An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions. Reference and upstream commit: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f
Created libexif tracking bugs for this issue: Affects: fedora-all [bug 1840348]
Technical Summary: The libexif library parses an EXIF tag called a MakerNote. According to the EXIF standard[1], a MakerNote tag can hold manufacturer-specific data from camera manufacturers such as Nikon, Olympus, Canon, Panasonic, etc. The vulnerable libexif component parses these MakerNote tags into "entry" structures which can contain multiple "components."

There is some code duplication in libexif related to parsing MakerNotes, so the same flaw is seen in 4 separate files: libexif/canon/exif-mnote-data-canon.c, libexif/fuji/exif-mnote-data-fuji.c, libexif/olympus/exif-mnote-data-olympus.c, and libexif/pentax/exif-mnote-data-pentax.c.

Using the code in exif-mnote-data-canon.c as an example, MakerNote Entry memory was allocated with n->entries = exif_mem_alloc(ne->mem, sizeof (MnoteCanonEntry) * c) but the entries were not initialized to 0. This could cause the dereference of an uninitialized wild pointer when the entry's data member is accessed later in the program, for example, by the exif_mnote_data_canon_clear() routine, which attempts to free the entries. This could also lead to a use-after-free. The current upstream patch uses memset to zero-initialize entries memory after allocation.

Exploitation of the flaw would require an attacker to provide crafted input within EXIF data and submit it to be parsed by libexif. In cases where libexif parses untrusted files, an attacker may be unauthenticated or have low privileges.
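The pattern described above, as an added stand-alone C illustration (constructed example, not libexif's own code): a simplified entry array, the zero-fill the upstream patch introduced, a truncated parse that never reaches the trailing entries, and a clear routine that frees every entry's data pointer. The struct and function names (MnoteEntry, MnoteData, mnote_load, mnote_clear, demo_truncated_parse) and the input layout are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for libexif's MakerNote structs (constructed example,
 * not libexif's own code). data must be NULL until a payload is attached. */
typedef struct { unsigned int tag, size; unsigned char *data; } MnoteEntry;
typedef struct { MnoteEntry *entries; unsigned int count; } MnoteData;

/* Parse up to c entries laid out as [tag][size][size payload bytes].
 * Returns 0 on success, 1 if the buffer is truncated, -1 on alloc failure.
 * Entries never reached keep their initial contents, so the zero-fill
 * right after allocation decides whether they are safe to clear later. */
static int mnote_load(MnoteData *n, const unsigned char *buf,
                      unsigned int len, unsigned int c)
{
    n->entries = malloc(sizeof(MnoteEntry) * c);
    if (!n->entries) return -1;
    /* Vulnerable form: no memset here, so unreached entries hold whatever
     * malloc returned and mnote_clear() later frees a wild pointer.
     * Fixed form (what the upstream patch does): zero the whole block. */
    memset(n->entries, 0, sizeof(MnoteEntry) * c);
    n->count = c;
    for (unsigned int i = 0, off = 0; i < c; i++) {
        if (off + 2 > len) return 1;
        n->entries[i].tag  = buf[off];
        n->entries[i].size = buf[off + 1];
        off += 2;
        if (off + n->entries[i].size > len) return 1;
        n->entries[i].data = malloc(n->entries[i].size + 1); /* +1: no malloc(0) */
        if (!n->entries[i].data) return -1;
        memcpy(n->entries[i].data, buf + off, n->entries[i].size);
        off += n->entries[i].size;
    }
    return 0;
}

/* Mirrors exif_mnote_data_*_clear(): only safe when every data pointer is
 * NULL or a live allocation. free(NULL) is a no-op. */
static void mnote_clear(MnoteData *n)
{
    if (!n->entries) return;
    for (unsigned int i = 0; i < n->count; i++) free(n->entries[i].data);
    free(n->entries);
    n->entries = NULL; n->count = 0;
}

/* Constructed input: entry 0 is complete, entry 1 claims 3 payload bytes but
 * only 1 remains, entries 2 and 3 are never reached. Returns the number of
 * entries that received a payload, or -1 if truncation was not reported. */
static int demo_truncated_parse(void)
{
    const unsigned char buf[] = { 0x01, 0x02, 0xAA, 0xBB, 0x02, 0x03, 0x01 };
    MnoteData n = { NULL, 0 };
    int rc = mnote_load(&n, buf, sizeof buf, 4), loaded = 0;
    for (unsigned int i = 0; i < n.count; i++) if (n.entries[i].data) loaded++;
    mnote_clear(&n);             /* must neither crash nor free garbage */
    return rc == 1 ? loaded : -1;
}
```

Without the memset, entries 1 through 3 in the truncated case would carry whatever the allocator left behind, which is the wild-pointer free the summary describes.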
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13113
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766