Bug 1840347 (CVE-2020-13113)
Summary: | CVE-2020-13113 libexif: use of uninitialized memory in EXIF Makernote handling can lead to crashes and use-after-free | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ajax, caillon+fedoraproject, gnome-sig, john.j5live, rdieter, rhbugs, rhughes, rstrode, sandmann, thomasj, yselkowi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libexif 0.6.22 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-09-29 22:01:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1840348, 1841251, 1841252 | ||
Bug Blocks: | 1840352 |
Description
Guilherme de Almeida Suckevicz
2020-05-26 18:49:47 UTC
Created libexif tracking bugs for this issue: Affects: fedora-all [bug 1840348] Technical Summary: The libexif library parses an EXIF tag called a MakerNote. According to the EXIF standard[1], a MakerNote tag can hold manufacturer-specific data from camera manufacturers such as Nikon, Olympus, Canon, Panasonic, etc... the vulnerable libexif component parses these MakerNote tags into "entry" structures which can contain multiple "components." There is some code duplication in libexif, related parsing MakerNotes, so the same flaw is seen in 4 separate files: libexif/canon/exif-mnote-data-canon.c, libexif/fuji/exif-mnote-data-fuji.c, libexif/olympus/exif-mnote-data-olympus.c , and libexif/pentax/exif-mnote-data-pentax.c. Using the code in exif-mnote-data-canon.c as an example, MakerNote Entry memory was allocated with n->entries = exif_mem_alloc(ne->mem, sizeof (MnoteCanonEntry) * c) but the entries were not initialized to 0. This could cause the dereference of an uninitialized wild pointer when the entry's data member is accessed later in the program, for example, by the exif_mnote_data_canon_clear() routine, which attempts to free the entries. This could also lead to a use-after-free. The current upstream patch uses memset to zero-initialize entries memory after allocation. Exploitation of the flaw would require an attacker to provide crafted input within EXIF data and submit it to be parsed by libexif. In cases where libexif parses untrusted files, an attacker may be unauthenticated or have low privileges. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13113 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766 |