================================
==52084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b7 at pc 0x00010525f7f4 bp 0x7ffeeab2ed10 sp 0x7ffeeab2ed08
WRITE of size 8 at 0x6020000001b7 thread T0
#0 0x10525f7f3 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&)+0x2143 (libexiv2.0.27.4.2.dylib:x86_64+0xf27f3)
I believe similar medicine is needed for this issue. The 'in' command is 'insert'. It reads metadata from tests_xxxxx.exv and updates tests_xxxxx.
@clanmills: when I have fuzzed exiv2 in the past, I did not try any of these extra command line options. So my testing probably didn't hit any of these "encode" methods. So it seems quite plausible that there are several more of these bugs lurking there. From a security perspective, these command line arguments seem much less interesting to me than vanilla exiv2. I can imagine somebody downloading an untrusted image off the internet and using exiv2 to look at its metadata. I have a much harder time imagining somebody downloading a pair of untrusted files like this and running
I would still suggest to change the type of 'size' from uint32_t to size_t.
As always, Kevin, you are saying smart things. I also missed the unusual/obscure 'in' command. You will be aware that I was in a state of distress yesterday about those CVEs. However, I've had a nice conversation with @henices. The security folks in China are on our side. Their work will make Exiv2 stronger. My brain isn't up to thinking about the merits of size_t and uint32_t. I believe the CRW format is 32 bit, so either will work. I would change the one that minimises casts.
@pydera: I think
@kevinbackhouse as far as I can see DataBuf.size() returns 'long' (int64_t on LP64). I did not look deeper into this, but was afraid that it might be possible to handcraft files where a size of >uint32_t-max could be returned and then overflow the uint32_t size.
@pydera: Yes, I agree that
@kevinbackhouse Agreed. My point of view was "just looking at THIS function" without deeper research on CiffComponent. I saw that DataBuf::size() could potentially overflow 'size'. Not looking at CiffComponent, I concluded that changing 'size' to size_t would always be a safe choice, while uint32_t needs further investigation.
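The uint32_t versus size_t point raised above, as an added illustration that is not Exiv2 code: a constructed SizedBuf whose size() returns a signed 64-bit value stands in for a buffer type like the one pydera describes (long on LP64). narrowedCheckPasses shows what happens when such a length is narrowed to uint32_t before a bounds check, wideCheckPasses keeps the width and rejects negatives, and narrowingBypassesCheck reports whether the narrowing lets an oversized length through. All names and the 64-byte capacity are hypothetical, and the example says nothing about how the real CrwMap::encode or CiffComponent use the value.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for a buffer type whose size() returns a signed
// 64-bit value (the thread says Exiv2::DataBuf::size() returns long, which
// is 64-bit on LP64). Added illustration only; this is not Exiv2 code and
// it makes no claim about how CrwMap::encode actually uses the value.
struct SizedBuf {
    std::int64_t len;
    std::int64_t size() const { return len; }
};

// Pattern A: narrow the length to uint32_t, then compare it with the
// destination capacity. For a value above 2^32 the high bits are silently
// dropped, so a huge length can look small and pass the check.
bool narrowedCheckPasses(const SizedBuf& buf, std::size_t capacity) {
    std::uint32_t size = static_cast<std::uint32_t>(buf.size());
    return size <= capacity;
}

// Pattern B: reject negative sizes explicitly, then compare in size_t,
// which is as wide as the 64-bit source on LP64, so nothing is lost.
bool wideCheckPasses(const SizedBuf& buf, std::size_t capacity) {
    if (buf.size() < 0) return false;
    return static_cast<std::size_t>(buf.size()) <= capacity;
}

// True when pattern A accepts a buffer whose real byte count does not
// fit: the check passes, but a later copy of buf.size() bytes would
// overrun a `capacity`-byte destination.
bool narrowingBypassesCheck(const SizedBuf& buf, std::size_t capacity) {
    return narrowedCheckPasses(buf, capacity) && !wideCheckPasses(buf, capacity);
}

int main() {
    const std::size_t capacity = 64;                     // hypothetical destination size
    const SizedBuf small{16};                            // fits either way
    const SizedBuf huge{(std::int64_t{1} << 32) + 16};   // truncates to 16 in uint32_t
    const SizedBuf negative{-1};                         // becomes 0xFFFFFFFF in uint32_t
    std::printf("small: A=%d B=%d bypass=%d\n", narrowedCheckPasses(small, capacity),
                wideCheckPasses(small, capacity), narrowingBypassesCheck(small, capacity));
    std::printf("huge:  A=%d B=%d bypass=%d\n", narrowedCheckPasses(huge, capacity),
                wideCheckPasses(huge, capacity), narrowingBypassesCheck(huge, capacity));
    std::printf("neg:   A=%d B=%d bypass=%d\n", narrowedCheckPasses(negative, capacity),
                wideCheckPasses(negative, capacity), narrowingBypassesCheck(negative, capacity));
    return 0;
}
```

The negative case is included because a signed source value also has to be handled: narrowing it to uint32_t produces a large number that happens to fail this particular check, but that is luck rather than a guarantee, which is why pattern B rejects it explicitly before converting.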
There is another way to exploit these bugs, a single image file is enough.
(cherry picked from commit c92ac88)
# Conflicts:
#	tests/bugfixes/github/test_issue_1530.py
…27.4
Alejandro Criado-Pérez (1): Added ES translations
Alex Esseling (2): add_cr3_tags fixing exceptions and reordering tags
Christoph Hasse (10): Implement handling of new Nikon LensData version 8.0 and 8.01 try and fix ci-build try and fix ci-build 2/N try and fix ci-build 3/N add shutter mode and mechanical shutter count to nikon makernote 3 include test of shutter mode and mech shutter count in lensdata 8 test use EXV_PRINT_TAG macro instead of specific print function fix formatting introduce parseTiff method to parse exif run clang-format on new files
Freddie Witherden (2): Add support for Sony lens aberration correction parameters. Add support for Fuji's CropMode tag.
Ingo Weyrich (1): Use a.rfind(b, 0) == 0 instead of a.find(b) == 0 to reduce processing time when checking that a starts with b, #1459
Jan Tojnar (2): cmake: Fix paths with absolute GNUInstallDirs cmake: Fix include_directories for exiv2lib target
Kevin Backhouse (26): Fix incorrect delete. Regression test for Exiv2/exiv2#1530 Fix integer overflow. Fix test name Use $kerCorruptedMetadata, rather than hard-coded string. Regression test for GHSA-5p8g-9xf3-gfrr Improve bound checking in WebPImage::doWriteMetadata() Regression test for GHSA-jgm9-5fw5-pw9p Better bounds checking in Jp2Image::encodeJp2Header() Fix signed/unsigned compiler warnings. Regression test for GHSA-8949-hhfh-j7rj Add more bounds checks in Jp2Image::encodeJp2Header Regression test for GHSA-7569-phvm-vwc2 Add bounds check in Jp2Image::doWriteMetadata(). Fix infinite loop caused by subBox with zero size. Prevent large allocation. Initialize field. Use readOrThrow to check error conditions of iIo.read(). Fix quadratic complexity performance bug. Regression test for Exiv2/exiv2#1570. Fix out-of-bounds read in bmffimage.cpp Stop the test from failing when EXIV2_ENABLE_BMFF=Off. Fix signed/unsigned compiler warning. Fix signed/unsigned compiler warning. Fix LGTM warning about format specifier Check that the string is properly terminated.
Lemures Lemniscati (1): samples/xmpprint.cpp: Fix typos
LeoHsiao (76): Converted two bash test scripts into Python scripts as an example Correct ioTest's execution directory Rename unit_test and import it in system_tests.py Update the documentation for the test cases Let bash_test read the configuration parameters from suite.conf Rename bash_test to bash_tests Wrap shell commands in single quotes Rename tests/README.md Rename the variable `output` to `out` Add default parameter value to the function 'runTest' Define a class 'Log' to merge logs into Python exception message Rewrite testcase 'addmoddel' Add methods setUp() and tearDown() Add some functions to replace shell commands: cp, rm, cat, grep, save, diff Rewrite testcase 'conversions' Rewrite testcase 'crw-test' Clear the log buffer after test Rewrite testcase 'exifdata-test' Add functions: mv, md5sum Rewrite testcase 'icc-test' Optimize class 'Log' and add class 'Conf' Add excute() to replace runTest() Optimize cat(), save() and excute() to handle bytes type content Rename bash_tests.utils as BT Optimize Conf.init() in bash_tests.utils Completed test_io() Remove copyTestFiles() Add class 'Output' to simulate the stdout buffer Refactor exiv2-test.sh to test_exiv2() Rewrite diff() to simulate the output of GNU diff Refactor imagetest.sh to test_image() Rename class 'Conf' to 'Config' Rename test cases from 'test*()' format to '*test()' format Mainly optimize utils.py: Add functions: diff_byte(), diffCheck() Refactor iptctest.sh to iptc_test() Modify printTest(): Ignore the difference of data_dir Add environment variables: EXIV2_HTTP, EXIV2_PORT Adjust line breaks, binary extension on Windows Adjust the format of the command on Windows Ignore printTest() output differences on Windows Ignore conversions_test() output differences on Windows Ignore .vscode Deprecated Config.exiv2_ext Refactor modify-test.sh to iso65k_test() Refactor path-test.sh to path_test() Adjust code spacing Refactor function execute() to class Executer Refactor modify-test.sh to modify_test() Add find() Refactor preview-test.sh to preview_test() Refactor stdin-test.sh to stdin_test() Refactor stringto-test.sh to stringto_test() Refactor tiff-test.sh to tiff_test() Add description for the module lxml Refactor version_test.sh to version_test() Refactor webp-test.sh to webp_test() Optimize diff() Refactor write-test.sh to write_test() Refactor write2-test.sh to write2_test() Refactor xmpparser-test.sh to xmpparser_test() Ignore the difference in the path separator for stdin_test Fix webp_test: correct a test file name Enhance function find(), cp(), rm(), mv() add nls_test() Fix variable LANG in nls_test() Correct the output of exiv2-test Fix nls_test(): Check only part of the output Supports setting EXIV2_HTTP or EXIV2_PORT to '' to ignore HTTP test Support to display the command to execute Support variables: DYLD_LIBRARY_PATH, LD_LIBRARY_PATH Set the variable EXIV2_ECHO when executing `make python_tests VERBOSE=1` let `make python_tests` runs in verbose mode Set the default value for the variable VALGRIN to empty Cancel adding a newline when testing Simplify functions: runTest(), verbose_version()
Leonardo Brondani Schenkel (2): Detect Sigma 18-35mm f/1.8 DC HSM (firmware 2.x) Make lens name consistent with models 150 and 368
Luis Diaz Mas (1): Use check_cxx_compiler_flags instead of C version
Luis Díaz Más (17): Use ctime instead of time.h Assume existence of stdint.h Move winsock2 inclusion to http.cpp WIN32_LEAN_AND_MEAN propagated with exiv2lib target Include winsock2 at the beginning of http.cpp Revert "change implementation of Exiv2::base64encode() to adopt implementation from same URL as base64decode()." Hide exiv2-xmp dependency in CMake config file: Use latest available version of Conan in CI Hide zlib absolute path in cmake config file Adding Ubuntu 18.04 & 20.04 to travis builds CI: Special packages for Ubuntu 20.04 CI: Fix how we pass CMake options in travis Modify strncpy0 to avoid warning ci: use always pip3 for installing conan ci: Use same travis jobs as in main (drop Ubuntu 16.04) New mergify config file to forward changes to main ci-travis: trying to fix valgrind build
Miloš Komarčević (40): Remove EXIV2_EXT variable references Remove remaining vestiges of binary_extension Add more easy accessors for Exif & TIFF/EP overlap Add DateTimeOriginal to easyaccess Test cover for added easyaccess methods Fix easyaccess-test Preserve trailing space in test_easyaccess.py output Fix CanonFi typo in man page exiv2 pr uses easyaccess API (co-authored with clanmills) actions: simplify print summary using easyaccess Add some DNG related tag values Fix syntax error, improve value name style Add DNG CFALayout values Also use existing light source pretty print for DNG Update CalibrationIlluminant test Add remaining DNG 1.3 tag values Minor DNG related changes after review Moved ambient tags to Exif only list, other refactoring Complete DNG 1.4 spec support Fix Pana tag typo and improve Fuji tag description Add DNG 1.5 tags and values Promote remaining SHORT/LONG tags default type Pretty print PlanarConfig Add DNG 1.6 support Add DNG 1.6 test Fix MinGW build for Ninja generator Adding DNG 1.6 triple-illuminant calibration tags Include HEIC type in docs Minor whitespace formatting Revert style changes Terminate empty ASCII strings as well Include HEIC type explicitly Add comment and test case Include a few more BMFF major brands Add mif1 brand to heif mime type Replace tabs to fix indentation issues Fix readme typo Check for symlinks when uninstalling Match closing statement, doh Update bmffimage.hpp include order and path (#1648)
Olli Lupton (2): Add LensType entry for Olympus M.Zuiko Digital ED 17mm F1.2 Pro lens. Add a test for PR 1375, checking the Olympus 17mm f/1.2 Pro lens is recognised correctly.
Peter Kovář (17): [WIP] Add ISO/IEC Base Media File Format Small corrections [WIP] Added box types [WIP] Base Media File Format [WIP] Redefine tags [WIP] Another try [WIP] Correction [WIP] 64-bit length [WIP] Correction to make Travis CI happy [WIP] Yet another type cast correction to make Travis CI happy [WIP] Fixed Image Spatial Extents Property Handling Corrected format string Add CR3 image dimensions Update README.md Add artist tag Revert "Add artist tag" Remove executable bits from test data files
Pydera (1): Fix out of buffer access in #1529
Robin Mills (179): fix_1236_0.27 Reverting changes to test/icc-test.sh for investigation. Fix correctly this time and tested with the user files. Test suite updated to use Reagan2.jp2 Fixed typo declaration of pad when writing ICC profile. Update icc-test.out Disable libiconv support when building with Visual Studio. fix_1266_GPSProcessingMethod fix_1268_GPSProcessingMethod fix_solaris_stack_protection_0.27 fix_solaris_stack_protection_0.27 fix_1297_crwtest_linux_coverage This is a copy of master/.travis.yml to see what happens on the CI. fix_cygwin_stack_protection_0.27 Second effort to unexpose winsock2.h from include <exiv2/exiv2.hpp> using EXIV2_BUILDING_EXIV2 mechanism. Updated reference output. Well spotted, @piponazo. Fixing previous incorrect commit. fix_1353_mingw_toolchain_0.27 Exiv2/exiv2#1356 (comment) fix_1393_iptc_tags_web_0.27 I hope I've made a better job of this at this attempt. I don't think the "section" enum is of much importance. I don't believe anything in particular is done with it. Fix tag GPSHPositioningError to use printValue() pretty-printer. Clarified definition and use of enum SectionId @kmilos: please review/approve. Documentation revision in response to #1394 New profiles as documented in README-CONAN.md Add ribbon to README-SAMPLES.md. Fixing typos. Moved orphaned declaration of exifGPSDirRef. Documented exiv2lib_export.h Update script cmd64.bat following review by @tester0077 I hope this is the final change to this PR. WIP #1402 rafimage::printStructure() improved formatting. bumpRevision_0.27.4.9 WIP: working to understand how to support tiffIfd in tiffvisitor_int.cpp Remove debugging code. Add FujiIFD to TiffCreator::tiffGroupStruct_ Success. It's working! Code/comment tidy. Add to test harness. Fix significant typo in cmd64.bat Pointless change to trigger CI to build again. Hoping for CI Contentment! Calming Test Suite concerning Continuous and CropMode confusion. fix_1431_binary_comment. appveyor_mingw_0.27 Changed APPVEYOR_BUILD_WORKER_IMAGE Try again. One more time. And another go. Getting better. Modify the path. Might build this time. Fix typo. Run python_tests. Reformatted. Try again! Debugging mingw.yml Last change, I hope. And another try. And another. Debugging mingw.yml Debugging mingw.yml More debugging. Debugging More debugging. Only run python_tests Try to build using Cygwin/64 Debugging cygwin/64 Cygwin Cygwin: Add zlib and expat to install Cygwin/64 install dependencies. libexpat-devel Use C++98 and run python tests. Install pip Trying to get pip to install. Com'on pip3. Install libxml2 and libxslt python38-libxml2 Build and test both MinGW/msys2 and Cygwin64 Fix matrix syntax. Try again. Build Cygwin and MinGW in parallel. Try again. Fixing typo Rename appveyor configuration file. Modified install to only install what's required for BUILD Restored 0.27.2 "toString()" behaviour of Exifdatum.value().toString() for CommentValue. Fixing test suite. Revert "Fixing test suite." Revert "fix_1431_binary_comment." Revert "Restored 0.27.2 "toString()" behaviour of Exifdatum.value().toString() for CommentValue." Revert "Revert "fix_1431_binary_comment."" Add test image. Add test script. Enhanced documentation formatting. Fixing test suite. I've explained the changes in a note in the PR. Fix image handler to give jp2image code higher priority than the next isobmff code. Rename class ISOBMFF => class bmffImage to match other image handlers. Removed C++11 style code. Removed unused code. Fixing Linux build/test issues. Fix Linux build-breaker when ENABLE_ISOBMFF=False and EXIV2_TEAM_WARNINGS_AS_ERRORS=On Modified ci/install.sh to install cmake before dependencies. fix_1464_sony2010e Fix c++ code fix_1464_sony2010e Add test file and test script fix_1464_sony2010e test script fix_1471_sony2010_0.27 Test suite update. Change test suite timeout. C++ simplification. WIP: Refactored readMetadata() into recursive boxHandler() Fixing a build breaker. Fix linux/CI build breaker. Fix msvc/CI build breakers. Fix linux/CI build breaker. Fixing warnings from LGTM/CI. More fixes for LGTM/CI warnings. WIP: Added class Iloc and related code. Fixed recursion issue in the meta box. Tidying up. 1. pixelHeight_. 2. refactored indenter() -> indent(). 3. EXIV2_DEBUG_MESSAGES outputs to std::cerr Updating .gitignore. Parse Exif in .HEIC/.AVIF Cleanup. 1. Recursively process uuid/cano box. 2. Fix LGTM/CI sprintf grumbles. 3. Comment parseTiff() in bmffimage.hpp. Tidy up. Rename Tag::cr3_exif -> Tag:cmt2 Revised following code review by @hassec. Thank You, Christoph. Remove bmffimage::printStructure() as discussed in review with @hassec. Corpse removal and cleanup in bmpfimage.hpp Added parseXmp() to parse Xmp metadata. Fix .CR3 files to call parseXmp(). Rename test image. WIP: adding BmffImage::printStructure() and support for colr box. Cosmetic change to -pR/-pS output. Adding HIF tests. Fix MSVC build breaker and modify test_pr_1475_HIF.py to run on Windows. Renamed a test file. Test suite updates. Add SECURITY.md and reference it from the Security Tab in the GitHub Web UI. Following review by @hassec, I use static base64_encoding vector in both Exiv2::base64encode() and Exiv2::base64decode(). Move system_tests.runTest() and system_tests.verbose_version() to system_tests.BT fix_1486_effort2 Exiv2/exiv2#1486 (comment) use raise from test_pr1475*.py Add unit_tests to suite.conf Add python scripts equivalent to test/version_test.sh and unit_test.sh Refactor CMakeList.txt to run all tests using tests/runner.py Add test/ReadMe.txt Fix typos. Fix comments. Fix LD_LIBRARY_PATH. Add option arg raw=False to runTest() Use raw=True in unit_test.py. Sniff for unit_tests.exe! Better logic and error message. exiv2_v27_4_rc1 exiv2 --verbose --version was reporting have_strerror_r twice! Massive code prolog cleanup. Exiv2 v0.27.4 RC1 Preview. v27_4_rc1_effort2 Updated the user documents. Most changes relate to running the test suite. Add optional parameter forgive=False to reportTest() for use by nls_test to avoid false fails. Downgrade version to 0.27.4.10 = 0.27.4 RC1 Preview. Fixing typos. Bump revision number to Exiv2 v0.27.4 RC1. PR will be marked for review. Clarify bmff support as readonly. Set LD_LIBRARY_PATH to run bundled bin/exiv2. Push change in PR #1500. Thank you @kmilos. Update releasenotes.txt with more credit for Milos (and trigger macOS/CI which is red). All platform build on MacMini. fix_1507_avif_size0x0 Documentation Update (as discussed in #1508) Use the documented 5 line prolog in every sample application. Tidy up sample prologs and header code. fix_1508_enableBMMF_effort2 Add test script. fix_1504_metacopy_optstring fix_1503_JXL_bmff Added test file and script. Fix build breaker in test_issue_1503.py. fix_1522_jp2image_exif_asan test fix_1522_jp2image_exif_asan update_README_localisation v0.27.4RC2 v0.27.4 RC2 Release Notes. bump_release_number_0.37.4.39 fix_enableBMFF Bump version number. Update releasenotes.txt update changelog fix_broken_man_page v0.27.4
Thomas Petazzoni (1): Properly detect availability of flags in cmake/compilerFlags.cmake (#1252)
clanmills (78): fix_1276_BUILD_PO_0.27 Do not build WebReady with Visual Studio. Build with C++11 Disable coverage (see #1297) Tweak conversion.sh for TZ conversion error in MSVC. Fix #1300 Use ubuntu on CI Remove .. from CMAKE_OPTIONS. -CMAKE_CXX_STANDARD=98 and Disable UNIT_TESTS. Simplify ci/run.sh Don't use ASAN on CI. -DCMAKE fix. Thanks @piponazo Disable Fedora/CentOS/Archlinux on gitlab/CI. fix 1307 ASAN issues with RemoteIo fix_1329_remove_bigtiff_0.27 Remove bigtiffimage.hpp from include/exiv2/CMakeLists.txt Fix: https://travis-ci.org/github/Exiv2/exiv2/jobs/730867927 run_stdin-test.sh_0.27 fix_1335_winsock2_0.27 pythonic_bash_ci_0.27 temporarily disable stdin-test and webp-test to get the CI operational again. nls-test script and reference file. Makefile updated to run nls-test.sh as part of bash_tests Adding test files to test suite. Script and reference file changes. Adding test files and bash script/reference-output Code changes C++ changes requested by @piponazo. Fix python png_test() recommended by @LeoHsiao1. Update reference output. Enable CentOS on gitLab-ci. Adding test files to test suite. Script and reference file changes. Temporarily neuter DEXIV2_TEAM_USE_SANITIZERS to get CentOS to build. Revert the last two changes. GitLab/centOS makes no sense. Will build on MacMini. Fix compiling http.cpp and reinstate centOS on gitLab. Disable centOS on CI. The web-server goes crazy although this doesn't happen in the terminal on centOS. Fixing variable LANG replace base64encode in src/futils.cpp change implementation of Exiv2::base64encode() to adopt implementation from same URL as base64decode(). Add +x (execute) attribute to shell scripts. Fix handling of environment string VERBOSE Don't set --verbose in makefile. Don't treat exiv2_echo == VERBOSE. Fixing VERBOSE in environment (args.verbose==2 when set. args.verbose==0 when not set). Fixing EXIV2_PORT on MinGW/msys2. Disable OpenSUSE on CI. It's complaining about being unable to install the correct version of curl. Adding support for environment strings EXIV2_HTTP and EXIV2_PORT Adding support for VALGRIND and EXIV2_BINDIR Disable exiv2 option --binary Adding python test Updating man page. fix_929_exif2.31_0.27 Fix python test breaker Fixing exiv2-test.sh message when test/tmp is empty. Adding test images. Changed CI build default -DEXIV2_ENABLE_BMFF=On. Fixed suite to run with/without bmff. -pS and -pR same for bmff. Added 2.19 Support for bmff files Updated for bmff. Re-awaken obsolete command-line argument --binary and store class Task. refactored setModeAndPrintStructure() to respect class Task.binary_ when printing ICC profiles. Minor corrections and clarification concerning enableBMFF(). Fix box.length == to use bigEndian decode! Fix toAscii() to emit on ascii 32-127 bytes. Test suite update. With good fortune, bmffimage is ready for review. Replaced the ugly code in Exiv2::base64encode() and update the test suite. Fix Linux build breakers. Replaced Exiv2::base64encode() because last effort failed unit test on msvc. This should be it. Test suite fixed. Trick to avoid msvc issue with final line of base64 data. Fix ICC profile handling (my bad, iOS files are correct). Restoring i < dataLength trigraph that I should not have removed. Restore -pC --binary to output everything. Test suite updated to suit. Fix #1358. This should be in a different PR. Keep changes to base64 encode/decode together. Another effort to fix base64decode and associated unit test. Updated to adopt Review suggestions by @kmilos. Thank You, Milos. Fix msvc build breaker. Thank You @piponazo for the code review. I've made the changes you requested. Following review by @piponazo, I am clarifying the bool return from Exiv2::enableBMFF(). fix_1473_LocationShown Exiv2/exiv2#1486 (comment)
czgnp (3): Update canonmn_int.cpp and a test case for Python and the test files
evanokeeffe (1): found a bug in metacopy, the -x parameter wasn't in the optstring. rectified that
hanno@schwalm-bremen.de (3): Adding support for DefaultUserCrop and BaselineExposureOffset Fix typo and remove empty line. Revert exv commit and remove empty line.
postscript-dev (7): Add missing "Xmp" to project description Update PACKAGE_URL and PROJECT_DESCRIPTION text Fix langAltValue::read() parsing Add static to LangAltValue::read() const values Change LangAltValue::read() tests to unitTests Fix spelling mistakes in LangAltValue::read() Update exiv2 man page - langAlt format
tbeu (1): Fix write ability flags of PSD files (#1260)
CVE-2021-31292 has been assigned for this issue.
VERSION
exiv2 0.27.4.1
https://github.com/Exiv2/exiv2/tree/0.27-maintenance
REPRODUCE
Compile exiv2 with asan:
Download testcases:
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487.exv
Run command:
exiv2 in tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
Credit: Zhen Zhou of NSFOCUS Security Team