In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. References: https://source.android.com/security/bulletin/2020-05-01 https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6
Created libexif tracking bugs for this issue: Affects: fedora-all [bug 1852489]
Technical Summary: In exif_data_save_data_entry(), data is copied using memcpy(), from e->data, using a size computation that relies on the standard format size multiplied by the number of components. In the case where the actual entry size (e->size) was smaller than this computed value, there could be a buffer overread that would leak out-of-bounds data into an EXIF entry. The patch ensures that the length passed to memcpy() cannot exceed the actual entry size.
FYI the upstream patch is identical to the Android fork patch in this case: https://github.com/libexif/libexif/commit/5ae5973bed1947f4d447dc80b76d5cefadd90133 .
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-0093
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766