Vulnerabilities > CVE-2018-16336 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
exiv2
debian
canonical
CWE-125
nessus

Summary

Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1551.NASL
    descriptionA vulnerability has been discovered in exiv2 (CVE-2018-16336), a C++ library and a command line utility to manage image metadata, resulting in remote denial of service (heap-based buffer over-read/overflow) via a crafted image file. Additionally, this update includes a minor change to the patch for the CVE-2018-10958/CVE-2018-10999 vulnerability first addressed in DLA 1402-1. The initial patch was overly restrictive and has been adjusted to remove the excessive restriction. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id118240
    published2018-10-22
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118240
    titleDebian DLA-1551-1 : exiv2 security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1551-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118240);
      script_version("1.1");
      script_cvs_date("Date: 2018/10/22 11:13:01");
    
      script_cve_id("CVE-2018-10958", "CVE-2018-10999", "CVE-2018-16336");
    
      script_name(english:"Debian DLA-1551-1 : exiv2 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability has been discovered in exiv2 (CVE-2018-16336), a C++
    library and a command line utility to manage image metadata, resulting
    in remote denial of service (heap-based buffer over-read/overflow) via
    a crafted image file.
    
    Additionally, this update includes a minor change to the patch for the
    CVE-2018-10958/CVE-2018-10999 vulnerability first addressed in DLA
    1402-1. The initial patch was overly restrictive and has been adjusted
    to remove the excessive restriction.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    0.24-4.1+deb8u2.
    
    We recommend that you upgrade your exiv2 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/10/msg00012.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/exiv2"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exiv2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-13");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexiv2-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"exiv2", reference:"0.24-4.1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"libexiv2-13", reference:"0.24-4.1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"libexiv2-dbg", reference:"0.24-4.1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"libexiv2-dev", reference:"0.24-4.1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"libexiv2-doc", reference:"0.24-4.1+deb8u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2710.NASL
    descriptionAccording to the versions of the exiv2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.(CVE-2018-16336) - The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 0.26 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file.(CVE-2018-4868) - In Exiv2 before v0.27.2, there is an integer overflow vulnerability in the WebPImage::getHeaderOffset function in webpimage.cpp. It can lead to a buffer overflow vulnerability and a crash.(CVE-2019-14982) - There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input.(CVE-2017-11683) - An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.(CVE-2017-14859) - An Invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.(CVE-2017-14862) - An Invalid memory address dereference was discovered in Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.(CVE-2017-14864) - There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack.(CVE-2017-14865) - There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.(CVE-2017-17669) - Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.(CVE-2017-18005) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-23
    plugin id132377
    published2019-12-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132377
    titleEulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2710)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132377);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2017-11683",
        "CVE-2017-14859",
        "CVE-2017-14862",
        "CVE-2017-14864",
        "CVE-2017-14865",
        "CVE-2017-17669",
        "CVE-2017-18005",
        "CVE-2018-16336",
        "CVE-2018-4868",
        "CVE-2019-14982"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : exiv2 (EulerOS-SA-2019-2710)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the exiv2 package installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26
        allows remote attackers to cause a denial of service
        (heap-based buffer over-read) via a crafted image file,
        a different vulnerability than
        CVE-2018-10999.(CVE-2018-16336)
    
      - The Exiv2::Jp2Image::readMetadata function in
        jp2image.cpp in Exiv2 0.26 allows remote attackers to
        cause a denial of service (excessive memory allocation)
        via a crafted file.(CVE-2018-4868)
    
      - In Exiv2 before v0.27.2, there is an integer overflow
        vulnerability in the WebPImage::getHeaderOffset
        function in webpimage.cpp. It can lead to a buffer
        overflow vulnerability and a crash.(CVE-2019-14982)
    
      - There is a reachable assertion in the
        Internal::TiffReader::visitDirectory function in
        tiffvisitor.cpp of Exiv2 0.26 that will lead to a
        remote denial of service attack via crafted
        input.(CVE-2017-11683)
    
      - An Invalid memory address dereference was discovered in
        Exiv2::StringValueBase::read in value.cpp in Exiv2
        0.26. The vulnerability causes a segmentation fault and
        application crash, which leads to denial of
        service.(CVE-2017-14859)
    
      - An Invalid memory address dereference was discovered in
        Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The
        vulnerability causes a segmentation fault and
        application crash, which leads to denial of
        service.(CVE-2017-14862)
    
      - An Invalid memory address dereference was discovered in
        Exiv2::getULong in types.cpp in Exiv2 0.26. The
        vulnerability causes a segmentation fault and
        application crash, which leads to denial of
        service.(CVE-2017-14864)
    
      - There is a heap-based buffer overflow in the
        Exiv2::us2Data function of types.cpp in Exiv2 0.26. A
        Crafted input will lead to a denial of service
        attack.(CVE-2017-14865)
    
      - There is a heap-based buffer over-read in the
        Exiv2::Internal::PngChunk::keyTXTChunk function of
        pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will
        lead to a remote denial of service
        attack.(CVE-2017-17669)
    
      - Exiv2 0.26 has a Null Pointer Dereference in the
        Exiv2::DataValue::toLong function in value.cpp, related
        to crafted metadata in a TIFF file.(CVE-2017-18005)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2710
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ed6f2a44");
      script_set_attribute(attribute:"solution", value:
    "Update the affected exiv2 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14982");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:exiv2-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["exiv2-libs-0.26-3.h10.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiv2");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2277.NASL
    descriptionAccording to the versions of the exiv2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, a different vulnerability than CVE-2018-10999.(CVE-2018-16336) - In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngchunk_int.cpp may cause a denial of service (application crash due to a heap-based buffer over-read) via a crafted PNG file.(CVE-2018-19535) - A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.(CVE-2019-13112) - Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.(CVE-2017-18005) - There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack.(CVE-2017-14865) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-11-27
    plugin id131343
    published2019-11-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131343
    titleEulerOS 2.0 SP8 : exiv2 (EulerOS-SA-2019-2277)