Bug 837956

Summary: libexif security vulnerabilities
Product: [Other] Security Response
Component: vulnerability
Reporter: danf
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: rhughes, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2012-09-06 15:24:56 UTC
Bug Blocks: 839036

Description danf 2012-07-05 22:22:02 UTC
libexif ver. 0.6.20 and earlier suffers from a number of newly-discovered security vulnerabilities. The details will be made public with a new release of libexif that fixes them, which is planned to be the second week of July. 

Very little has changed since version 0.6.20, so the new version should be a drop-in replacement. But, if you're interested in some advance testing, a prerelease version (that does NOT contain the security patches) is available at
http://sourceforge.net/projects/libexif/files/libexif/prerelease/libexif-0.6.21-pre1.tar.gz/download
This prerelease should otherwise be substantially similar to the final release.

I'll update this bug with CVE numbers and more details before the release.

Comment 3 danf 2012-07-09 20:40:40 UTC
These are the CVEs fixed in version 0.6.21 of libexif, which is currently planned for July 10.

CVE-2012-2812: A heap-based out-of-bounds array read in the exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags. Additionally, an off-by-one error in the same function allows remote attackers to possibly execute arbitrary code.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value function in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the exif_data_load_data function in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2837: A divide-by-zero error in the mnote_olympus_entry_get_value function while formatting EXIF maker note tags in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service via an image with crafted EXIF tags.

Comment 4 danf 2012-07-10 16:21:20 UTC
A new CVE has been assigned which splits the off-by-one error mentioned above for CVE-2012-2813 into its own identifier, CVE-2012-2840. A separate issue was also found that has a new identifier, CVE-2012-2841.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags. 

CVE-2012-2841: An integer underflow in the exif_entry_get_value function can cause a heap overflow and potentially arbitrary code execution while formatting an EXIF tag, if the function is called with a buffer size parameter equal to zero or one.

Due to the recent churn, I'm going to hold off on releasing a new version today and aim for tomorrow.
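The following C is an added illustration for this bug's readers, not libexif's code or the upstream fix; it shows the defensive checks the bug classes in Comments 3 and 4 call for: a bounds-checked read of a RATIONAL tag value (the out-of-bounds read class), and a formatter that never divides by a zero denominator (CVE-2012-2837) and settles a buffer length of 0 or 1 before any length arithmetic (CVE-2012-2841). The function names, the big-endian-only reader and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative defensive code written for this note, not libexif's own code.
 * An EXIF RATIONAL is two unsigned 32-bit values, numerator then denominator;
 * real EXIF may be either byte order, big-endian is assumed here for brevity. */

static uint32_t get32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Out-of-bounds read guard: 1 if the 8 bytes at off lie inside buf, else 0.
 * Written as size - off rather than off + 8 so a huge off cannot wrap the sum. */
static int read_rational(const uint8_t *buf, size_t size, size_t off, uint32_t *num, uint32_t *den)
{
    if (buf == NULL || off > size || size - off < 8) return 0;
    *num = get32_be(buf + off);
    *den = get32_be(buf + off + 4);
    return 1;
}

/* Formatter guard for the CVE-2012-2837 / CVE-2012-2841 classes: returns
 * snprintf's length, or -1 when nothing can be written. maxlen 0 and 1 are
 * settled before any "maxlen - 1" arithmetic; a zero denominator is never divided by. */
static int format_rational(char *val, size_t maxlen, uint32_t num, uint32_t den)
{
    if (val == NULL || maxlen == 0) return -1;   /* not even the NUL fits */
    val[0] = '\0';
    if (maxlen == 1) return 0;                   /* room for the NUL only */
    if (den == 0) return snprintf(val, maxlen, "%u/0 (invalid)", num);
    return snprintf(val, maxlen, "%.2f", (double)num / den);
}

/* Constructed sample: big-endian 10/4, then 1/0, then a truncated 4 bytes. */
static const uint8_t sample[] = { 0,0,0,10, 0,0,0,4, 0,0,0,1, 0,0,0,0, 0,0,0,7 };
/* Feeds the sample through both helpers; returns 0 if every case behaved. */
static int self_check(void)
{
    uint32_t n, d; char out[16];
    if (!read_rational(sample, sizeof sample, 0, &n, &d) || n != 10 || d != 4) return 1;
    if (format_rational(out, sizeof out, n, d) != 4 || strcmp(out, "2.50")) return 2;
    if (!read_rational(sample, sizeof sample, 8, &n, &d) || d != 0) return 3;
    if (format_rational(out, sizeof out, n, d) < 0 || strcmp(out, "1/0 (invalid)")) return 4;
    if (read_rational(sample, sizeof sample, 16, &n, &d)) return 5;          /* 4 bytes left */
    if (read_rational(sample, sizeof sample, SIZE_MAX - 3, &n, &d)) return 6; /* off wraps */
    if (format_rational(out, 1, 10, 4) != 0 || out[0] != '\0') return 7;     /* maxlen == 1 */
    return format_rational(out, 0, 10, 4) == -1 ? 0 : 8;                     /* maxlen == 0 */
}
```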

Comment 5 danf 2012-07-12 21:48:56 UTC
libexif and exif 0.6.21 have now been released, and these issues are now in the public domain. Relevant links are available from http://libexif.sf.net/. Version 0.6.21 should be a drop-in replacement for 0.6.20.

One more issue was discovered yesterday that is included in the exif release:

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data in the exif program could cause a data read beyond the end of a buffer, causing an application crash or leakage of potentially sensitive information when parsing a crafted JPEG file.

Comment 6 danf 2012-07-13 15:25:30 UTC
Since the issues are now public, I've just checked in to the libexif-testsuite repository some corrupted images that can be used to help validate several of the vulnerabilities. Note that some of the images require valgrind or a similar memory-checking framework to detect problems, and some (all?) will only show problems on 64-bit architectures.