Bug 1840347 (CVE-2020-13113)

Summary: CVE-2020-13113 libexif: use of uninitialized memory in EXIF Makernote handling can lead to crashes and use-after-free
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, caillon+fedoraproject, gnome-sig, john.j5live, rdieter, rhbugs, rhughes, rstrode, sandmann, thomasj, yselkowi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libexif 0.6.22 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:01:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1840348, 1841251, 1841252    
Bug Blocks: 1840352    

Description Guilherme de Almeida Suckevicz 2020-05-26 18:49:47 UTC 
An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions.

Reference and upstream commit:
https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f
Comment 1 Guilherme de Almeida Suckevicz 2020-05-26 18:50:10 UTC 
Created libexif tracking bugs for this issue:

Affects: fedora-all [bug 1840348]
Comment 2 Todd Cullum 2020-05-28 17:22:08 UTC 
Technical Summary:

The libexif library parses an EXIF tag called a MakerNote. According to the EXIF standard[1], a MakerNote tag can hold manufacturer-specific data from camera manufacturers such as Nikon, Olympus, Canon, Panasonic, etc... the vulnerable libexif component parses these MakerNote tags into "entry" structures which can contain multiple "components." There is some code duplication in libexif, related parsing MakerNotes, so the same flaw is seen in 4 separate files: libexif/canon/exif-mnote-data-canon.c, libexif/fuji/exif-mnote-data-fuji.c, libexif/olympus/exif-mnote-data-olympus.c , and  libexif/pentax/exif-mnote-data-pentax.c.

Using the code in exif-mnote-data-canon.c as an example,

MakerNote Entry memory was allocated with n->entries = exif_mem_alloc(ne->mem, sizeof (MnoteCanonEntry) * c) but the entries were not initialized to 0. This could cause the dereference of an uninitialized wild pointer when the entry's data member is accessed later in the program, for example, by the exif_mnote_data_canon_clear() routine, which attempts to free the entries. This could also lead to a use-after-free. The current upstream patch uses memset to zero-initialize entries memory after allocation.

Exploitation of the flaw would require an attacker to provide crafted input within EXIF data and submit it to be parsed by libexif. In cases where libexif parses untrusted files, an attacker may be unauthenticated or have low privileges.
Comment 4 errata-xmlrpc 2020-09-29 20:50:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040
Comment 5 Product Security DevOps Team 2020-09-29 22:01:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13113
Comment 6 errata-xmlrpc 2020-11-04 03:43:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766