Bug 240055 (CVE-2007-2645) - CVE-2007-2645 Integer overflow in libexif
Summary: CVE-2007-2645 Integer overflow in libexif
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-2645
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.frsirt.com/english/advisor...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-05-14 17:56 UTC by Lubomir Kundrak
Modified: 2021-11-12 19:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-15 17:11:29 UTC
Embargoed:


Attachments
Reproducer for libexif integer overflow (9.83 KB, application/binary)
2007-05-14 18:05 UTC, Lubomir Kundrak
Fix for libexif integer overflow (662 bytes, patch)
2007-05-14 18:38 UTC, Lubomir Kundrak
Minimal testcase, currently segfaults (5.57 KB, application/x-gzip)
2007-05-24 15:46 UTC, Josh Bressers

Description Lubomir Kundrak 2007-05-14 17:56:50 UTC
Description of problem:

Victor Stinner identified an integer overflow that might result in a
buffer overflow in libexif/exif-data.c:exif_data_load_data_entry().

Additional info:

http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272
http://sourceforge.net/project/shownotes.php?release_id=507447

The commit message states that other similar issues had been solved.

Comment 1 Lubomir Kundrak 2007-05-14 18:00:25 UTC
The problem results in possible overflow in memcpy() call, so should be caught
by _FORTIFY_SOURCE=2, therefore mitigating the possible arbitrary code execution
to just a crash.

Comment 2 Lubomir Kundrak 2007-05-14 18:05:09 UTC
Created attachment 154677 [details]
Reproducer for libexif integer overflow

I was unable to reproduce it with this on both 32 and 64 bit systems with
gimp, gphoto2 and nautilus.

Comment 3 Lubomir Kundrak 2007-05-14 18:08:49 UTC
# repoquery --whatrequires --alldeps libexif
gphoto2-0:2.2.0-2.1.i386
tracker-0:0.5.4-5.fc6.x86_64
libexif-0:0.6.13-2.x86_64
nautilus-0:2.16.2-7.fc6.x86_64
xsane-gimp-0:0.994-2.fc6.x86_64
fbida-0:2.06-3.fc6.x86_64
libkexif-0:0.2.4-3.fc6.x86_64
gnome-screensaver-0:2.16.1-4.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.x86_64
gimp-2:2.2.13-1.fc6.x86_64
Thunar-0:0.8.0-1.fc6.x86_64
showimg-0:0.9.5-12.fc6.x86_64
gphoto2-0:2.3.1-3.fc6.i386
nautilus-0:2.16.0-5.fc6.x86_64
ufraw-gimp-0:0.11-3.fc6.x86_64
ufraw-0:0.11-3.fc6.x86_64
gimp-2:2.2.14-5.fc6.x86_64
gnome-commander-0:1.2.3-5.fc6.x86_64
eog-0:2.16.3-1.fc6.x86_64
libexif-0:0.6.13-2.i386
gphoto2-0:2.2.0-2.1.x86_64
libexif-devel-0:0.6.13-2.x86_64
gthumb-0:2.7.8-3.fc6.x86_64
eog-0:2.16.0.1-2.fc6.x86_64
libexif-devel-0:0.6.13-2.i386
koffice-krita-0:1.6.2-3.fc6.1.x86_64
tracker-0:0.5.4-4.fc6.x86_64
xsane-0:0.994-2.fc6.x86_64
gnome-screensaver-0:2.16.0-7.fc6.x86_64
#

Comment 4 Lubomir Kundrak 2007-05-14 18:29:47 UTC
No other similar issues were found and fixed in the release, according to output
of cvs diff -D20070510 -rlibexif-0_6_14-release

Comment 5 Lubomir Kundrak 2007-05-14 18:38:03 UTC
Created attachment 154678 [details]
Fix for libexif integer overflow

Extracted from upstream CVS.
Applies against FC-5, FC-6, RHEL-4, RHEL-5

Comment 6 Josh Bressers 2007-05-24 15:46:17 UTC
Created attachment 155358 [details]
Minimal testcase, currently segfaults

Comment 7 Josh Bressers 2007-05-24 17:33:39 UTC
This flaw will not be caught by _FORTIFY_SOURCE=2. See this message:
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

This usage of memcpy is as such:
/* 4) Not known if correct, not checkable at runtime.
      The compiler doesn't know the buffer size, no checking
      is done.  Overflows will go undetected in these cases.  */

This flaw is not exploitable to be anything other than a crash.  The problem is
that the code executes this line:

    memcpy (entry->data, d + doff, s);

As we can see from gdb:
    (gdb) print entry->data
    $8 = (unsigned char *) 0x8eca498 ""
    (gdb) print d
    $9 = (const unsigned char *) 0x8eca1c6 "MM"
    (gdb) print doff
    $10 = 4294901874
    (gdb) print s
    $11 = 65535
    (gdb) print d+doff
    $12 = (const unsigned char *) 0x8eba238 <Address 0x8eba238 out of bounds>

d+doff is an OOB memory address, which means this bug crashes due to a bad read,
which cannot be exploited.
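
The arithmetic behind the gdb values in comment 7, written out as an added example. This is not libexif's code and not the attached patch: the function names, the constructed 16-byte buffer and the assumed buffer size of 1000 bytes are inventions for this example, while the names doff, s and d and the values 4294901874 and 65535 come from the comment above. It shows why a check of the form `size < doff + s` passes when the 32-bit sum wraps, and a form of the check that cannot wrap.

```c
/* Added example (not libexif's code, not the attached fix): shows how a
 * bounds check in an EXIF-style entry loader is defeated by 32-bit
 * wrap-around, and an overflow-safe form of the same check.  Names doff
 * (data offset), s (data size), d (start of buffer) and size follow the
 * gdb session in comment 7; the functions, the constructed buffer and the
 * assumed size value are assumptions made for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Naive check, "size < doff + s", in 32-bit unsigned arithmetic.
 * If doff + s exceeds 2^32 the sum wraps to a small number and the check
 * passes even though doff alone lies far past the end of the buffer. */
bool entry_fits_naive(uint32_t doff, uint32_t s, uint32_t size)
{
    return !(size < doff + s);
}

/* Overflow-safe check: never forms doff + s.  An entry fits only if its
 * size fits in the buffer at all and its offset leaves room for it. */
bool entry_fits_safe(uint32_t doff, uint32_t s, uint32_t size)
{
    return s <= size && doff <= size - s;
}

/* The wrapped sum itself, so the arithmetic can be inspected. */
uint32_t wrapped_sum(uint32_t doff, uint32_t s)
{
    return doff + s;
}

/* Copy entry data out of a buffer after the safe check.  Returns the number
 * of bytes copied, or -1 if the entry was rejected; the memcpy is only
 * reached when d + doff .. d + doff + s lies inside d[0 .. size). */
int load_entry_data(const unsigned char *d, uint32_t size,
                    uint32_t doff, uint32_t s,
                    unsigned char *out, uint32_t out_cap)
{
    if (!entry_fits_safe(doff, s, size) || s > out_cap)
        return -1;
    memcpy(out, d + doff, s);
    return (int)s;
}

/* Constructed sample buffer (not a real EXIF file): a 4-byte payload at
 * offset 8 behind an 8-byte header. */
static const unsigned char sample_buf[16] = {
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08,
    0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    /* Values from the gdb session on this page; size is assumed. */
    const uint32_t doff = 4294901874u;   /* 0xFFFF0072 */
    const uint32_t s    = 65535u;        /* 0xFFFF */
    const uint32_t size = 1000u;

    printf("doff + s wraps to %u\n", wrapped_sum(doff, s));
    printf("naive check accepts entry: %s\n",
           entry_fits_naive(doff, s, size) ? "yes" : "no");
    printf("safe check accepts entry:  %s\n",
           entry_fits_safe(doff, s, size) ? "yes" : "no");

    unsigned char out[16];
    int n = load_entry_data(sample_buf, sizeof sample_buf, 8, 4, out, sizeof out);
    printf("in-bounds entry copied %d bytes\n", n);
    n = load_entry_data(sample_buf, sizeof sample_buf, doff, s, out, sizeof out);
    printf("overflowing entry returned %d\n", n);
    return 0;
}
```

With the page's values, doff + s is 0xFFFF0072 + 0xFFFF = 0x100000071, which truncates to 113 in 32 bits, so any buffer of at least 113 bytes satisfies the naive check and the memcpy reads from d + doff, the out-of-bounds address gdb reports. The safe form rejects the entry because s alone exceeds the buffer. Rearranging the comparison so that no addition is performed is the general defence for offset-plus-length checks on untrusted input, independent of which library does the parsing.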


Comment 8 Tomas Hoger 2008-01-15 17:11:29 UTC
NVD statement for this issue has been published:

  Red Hat does not consider this flaw to have security consequences.

Fedora packages were updated to the fixed upstream version, which among other fixes
introduced a fix for this issue:

  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0003

