CVE-2021-29473 - Out-of-bounds Read

Severity

25%

Complexity

10%

Confidentiality

23%

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. Please see our security policy for information about Exiv2 security.

CVSS 3.1 Base Score 2.5. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVSS 2.0 Base Score 2.6. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Overview

First reported 3 years ago

2021-04-26 19:15:00

Last updated 3 years ago

2021-09-21 18:12:00

Affected Software

Debian Linux 9.0

9.0

References

https://github.com/Exiv2/exiv2/security/policy

https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2

https://github.com/github/advisory-review/pull/1587

FEDORA-2021-10d7331a31

https://github.com/Exiv2/exiv2/security/policy

Release Notes, Third Party Advisory

https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2

Patch, Third Party Advisory

https://github.com/github/advisory-review/pull/1587

Broken Link, Third Party Advisory

FEDORA-2021-10d7331a31

Third Party Advisory

FEDORA-2021-2d860da728

FEDORA-2021-96a5dabcfa

FEDORA-2021-be94728b95

DSA-4958

[debian-lts-announce] 20210830 [SECURITY] [DLA 2750-1] exiv2 security update

FEDORA-2021-10d7331a31

Mailing List, Third Party Advisory

FEDORA-2021-2d860da728

Mailing List, Third Party Advisory

FEDORA-2021-96a5dabcfa

Mailing List, Third Party Advisory

FEDORA-2021-be94728b95

Mailing List, Third Party Advisory

DSA-4958

Third Party Advisory

[debian-lts-announce] 20210830 [SECURITY] [DLA 2750-1] exiv2 security update

Mailing List, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.