Exiv2 Out-of-Bounds Read Vulnerability in EPS Metadata Writing

Vulnerability

An out-of-bounds read vulnerability has been identified in Exiv2 versions through 0.28.5. Exiv2 is a C++ library and command-line utility for managing image metadata, including Exif, IPTC, XMP, and ICC data. The vulnerability is triggered when Exiv2 writes metadata to a crafted image file, potentially leading to a denial-of-service condition by crashing the application. Exploitation requires convincing a user to process the manipulated image with Exiv2, particularly using commands that involve writing metadata, which is less common than reading operations.

Impact

Exiv2 crashes due to a segmentation fault, caused by an invalid memory read operation. This behavior is consistent with typical exploitation of out-of-bounds read vulnerabilities, where the application attempts to access memory outside its allocated bounds, leading to a crash.

Reproduction

The vulnerability can be reproduced by using Exiv2 version 0.28.5 and applying a command that writes metadata, such as the 'delete' option, while specifying a crafted EPS file known to trigger the out-of-bounds read. This can be done using the Exiv2 command-line tool after compiling the application with AddressSanitizer enabled, which will detect the memory access violation.

Remediation

Users can upgrade to Exiv2 version 0.28.6, where this vulnerability has been fixed.
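
The version boundary stated above (affected through 0.28.5, fixed in 0.28.6), turned into a first-pass inventory check. This is an added example, not part of the original advisory or the Exiv2 project; the function names and sample lines are constructed, and it assumes `exiv2 --version` prints the version on its first line.

```shell
#!/bin/sh
# Added example: classify Exiv2 version strings against the advisory's range.
FIXED="0.28.6"   # first fixed release, per the advisory

# Pull the first dotted version (e.g. "0.28.5") out of arbitrary text.
# Requiring a dot skips the bare "2" in the name "exiv2".
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Return 0 if the version is older than FIXED, 1 if not, 2 if unparsable.
is_affected() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    old_ifs=$IFS; IFS=.
    set -- $v;     a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $FIXED; b1=$1; b2=$2; b3=$3
    IFS=$old_ifs
    # Compare major, minor, patch numerically, most significant first.
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair##*:}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # identical to the fixed release
}

# Print AFFECTED, FIXED or UNKNOWN for one inventory line.
verdict() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo AFFECTED ;;
        1) echo FIXED ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed sample inventory lines (not real scan output).
for line in "exiv2 0.28.5" "libexiv2 0.27.7-1ubuntu1" "exiv2 0.28.6"; do
    printf '%-28s %s\n' "$line" "$(verdict "$line")"
done

# Check the locally installed command-line tool, if there is one.
if command -v exiv2 >/dev/null 2>&1; then
    verdict "$(exiv2 --version 2>/dev/null | head -n 1)"
fi
```

Distribution packages can carry a backported fix under an older upstream version number, so an AFFECTED result is a prompt to check the vendor's package changelog rather than a final answer.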

Added: Aug 29, 2025, 3:22 PM
Updated: Aug 29, 2025, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.