Bug 1840344 (CVE-2020-13112) - CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS
Summary: CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1840345 1840948 1840949 1840950 1840951 1840952 1840953 1847075
Blocks: 1840352
TreeView+ depends on / blocked
 
Reported: 2020-05-26 18:41 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-08-04 12:27 UTC (History)
13 users (show)

Fixed In Version: libexif 0.6.22
Doc Type: If docs needed, set a value
Doc Text:
A heap-buffer out-of-bounds read flaw was found in libexif's MakerNote tag parser. This flaw allows an unauthenticated attacker or authenticated attacker with low privileges to exploit the flaw remotely in an application that uses libexif to process EXIF data from media files if the file upload is allowed. An attacker could create a specially crafted image file that, when processed by libexif, would cause the application to crash or, potentially expose data from the application's memory. This attack leads to a denial of service or a memory information leak that could assist in further exploitation.
Clone Of:
Environment:
Last Closed: 2020-06-10 11:20:36 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2474 0 None None None 2020-06-10 09:25:57 UTC
Red Hat Product Errata RHSA-2020:2516 0 None None None 2020-06-10 23:15:11 UTC
Red Hat Product Errata RHSA-2020:2549 0 None None None 2020-06-15 13:07:25 UTC
Red Hat Product Errata RHSA-2020:2550 0 None None None 2020-06-15 12:58:54 UTC
Red Hat Product Errata RHSA-2020:2672 0 None None None 2020-06-23 13:07:16 UTC

Description Guilherme de Almeida Suckevicz 2020-05-26 18:41:59 UTC 
An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.

Reference and upstream commit:
https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1
Comment 1 Guilherme de Almeida Suckevicz 2020-05-26 18:42:18 UTC 
Created libexif tracking bugs for this issue:

Affects: fedora-all [bug 1840345]
Comment 2 Todd Cullum 2020-05-28 00:09:11 UTC 
====Technical Summary====

The libexif library parses an EXIF tag called a MakerNote. According to the EXIF standard[1], a MakerNote tag can hold manufacturer-specific data from camera manufacturers such as Nikon, Olympus, Canon, Panasonic, etc... The vulnerable component for this flaw is in the parsing code for the MakerNotes specific to Canon, Fujifilm, Olympus, and Pentax. More precisely, the parsing code was able to read in MakerNote tag data past the end of the input buffer due to either integer overflow in multiplication, or corrupt MakerNote tags which were too short or too long. The patch (see gsuckevi's comment above) appears to check for integer overflow due to multiplication and also verify that the MakerNote tag being parsed matches the size specified in the entry structure's "components" member, as each tag can have multiple components within it. On the patch commit, Upstream notes that "Likely, this makes both commits 41bd042 and 89e5b1c redundant as it ensures that MakerNote entries are well-formed when they're populated," because those earlier commits addressed the issues on a per-component basis, whereas the patch for this flaw addresses them in the parser and is likely more robust.

In summary, this flaw could be exploited if an attacker edits EXIF data in a media file to include malformed MakerNote tag data, which would cause the libexif MakerNote tag parser to perform and out-of-bounds read, potentially exposing unintended data in the process memory or causing a crash, resulting in denial of service.

1. https://www.exif.org/Exif2-2.PDF
Comment 6 errata-xmlrpc 2020-06-10 09:25:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2474 https://access.redhat.com/errata/RHSA-2020:2474
Comment 7 Product Security DevOps Team 2020-06-10 11:20:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13112
Comment 8 errata-xmlrpc 2020-06-10 23:15:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2516 https://access.redhat.com/errata/RHSA-2020:2516
Comment 9 errata-xmlrpc 2020-06-15 12:58:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2550 https://access.redhat.com/errata/RHSA-2020:2550
Comment 10 errata-xmlrpc 2020-06-15 13:07:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2549 https://access.redhat.com/errata/RHSA-2020:2549
Comment 12 errata-xmlrpc 2020-06-23 13:07:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2672 https://access.redhat.com/errata/RHSA-2020:2672
Note You need to log in before you can comment on or make changes to this bug.