Bug 243888 (CVE-2006-4168)

Summary: CVE-2006-4168 libexif integer overflow
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: unspecified
CC: mclasen, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: reported=20070612,public=20070613,impact=moderate,source=vendorsec,cwe=CWE-190[auto]
Doc Type: Bug Fix
Last Closed: 2008-01-15 17:01:47 UTC
Bug Depends On: 243890, 243891, 243892, 243893, 243894, 243895, 243896
Attachment: proposed patch from 0.6.16 (Flags: none)

Description Mark J. Cox 2007-06-12 16:02:57 UTC
As pointed out to the libexif team by iDefense, older and current
libexif versions (at least 0.6.13, 0.6.14, 0.6.15) contain an integer
overflow which can result in heap corruption and segfaults or worse. The
detailed advisory will be released by iDefense tomorrow.

The libexif-0.6.16 release fixes the issue. It is available at

Comment 1 Mark J. Cox 2007-06-12 16:02:58 UTC
Created attachment 156803
proposed patch from 0.6.16

Comment 3 Josh Bressers 2007-06-12 20:37:26 UTC
The impact of this flaw is moderate.  After investigating how libexif is used,
there are no applications that will blindly call into it.  Everything requires
some form of user interaction to process the image data via libexif.

Comment 5 Josh Bressers 2007-06-13 13:51:06 UTC
This flaw is now public:

Comment 7 Mark J. Cox 2007-06-22 21:17:39 UTC
This was actually CVE-2006-4168.

Comment 8 Red Hat Product Security 2008-01-15 17:01:47 UTC
This issue was addressed in:

Red Hat Enterprise Linux: