Bug 240055 - (CVE-2007-2645) Integer overflow in libexif
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority/Severity: medium / medium
Assigned To: Red Hat Product Security
URL: http://www.frsirt.com/english/advisor...
Whiteboard: source=gentoo,reported=20070511,publi...
Keywords: Security
Reported: 2007-05-14 13:56 EDT by Lubomir Kundrak
Modified: 2008-01-15 12:11 EST
Last Closed: 2008-01-15 12:11:29 EST
Attachments:
  - Reproducer for libexif integer overflow (9.83 KB, application/binary), 2007-05-14 14:05 EDT, Lubomir Kundrak
  - Fix for libexif integer overflow (662 bytes, patch), 2007-05-14 14:38 EDT, Lubomir Kundrak
  - Minimal testcase, currently segfaults (5.57 KB, application/x-gzip), 2007-05-24 11:46 EDT, Josh Bressers
Description Lubomir Kundrak 2007-05-14 13:56:50 EDT
Description of problem:

Victor Stinner identified an integer overflow that might result in a
buffer overflow in libexif/exif-data.c:exif_data_load_data_entry().

Additional info:

http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272
http://sourceforge.net/project/shownotes.php?release_id=507447

The commit message states that other similar issues have been solved.
Comment 1 Lubomir Kundrak 2007-05-14 14:00:25 EDT
The problem results in a possible overflow in a memcpy() call, so it should be caught
by _FORTIFY_SOURCE=2, mitigating the possible arbitrary code execution
to just a crash.
Comment 2 Lubomir Kundrak 2007-05-14 14:05:09 EDT
Created attachment 154677 [details]
Reproducer for libexif integer overflow

I was unable to reproduce it with this on both 32- and 64-bit systems with
gimp, gphoto2 and nautilus.
Comment 3 Lubomir Kundrak 2007-05-14 14:08:49 EDT
# repoquery --whatrequires --alldeps libexif
gphoto2-0:2.2.0-2.1.i386
tracker-0:0.5.4-5.fc6.x86_64
libexif-0:0.6.13-2.x86_64
nautilus-0:2.16.2-7.fc6.x86_64
xsane-gimp-0:0.994-2.fc6.x86_64
fbida-0:2.06-3.fc6.x86_64
libkexif-0:0.2.4-3.fc6.x86_64
gnome-screensaver-0:2.16.1-4.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.x86_64
gimp-2:2.2.13-1.fc6.x86_64
Thunar-0:0.8.0-1.fc6.x86_64
showimg-0:0.9.5-12.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.i386
nautilus-0:2.16.0-5.fc6.x86_64
ufraw-gimp-0:0.11-3.fc6.x86_64
ufraw-0:0.11-3.fc6.x86_64
gimp-2:2.2.14-5.fc6.x86_64
gnome-commander-0:1.2.3-5.fc6.x86_64
eog-0:2.16.3-1.fc6.x86_64
libexif-0:0.6.13-2.i386
gphoto2-0:2.2.0-2.1.x86_64
libexif-devel-0:0.6.13-2.x86_64
gthumb-0:2.7.8-3.fc6.x86_64
eog-0:2.16.0.1-2.fc6.x86_64
libexif-devel-0:0.6.13-2.i386
koffice-krita-0:1.6.2-3.fc6.1.x86_64
tracker-0:0.5.4-4.fc6.x86_64
xsane-0:0.994-2.fc6.x86_64
gnome-screensaver-0:2.16.0-7.fc6.x86_64
#
Comment 4 Lubomir Kundrak 2007-05-14 14:29:47 EDT
No other similar issues were found and fixed in the release, according to the output
of cvs diff -D20070510 -rlibexif-0_6_14-release
Comment 5 Lubomir Kundrak 2007-05-14 14:38:03 EDT
Created attachment 154678 [details]
Fix for libexif integer overflow

Extracted from upstream CVS.
Applies against FC-5, FC-6, RHEL-4, RHEL-5
Comment 6 Josh Bressers 2007-05-24 11:46:17 EDT
Created attachment 155358 [details]
Minimal testcase, currently segfaults
Comment 7 Josh Bressers 2007-05-24 13:33:39 EDT
This flaw will not be caught by _FORTIFY_SOURCE=2. See this message:
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

This usage of memcpy is as such:
/* 4) Not known if correct, not checkable at runtime.
      The compiler doesn't know the buffer size, no checking
      is done.  Overflows will go undetected in these cases.  */

This flaw is not exploitable to be anything other than a crash.  The problem is
that the code executes this line:

    memcpy (entry->data, d + doff, s);

As we can see from gdb:
    (gdb) print entry->data
    $8 = (unsigned char *) 0x8eca498 ""
    (gdb) print d
    $9 = (const unsigned char *) 0x8eca1c6 "MM"
    (gdb) print doff
    $10 = 4294901874
    (gdb) print s
    $11 = 65535
    (gdb) print d+doff
    $12 = (const unsigned char *) 0x8eba238 <Address 0x8eba238 out of bounds>

d+doff is an OOB memory address, which means this bug crashes due to a bad read,
which cannot be exploited.
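The values in the gdb session above (doff = 4294901874, s = 65535) show why a plain "offset + length <= buffer size" check would not have stopped this memcpy: in 32-bit unsigned arithmetic the sum wraps to 113. The following C program is an added illustration written for this page; it is not libexif code and not the patch in attachment 154678. It reimplements only the bounds-check logic, with an assumed buffer size of 10000 bytes standing in for the real IFD buffer, and contrasts a wrap-prone check with one that tests each operand separately.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the gdb output in comment 7. */
#define DOFF_FROM_GDB 4294901874u   /* 0xFFFF0072, computed IFD entry offset */
#define S_FROM_GDB    65535u        /* 0xFFFF, entry byte length */

/* Assumption for this example: size of the buffer d points into. */
#define ASSUMED_BUF_SIZE 10000u

/* The 32-bit wrapped value a naive check would actually compare. */
uint32_t wrapped_sum(uint32_t doff, uint32_t s)
{
    return (uint32_t)(doff + s);
}

/*
 * Naive check: "does the entry end inside the buffer?"
 * doff + s is evaluated in 32-bit unsigned arithmetic and wraps,
 * so a huge offset can pass. Returns 1 if the copy would be allowed.
 */
int naive_check_allows(uint32_t doff, uint32_t s, uint32_t size)
{
    return wrapped_sum(doff, s) <= size;
}

/*
 * Overflow-safe check: compare each operand against the buffer size
 * before combining them, so no intermediate sum can wrap.
 */
int safe_check_allows(uint32_t doff, uint32_t s, uint32_t size)
{
    if (doff > size)          /* offset alone is already past the end */
        return 0;
    if (s > size - doff)      /* length runs past the end; cannot wrap */
        return 0;
    return 1;
}

int main(void)
{
    uint32_t doff = DOFF_FROM_GDB, s = S_FROM_GDB, size = ASSUMED_BUF_SIZE;

    printf("doff=%u s=%u size=%u\n", doff, s, size);
    printf("doff + s (32-bit) = %u\n", wrapped_sum(doff, s));
    printf("naive check allows memcpy: %d\n", naive_check_allows(doff, s, size));
    printf("safe  check allows memcpy: %d\n", safe_check_allows(doff, s, size));
    return 0;
}
```

The safe variant is the usual pattern for offset/length pairs read from a file: never form `offset + length` before confirming `offset <= size`, then compare `length` against the remaining room `size - offset`. This is also why the _FORTIFY_SOURCE message quoted above applies here: the destination `entry->data` is heap memory whose size the compiler cannot see at the memcpy call, so no fortified bound is emitted, and the source pointer `d + doff` is not something _FORTIFY_SOURCE checks at all.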
Comment 8 Tomas Hoger 2008-01-15 12:11:29 EST
NVD statement for this issue has been published:

  Red Hat does not consider this flaw to have security consequences.

Fedora packages were updated to the fixed upstream version, which among other fixes
introduced a fix for this issue:

  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0003