Bug 1840350 (CVE-2020-13114)

Summary: CVE-2020-13114 libexif: unrestricted size in handling Canon EXIF MakerNote data can lead to consumption of large amounts of compute time
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, caillon+fedoraproject, gnome-sig, john.j5live, rdieter, rhbugs, rhughes, rstrode, sandmann, thomasj, yselkowi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libexif 0.6.22 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 22:01:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1840351, 1841276, 1841277    
Bug Blocks: 1840352    

Description Guilherme de Almeida Suckevicz 2020-05-26 18:54:15 UTC 
An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.

Reference and upstream commit:
https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
Comment 1 Guilherme de Almeida Suckevicz 2020-05-26 18:54:32 UTC 
Created libexif tracking bugs for this issue:

Affects: fedora-all [bug 1840351]
Comment 2 Todd Cullum 2020-05-28 18:41:13 UTC 
Technical Summary:

In libexif/canon/exif-mnote-data-canon.c of libexif prior to 0.6.22, it is possible for an attacker to supply a specially crafted file which could cause the creation of extremely large tags, using excessive memory and causing a long loop, which could lead to denial of service. The vulnerable code is in the exif_mnote_data_canon_load() routine. The current patch in 0.6.22 keeps track of the size of tag data by making calls to mnote_canon_entry_count_values() during the loop, and bailing if it gets too large.
Comment 4 errata-xmlrpc 2020-09-29 20:50:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040
Comment 5 Product Security DevOps Team 2020-09-29 22:01:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13114
Comment 6 errata-xmlrpc 2020-11-04 03:43:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766