An infinite loop and hang in Exiv2::Jp2Image::readMetadata() #1011

Closed
boo0m opened this issue Sep 30, 2019 · 3 comments

boo0m commented Sep 30, 2019

Describe the bug
An input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.

To Reproduce
Steps to reproduce the behaviour:
execute 'build/bin/exiv2 Jp2Image_readMetadata_loop.poc'

Expected behavior
An infinite loop and hang, with high CPU consumption

Additional context
The poc is here
Jp2Image_readMetadata_loop.poc.zip

The code:

```cpp
io_->seek(restore,BasicIo::beg);
io_->seek(subBox.length, Exiv2::BasicIo::cur);
```

leads to an infinite loop.

@boo0m boo0m added the bug label Sep 30, 2019
@clanmills clanmills self-assigned this Sep 30, 2019
@clanmills clanmills added this to the v0.27.4 milestone Sep 30, 2019
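
Added example, not part of the original report and not Exiv2's code: a walker for a simplified box layout that shows the checks which keep a length-driven seek, like the one quoted above, from stalling on a crafted file. The 8-byte header layout, `walkBoxes`, `WalkResult`, the box cap and the sample buffers are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model (assumption): each box starts with an 8-byte header,
// a big-endian 32-bit length followed by a 32-bit type, and the length
// counts the header plus the payload.
enum class WalkResult { Ok, Truncated, NoProgress, Overrun, TooManyBoxes };

static std::uint32_t be32(const std::uint8_t* p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
}

// Walks the boxes in buf. Every iteration must move the cursor forward and
// stay inside the buffer, and the number of boxes visited is capped.
WalkResult walkBoxes(const std::vector<std::uint8_t>& buf, std::size_t maxBoxes,
                     std::size_t& seen) {
    const std::size_t kHeader = 8;
    std::size_t pos = 0;
    seen = 0;
    while (pos < buf.size()) {
        if (buf.size() - pos < kHeader) return WalkResult::Truncated;
        const std::uint32_t length = be32(&buf[pos]);
        if (length < kHeader) return WalkResult::NoProgress;        // cursor would not pass this header
        if (length > buf.size() - pos) return WalkResult::Overrun;  // claims more bytes than remain
        if (++seen > maxBoxes) return WalkResult::TooManyBoxes;     // hard cap on work per file
        pos += length;                                              // strictly increases
    }
    return WalkResult::Ok;
}

// Constructed sample inputs.
std::vector<std::uint8_t> sampleGood() {
    return {0, 0, 0, 12, 'a', 'b', 'c', 'd', 1, 2, 3, 4,   // 12-byte box
            0, 0, 0, 8,  'e', 'f', 'g', 'h'};              // 8-byte box, empty payload
}
std::vector<std::uint8_t> sampleZeroLength() {
    return {0, 0, 0, 12, 'a', 'b', 'c', 'd', 1, 2, 3, 4,
            0, 0, 0, 0,  'e', 'f', 'g', 'h'};              // length field of 0
}

int main() {
    std::size_t n = 0;
    return walkBoxes(sampleZeroLength(), 1000, n) == WalkResult::NoProgress ? 0 : 1;
}
```
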
@clanmills
Collaborator

Thank you for reporting this. It will be investigated and I hope we'll include a fix with Exiv2 v0.27.4 which is scheduled for 2019-13-31.

@clanmills
Collaborator

Fix submitted #1013

piponazo pushed a commit that referenced this issue Oct 5, 2019
D4N added a commit that referenced this issue Oct 5, 2019
Fix #1011 fix_1011_jp2_readmetadata_loop
mergify bot pushed a commit that referenced this issue Oct 5, 2019
(cherry picked from commit 1b917c3)

# Conflicts:
#	src/jp2image.cpp
piponazo pushed a commit that referenced this issue Nov 18, 2019
(cherry picked from commit 1b917c3)
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Mar 23, 2020
(cherry picked from commit 1b917c3)
(cherry picked from commit 55af053)
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Mar 23, 2020
(cherry picked from commit 1b917c3)
(cherry picked from commit 55af053)
D4N added a commit that referenced this issue Mar 24, 2020
Fix #1011 fix_1011_jp2_readmetadata_loop

vcunat commented Mar 29, 2020

For reference, the issue has been assigned name CVE-2019-20421.

@clanmills clanmills self-assigned this Mar 29, 2020
1div0 pushed a commit to 1div0/exiv2 that referenced this issue Jun 7, 2020