In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. References: https://source.android.com/security/bulletin/pixel/2020-06-01 https://android.googlesource.com/platform/external/libexif/+/f6c54954cbfc25eb73d2d2902f0597c0220174a4
Created libexif tracking bugs for this issue: Affects: fedora-all [bug 1847132]
Technical Summary: There are several integer overflow possibilities in the size calculations performed on the thumbnail size, thumbnail offset, and/or data buffer size in the exif_data_load_data_thumbnail() function of libexif/exif-data.c. A crafted input file could trigger a memset on invalid memory and cause an out-of-bounds write, leading to denial of service. The routine does check for integer overflow conditions, but it does so in an ineffective way, as the checks themselves could be bypassed with integer overflows. The code patch uses containers which are twice the size of the variables under test to validate the appropriate size calculations and perform the checks.
Note: There's a different patch upstream here from the Android one: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c . The one listed by gsuckevi was only applied to the Android fork. This patch uses similar semantics to other integer overflow checks patched upstream. There is not yet a fixed-in version released but will likely be 0.6.23.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-0181
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766