An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data. Reference and upstream commit: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
Created libexif tracking bugs for this issue: Affects: fedora-all [bug 1840351]
Technical Summary: In libexif/canon/exif-mnote-data-canon.c of libexif prior to 0.6.22, it is possible for an attacker to supply a specially crafted file which could cause the creation of extremely large tags, using excessive memory and causing a long loop, which could lead to denial of service. The vulnerable code is in the exif_mnote_data_canon_load() routine. The current patch in 0.6.22 keeps track of the size of tag data by making calls to mnote_canon_entry_count_values() during the loop, and bailing if it gets too large.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4040 https://access.redhat.com/errata/RHSA-2020:4040
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13114
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4766 https://access.redhat.com/errata/RHSA-2020:4766