Bug 837956

Summary: | libexif security vulnerabilities | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | danf
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | rhughes, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-09-06 15:24:56 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 839036 | |
Description

danf
2012-07-05 22:22:02 UTC

These are the CVEs fixed in version 0.6.21 of libexif, which is currently planned for July 10.

CVE-2012-2812: A heap-based out-of-bounds array read in the exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags. Additionally, an off-by-one error in the same function allows remote attackers to possibly execute arbitrary code.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value function in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the exif_data_load_data function in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2837: A divide-by-zero error in the mnote_olympus_entry_get_value function while formatting EXIF maker note tags in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service via an image with crafted EXIF tags.

A new CVE has been assigned which splits the off-by-one error mentioned above for CVE-2012-2813 into its own identifier, CVE-2012-2840. A separate issue was also found that has a new identifier, CVE-2012-2841.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

CVE-2012-2841: An integer underflow in the exif_entry_get_value function can cause a heap overflow and potentially arbitrary code execution while formatting an EXIF tag, if the function is called with a buffer size parameter equal to zero or one.

Due to the recent churn, I'm going to hold off on releasing a new version today and aim for tomorrow.

libexif and exif 0.6.21 have now been released, and these issues are now in the public domain. Relevant links are available from http://libexif.sf.net/. Version 0.6.21 should be a drop-in replacement for 0.6.20.

One more issue was discovered yesterday that is included in the exif release:

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data in the exif program could cause a data read beyond the end of a buffer, causing an application crash or leakage of potentially sensitive information when parsing a crafted JPEG file.

Since the issues are now public, I've just checked in to the libexif-testsuite repository some corrupted images that can be used to help validate several of the vulnerabilities. Note that some of the images require valgrind or a similar memory-checking framework to detect problems, and some (all?) will only show problems on 64-bit architectures.

Closing this as there are separate bugs for each CVE:

CVE-2012-2812 - bug #839203
CVE-2012-2813 - bug #839182
CVE-2012-2814 - bug #839183
CVE-2012-2836 - bug #839184
CVE-2012-2837 - bug #839185
CVE-2012-2840 - bug #839188
CVE-2012-2841 - bug #839189
CVE-2012-2845 - bug #840002
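The CVE-2012-2841 entry above describes an unsigned-size underflow that is reached when a tag-formatting routine is handed a buffer of size zero or one. The C below is an added illustration of that bug class and of the check that closes it; it is not libexif's code, and the function names, the constructed tag value and the exact arithmetic are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration (not libexif's code): a formatter copies a tag's
 * text into a caller-supplied buffer of maxlen bytes and keeps one byte
 * for the terminating NUL. SAMPLE_VALUE is a constructed tag value. */
static const char SAMPLE_VALUE[] = "Canon PowerShot";

/* Vulnerable pattern: the writable room is computed as maxlen - 1 with
 * unsigned arithmetic. For maxlen == 0 this wraps to SIZE_MAX, so a later
 * "if (n > room) n = room;" clamp never fires and the copy runs past the
 * buffer. Only the bound computation is modelled; no copy is performed. */
size_t room_unsafe(size_t maxlen) {
    return maxlen - 1;                 /* wraps to SIZE_MAX when maxlen == 0 */
}

/* Hardened formatter: handle the zero- and one-byte cases explicitly before
 * any subtraction, so "maxlen - 1" is only computed when maxlen >= 2.
 * Returns the number of characters written, excluding the NUL. */
size_t format_value_safe(char *out, size_t maxlen) {
    if (maxlen == 0) return 0;                     /* cannot even write the NUL */
    if (maxlen == 1) { out[0] = '\0'; return 0; }  /* only room for the NUL */
    size_t room = maxlen - 1;                      /* provably >= 1, no wrap */
    size_t n = strlen(SAMPLE_VALUE);
    if (n > room) n = room;                        /* truncate to fit */
    memcpy(out, SAMPLE_VALUE, n);
    out[n] = '\0';
    return n;
}

/* Check helper: format into a poisoned 32-byte stack buffer pretending it
 * is maxlen bytes long (1 <= maxlen <= 32) and compare with `expected`. */
int safe_formats_as(size_t maxlen, const char *expected) {
    char buf[32];
    if (maxlen == 0 || maxlen > sizeof buf) return 0;
    memset(buf, 'X', sizeof buf);      /* an unterminated result would show up */
    format_value_safe(buf, maxlen);
    return strcmp(buf, expected) == 0;
}

/* Check helper for the zero-length case: the safe formatter must leave a
 * poisoned one-byte buffer untouched when told its size is 0. */
int safe_leaves_zero_buffer_alone(void) {
    char b[1] = { 'X' };
    return format_value_safe(b, 0) == 0 && b[0] == 'X';
}
```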