Bug 1852487 (CVE-2020-0093)
Summary: | CVE-2020-0093 libexif: out of bounds read due to a missing bounds check in exif_data_save_data_entry function in exif-data.c |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Status: | CLOSED ERRATA |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
Hardware: | All |
OS: | Linux |
Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Assignee: | Red Hat Product Security <security-response-team> |
CC: | ajax, caillon+fedoraproject, gnome-sig, john.j5live, rdieter, rhbugs, rhughes, rstrode, sandmann, thomasj, yselkowi |
Keywords: | Security |
Fixed In Version: | libexif 0.6.22 |
Doc Type: | If docs needed, set a value |
Last Closed: | 2020-09-29 22:02:03 UTC |
Bug Depends On: | 1852489, 1853107, 1853108 |
Bug Blocks: | 1852493 |

Description
Guilherme de Almeida Suckevicz
2020-06-30 14:22:07 UTC
Created libexif tracking bugs for this issue:

Affects: fedora-all [bug 1852489]

Technical Summary: In exif_data_save_data_entry(), data is copied using memcpy(), from e->data, using a size computation that relies on the standard format size multiplied by the number of components. In the case where the actual entry size (e->size) was smaller than this computed value, there could be a buffer overread that would leak out-of-bounds data into an EXIF entry. The patch ensures that the length passed to memcpy() cannot exceed the actual entry size.

FYI the upstream patch is identical to the Android fork patch in this case:
https://github.com/libexif/libexif/commit/5ae5973bed1947f4d447dc80b76d5cefadd90133

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-0093

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766
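
The length clamp described in the technical summary, shown on a simplified model as an added example; this is not libexif's code or the upstream patch. `struct entry`, `declared_size` and `save_entry_value` are hypothetical names, and the overflow check, the capacity check and the zero fill of the remainder are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an EXIF entry (not libexif's ExifEntry). */
struct entry {
    unsigned int fmt_size;      /* bytes per component for the entry's format */
    unsigned long components;   /* declared number of components */
    const unsigned char *data;  /* payload, may be NULL */
    unsigned int size;          /* bytes actually present in data */
};

/* Declared value size = format size * components; returns 0 on overflow. */
static int declared_size(const struct entry *e, size_t *out)
{
    if (e->fmt_size && e->components > (size_t)-1 / e->fmt_size)
        return 0;
    *out = (size_t)e->fmt_size * e->components;
    return 1;
}

/* Serialise the value field into dst (capacity cap). Returns the number of
 * bytes read from e->data, or -1 if the declared size is unusable. */
long save_entry_value(const struct entry *e, unsigned char *dst, size_t cap)
{
    size_t s, len;

    if (!declared_size(e, &s) || s > cap)
        return -1;
    /* Unclamped form: memcpy(dst, e->data, s) reads s - e->size bytes past
     * the payload whenever e->size < s. Clamp to what data really holds. */
    len = e->data ? s : 0;
    if (len > e->size)
        len = e->size;
    if (len)
        memcpy(dst, e->data, len);
    memset(dst + len, 0, s - len);  /* assumption: pad the remainder with 0 */
    return (long)len;
}

int main(void)
{
    /* Constructed input: 4-byte payload followed by unrelated bytes. */
    unsigned char backing[] = "ABCDSECRETSECRET";
    unsigned char out[16];
    struct entry e = { 4, 4, backing, 4 };  /* declares 16 bytes, holds 4 */

    printf("bytes read from payload: %ld\n", save_entry_value(&e, out, sizeof out));
    printf("out[4] = 0x%02x (zero fill, not 'S')\n", out[4]);
    return 0;
}
```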