Thursday, 26 July 2018

misuse of realpath function on POSIX platforms - CVE-2018-14338

Hi Internet,

Product Affected: Exiv2, a C++ library and command-line utility to read and write Exif, IPTC and XMP image metadata.

Summary:  samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms (other than Apple platforms) where glibc is not used, possibly leading to a buffer overflow.

However, there are multiple files in /samples/, each responsible for its own test.
conntest.cpp = This file is used when a user needs to test an http/https/ftp/ssh/sftp based connection via exiv2

Similarly, I had a look at the geotag.cpp file, which is responsible for reading GPX files and updating images with GPS tags.
This file uses `realpath()`, and the POSIX.1-2001 version of `realpath()` is broken by design: a caller cannot determine a suitable size for the output buffer.
According to the documentation of `realpath()`, the output buffer needs to be at least `PATH_MAX` bytes; the general rule is to specify output buffers large enough to hold the maximum-size result a path manipulation function can produce.

But in geotag.cpp the buffer passed to `realpath()` is neither sized to `PATH_MAX` nor left as NULL on every platform:
#ifdef __APPLE__
                    char   buffer[1024];          // fixed 1024-byte buffer (Apple's PATH_MAX is 1024, so this branch happens to fit)
#else
                    char*  buffer = NULL;         // NULL: realpath() allocates the result (safe with glibc; implementation-defined elsewhere)
#endif
                    char*  path = realpath(arg,buffer);
                    if  ( t && path ) {
                        if ( options.verbose) printf("%s %ld %s",path,(long int)t,asctime(localtime(&t)));
                    }
                    if ( path && path != buffer ) ::free((void*) path);
                }
                if ( type == typeUnknown ) {
                    fprintf(stderr,"error: illegal syntax %s\n",arg);
                    result = resultSyntaxError ;
                }
            } break;
By contrast, where `uv__fs_pathmax_size()` is used, the buffer size comes from that function, which attempts to use `pathconf(path, _PC_PATH_MAX)` as noted in the realpath(3) docs. geotag.cpp uses neither `uv__fs_pathmax_size()` nor `pathconf(path, _PC_PATH_MAX)`.

Passing an inadequately sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include `realpath()`, `readlink()`, `PathAppend()` and others.
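As an added example (not Exiv2's code), here is how a caller can satisfy the sizing rule from the realpath(3) documentation quoted above: either compute the buffer size from `pathconf(path, _PC_PATH_MAX)` but never go below `PATH_MAX`, or pass NULL so the library allocates the result. The function names `buffer_large_enough`, `path_buffer_size`, `resolve_path_sized` and `resolve_path_alloc` are this example's own, and the `PATH_MAX` fallback value is an assumption for platforms that leave it undefined.

```c
/* Added example (not Exiv2's code): sizing the realpath() output buffer safely.
 * Pattern 1: size the buffer from pathconf() but never below PATH_MAX.
 * Pattern 2: pass NULL and let realpath() allocate (POSIX.1-2008). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
/* Assumption: a conservative fallback for platforms that leave PATH_MAX undefined. */
#define PATH_MAX 4096
#endif

/* Returns 1 if a buffer of `len` bytes meets the realpath(3) requirement
 * (at least PATH_MAX bytes), 0 otherwise. A cheap check to use in review. */
int buffer_large_enough(size_t len) {
    return len >= (size_t)PATH_MAX;
}

/* Number of bytes to allocate for realpath() output for `path`: the larger of
 * pathconf(path, _PC_PATH_MAX) plus one for the NUL, and PATH_MAX.
 * pathconf() returns -1 both for "no limit" (errno unchanged) and for errors
 * (errno set); in both cases we fall back to PATH_MAX. */
size_t path_buffer_size(const char *path) {
    size_t size = (size_t)PATH_MAX;
    errno = 0;
    long limit = pathconf(path, _PC_PATH_MAX);   /* result is used, not discarded */
    if (limit > 0 && (size_t)limit + 1 > size) {
        size = (size_t)limit + 1;
    }
    return size;
}

/* Pattern 1: caller-sized buffer. Returns a heap copy of the canonical path
 * (caller frees) or NULL with errno set by realpath(). */
char *resolve_path_sized(const char *arg) {
    size_t size = path_buffer_size(arg);
    char *buffer = malloc(size);
    if (buffer == NULL) {
        return NULL;
    }
    /* The buffer is at least PATH_MAX bytes, so realpath() cannot overrun it. */
    if (realpath(arg, buffer) == NULL) {
        int saved = errno;
        free(buffer);
        errno = saved;
        return NULL;
    }
    return buffer;
}

/* Pattern 2: library-sized buffer. With a NULL second argument realpath()
 * allocates with malloc() and the caller frees the result. POSIX.1-2001 left
 * the NULL case implementation-defined, so on older non-glibc libcs this is
 * the pattern the advisory warns about; POSIX.1-2008 made it well defined. */
char *resolve_path_alloc(const char *arg) {
    return realpath(arg, NULL);
}

/* Stand-alone use: resolve each command-line argument, as geotag does for each
 * image path. The exit status is the number of arguments that failed. */
int main(int argc, char *argv[]) {
    int failures = 0;
    for (int i = 1; i < argc; i++) {
        char *path = resolve_path_sized(argv[i]);
        if (path == NULL) {
            fprintf(stderr, "%s: %s\n", argv[i], strerror(errno));
            failures++;
            continue;
        }
        printf("%s -> %s\n", argv[i], path);
        free(path);
    }
    return failures;
}
```

Compiled on its own, the program prints the canonical form of every argument and reports the libc error for paths that do not exist, which is the same control flow geotag follows for its image arguments, minus the timestamp handling.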

An issue was submitted to the Exiv2 team and a commit was pushed to patch it. The fix calls `pathconf()` on Linux, although they could simply have sized the buffer as `PATH_MAX+1`:
diff --git a/samples/geotag.cpp b/samples/geotag.cpp
index 1355827..4da38af 100644
--- a/samples/geotag.cpp
+++ b/samples/geotag.cpp
@@ -806,8 +806,11 @@ int main(int argc,const char* argv[])
                 if ( options.verbose ) printf("%s %s ",arg,types[type]) ;
                 if ( type == typeImage ) {
                     time_t t    = readImageTime(std::string(arg)) ;
-#ifdef __APPLE__
+#if   defined(__APPLE__)
                     char   buffer[1024];
+#elif defined(__gnu_linux__)
+                    char   buffer[_MAX_PATH];
+                    pathconf(arg ,_MAX_PATH);
                     char*  buffer = NULL;
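Review bot: in the new `__gnu_linux__` branch the return value of `pathconf(arg ,_MAX_PATH);` is discarded, so the call has no effect on the buffer size, and the array is sized with `_MAX_PATH`, which is not the POSIX name (the post above uses `PATH_MAX` and `pathconf(path, _PC_PATH_MAX)`); either drop the call and declare `char buffer[PATH_MAX + 1];`, or feed the `pathconf()` result into a `malloc` and free it afterwards. The hunk as pasted is also cut short (the `@@ -806,8 +806,11 @@` header promises 8 old and 11 new lines, fewer are shown), so the `#else`/`#endif` that should separate the new branch from the `char* buffer = NULL;` context line cannot be reviewed here.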
CVE-2018-14338 was assigned to this issue. Hope you like the read.
