CVE-2017-11340: Segmentation fault in the XmpParser::terminate() function

[rhertzog]

I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1470950

The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1298135
(it's a rar archive containing the actual reproducer file)

Here's a copy of the report:

$./exiv2 POC6
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 

Segmentation fault


GDB debugging information is as follows:
(gdb) set args POC6
(gdb) r
 ...
Continuing.
ORF IMAGE
Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry
Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry
File name       : id:000023,sig:06,src:001147+000847,op:splice,rep:2
File size       : 60 Bytes
MIME type       : image/x-olympus-orf
Image size      : 0 x 0
Camera make     : 
Camera model    : 
Image timestamp : 
Image number    : 
Exposure time   : 
Aperture        : 
Exposure bias   : 
Flash           : 
Flash bias      : 
Focal length    : 
Subject distance: 
ISO speed       : 
Exposure mode   : 
Metering mode   : 
Macro mode      : 
Image quality   : 
Exif Resolution : 
White balance   : 
Thumbnail       : None
Copyright       : 
Exif comment    : 


Breakpoint 3, main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:176
176	    Exiv2::XmpParser::terminate();
(gdb) n
155	    Action::Task::AutoPtr task
(gdb) n
180	} // main
(gdb) 

Breakpoint 2, __libc_start_main (main=0x4e24c0 <main(int, char* const*)>, argc=2, argv=0x7fffffffe598, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588) at libc-start.c:323
323	libc-start.c: No such file or directory.
(gdb) s
__GI_exit (status=0) at exit.c:104
104	exit.c: No such file or directory.
(gdb) n
103	in exit.c
(gdb) 
104	in exit.c
(gdb) 

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 

This vulnerability was triggered after the function __GI_exit (status=0) exit.c:104 after function main() exit.

[D4N]

This has also been fixed in #79.

[D4N]

The patch for this issue has been backported to 0.26.