Bug 1840344 (CVE-2020-13112)

Summary: CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ajax, caillon+fedoraproject, gnome-sig, john.j5live, mcatanza, rdieter, rhbugs, rhughes, rstrode, sandmann, thomasj, tpelka, yselkowi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libexif 0.6.22
Doc Type: If docs needed, set a value
Doc Text:
A heap-buffer out-of-bounds read flaw was found in libexif's MakerNote tag parser. This flaw allows an unauthenticated attacker, or an authenticated attacker with low privileges, to exploit the flaw remotely in an application that uses libexif to process EXIF data from media files, if file upload is allowed. An attacker could create a specially crafted image file that, when processed by libexif, would cause the application to crash or potentially expose data from the application's memory. This attack leads to a denial of service or a memory information leak that could assist in further exploitation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-10 11:20:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1840345, 1840948, 1840949, 1840950, 1840951, 1840952, 1840953, 1847075
Bug Blocks: 1840352

Description Guilherme de Almeida Suckevicz 2020-05-26 18:41:59 UTC
An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.

Reference and upstream commit:
https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1

Comment 1 Guilherme de Almeida Suckevicz 2020-05-26 18:42:18 UTC
Created libexif tracking bugs for this issue:

Affects: fedora-all [bug 1840345]

Comment 2 Todd Cullum 2020-05-28 00:09:11 UTC
====Technical Summary====

The libexif library parses an EXIF tag called a MakerNote. According to the EXIF standard[1], a MakerNote tag can hold manufacturer-specific data from camera manufacturers such as Nikon, Olympus, Canon, Panasonic, etc. The vulnerable component for this flaw is in the parsing code for the MakerNotes specific to Canon, Fujifilm, Olympus, and Pentax. More precisely, the parsing code was able to read in MakerNote tag data past the end of the input buffer due to either integer overflow in multiplication, or corrupt MakerNote tags which were too short or too long. The patch (see gsuckevi's comment above) appears to check for integer overflow due to multiplication and also verify that the MakerNote tag being parsed matches the size specified in the entry structure's "components" member, as each tag can have multiple components within it. On the patch commit, Upstream notes that "Likely, this makes both commits 41bd042 and 89e5b1c redundant as it ensures that MakerNote entries are well-formed when they're populated," because those earlier commits addressed the issues on a per-component basis, whereas the patch for this flaw addresses them in the parser and is likely more robust.

In summary, this flaw could be exploited if an attacker edits EXIF data in a media file to include malformed MakerNote tag data, which would cause the libexif MakerNote tag parser to perform an out-of-bounds read, potentially exposing unintended data in the process memory or causing a crash, resulting in denial of service.

1. https://www.exif.org/Exif2-2.PDF
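The two checks the technical summary above attributes to the upstream patch (reject an entry when `components` multiplied by the per-format element size overflows, and reject it when the tag's data would extend past the end of the MakerNote buffer), shown as an added example in C. This is not libexif's code and not part of this bug report: the `ifd_entry_t` layout, `validate_entry()`, `format_size()` and the `sample_makernote` buffer are constructed for illustration; only the format codes follow the TIFF/EXIF specification. The size arithmetic is deliberately done in 32-bit, as a MakerNote parser that stores `components` in a `uint32_t` would, so that the overflow check has something to catch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TIFF/EXIF data-format codes (per the spec) and their per-element sizes.
   The table is part of this example, not libexif's. */
enum { FMT_BYTE = 1, FMT_ASCII = 2, FMT_SHORT = 3, FMT_LONG = 4, FMT_RATIONAL = 5,
       FMT_UNDEFINED = 7, FMT_SLONG = 9, FMT_SRATIONAL = 10 };

static uint32_t format_size(uint16_t fmt) {
    switch (fmt) {
    case FMT_BYTE: case FMT_ASCII: case FMT_UNDEFINED: return 1;
    case FMT_SHORT: return 2;
    case FMT_LONG: case FMT_SLONG: return 4;
    case FMT_RATIONAL: case FMT_SRATIONAL: return 8;
    default: return 0; /* unknown format: the caller must reject the entry */
    }
}

/* One 12-byte IFD entry as found inside a MakerNote (little-endian in this example). */
typedef struct {
    uint16_t tag;
    uint16_t format;
    uint32_t components;
    uint32_t value_or_offset; /* inline value if data fits in 4 bytes, else offset into the buffer */
} ifd_entry_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the entry at entry_off against the buffer holding the MakerNote.
   Returns the byte length of the entry's data, or -1 if the entry is malformed:
   the entry header itself is out of range, the format is unknown,
   components * element size overflows 32 bits, or the data would run past
   the end of the buffer. Only on success is *out filled in. */
long validate_entry(const uint8_t *buf, size_t buf_len, size_t entry_off, ifd_entry_t *out) {
    if (entry_off > buf_len || buf_len - entry_off < 12) return -1;
    const uint8_t *e = buf + entry_off;
    ifd_entry_t en;
    en.tag = rd16le(e);
    en.format = rd16le(e + 2);
    en.components = rd32le(e + 4);
    en.value_or_offset = rd32le(e + 8);

    uint32_t elem = format_size(en.format);
    if (elem == 0) return -1;
    /* Overflow check: without it, a huge component count wraps the 32-bit
       product to a small value that passes every later size comparison. */
    if (en.components > UINT32_MAX / elem) return -1;
    uint32_t data_len = en.components * elem;

    if (data_len > 4) {
        /* Bounds check: data must lie entirely inside the MakerNote buffer. */
        size_t off = en.value_or_offset;
        if (off > buf_len || buf_len - off < data_len) return -1;
    }
    if (out) *out = en;
    return (long)data_len;
}

/* Constructed 64-byte MakerNote holding three entries:
   offset  0: SHORT x4 at offset 32           -> well-formed, 8 bytes of data
   offset 12: LONG  x0x40000001               -> 4 * 0x40000001 wraps to 4 in 32 bits
   offset 24: RATIONAL x8 at offset 16        -> 64 bytes of data, only 48 remain */
static const uint8_t sample_makernote[64] = {
    0x01, 0x00, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x05, 0x00, 0x08, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    /* remaining bytes are zero-filled data area */
};

int main(void) {
    size_t offs[] = { 0, 12, 24, 60 }; /* 60: too close to the end for a 12-byte entry */
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        long r = validate_entry(sample_makernote, sizeof sample_makernote, offs[i], NULL);
        printf("entry at %zu: %s (%ld)\n", offs[i], r < 0 ? "rejected" : "ok", r);
    }
    return 0;
}
```

The second entry is the interesting one: its 32-bit product is 4, which a parser without the overflow check would treat as an inline value and happily copy `components` elements from, far past the buffer. Rejecting the entry at parse time, rather than in each manufacturer's per-tag code, is the point the summary makes about the upstream fix.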

Comment 6 errata-xmlrpc 2020-06-10 09:25:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2474 https://access.redhat.com/errata/RHSA-2020:2474

Comment 7 Product Security DevOps Team 2020-06-10 11:20:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13112

Comment 8 errata-xmlrpc 2020-06-10 23:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2516 https://access.redhat.com/errata/RHSA-2020:2516

Comment 9 errata-xmlrpc 2020-06-15 12:58:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2550 https://access.redhat.com/errata/RHSA-2020:2550

Comment 10 errata-xmlrpc 2020-06-15 13:07:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2549 https://access.redhat.com/errata/RHSA-2020:2549

Comment 12 errata-xmlrpc 2020-06-23 13:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2672 https://access.redhat.com/errata/RHSA-2020:2672