Bug 837956 - libexif security vulnerabilities
libexif security vulnerabilities
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 839036
  Show dependency treegraph
 
Reported: 2012-07-05 18:22 EDT by danf
Modified: 2012-09-06 11:24 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-06 11:24:56 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description danf 2012-07-05 18:22:02 EDT
libexif ver. 0.6.20 and earlier suffers from a number of newly-discovered security vulnerabilities. The details will be made public with a new release of libexif that fixes them, which is planned to be the second week of July. 

Very little has changed since version 0.6.20, so the new version should be a drop-in replacement. But, if you're interested in some advance testing, a prerelease version (that does NOT contain the security patches) is available at
http://sourceforge.net/projects/libexif/files/libexif/prerelease/libexif-0.6.21-pre1.tar.gz/download  This prerelease should otherwise be substantially similar to the final release.

I'll update this bug with CVE numbers and more details before the release.
Comment 3 danf 2012-07-09 16:40:40 EDT
These are the CVEs fixed in version 0.6.21 of libexif, which is currently planned for July 10.

CVE-2012-2812: A heap-based out-of-bounds array read in the exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags. Additionally, an off-by-one error in the same function allows remote attackers to possibly execute arbitrary code.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value function in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the exif_data_load_data function in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

CVE-2012-2837: A divide-by-zero error in the mnote_olympus_entry_get_value function while formatting EXIF maker note tags in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service via an image with crafted EXIF tags.
Comment 4 danf 2012-07-10 12:21:20 EDT
A new CVE has been assigned which splits the off-by-one error mentioned above for CVE-2012-2813 into its own identifier, CVE-2012-2840. A separate issue was also found that has a new identifier, CVE-2012-2841.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags. 

CVE-2012-2841: An integer underflow in the exif_entry_get_value function can cause a heap overflow and potentially arbitrary code execution while formatting an EXIF tag, if the function is called with a buffer size parameter equal to zero or one.

Due to the recent churn, I'm going to hold off on releasing a new version today and aim for tomorrow.
Comment 5 danf 2012-07-12 17:48:56 EDT
libexif and exif 0.6.21 has now been released, and these issues are now in the public domain. Relevant links are available from http://libexif.sf.net/ Version 0.6.21 should be a drop-in replacement for 0.6.20.

One more issue was discovered yesterday that is included in the exif release:

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data
in the exif program could cause a data read beyond the end of a buffer,
causing an application crash or leakage of potentially sensitive
information when parsing a crafted JPEG file.
Comment 6 danf 2012-07-13 11:25:30 EDT
Since the issues are now public, I've just checked in to the libexif-testsuite repository some corrupted images that can be used to help validate several of the vulnerabilities. Note that some of the images require valgrind or similar memory checking framework to detect problems, and some (all?) will only show problems on 64-bit architectures.

Note You need to log in before you can comment on or make changes to this bug.