libexif 0.6.21 and exif 0.6.21 were released to fix various overflows and related issues.

Bug #1024213 reported by Karma Dorje
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libexif (Ubuntu)
Undecided
Unassigned
libexif (openSUSE)
Fix Released
High

Bug Description

libexif project security advisory
July 12, 2012

PROBLEM DESCRIPTION

A number of remotely exploitable issues were discovered in libexif
and exif, with effects ranging from information leakage to potential
remote code execution. The issues are:

CVE-2012-2812: A heap-based out-of-bounds array read in the
exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20
and earlier allows remote attackers to cause a denial of service or
possibly obtain potentially sensitive information from process memory
via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the
exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif
0.6.20 and earlier allows remote attackers to cause a denial of service
or possibly obtain potentially sensitive information from process
memory via an image with crafted EXIF tags.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value function
in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via an
image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the
exif_data_load_data function in libexif 0.6.20 and earlier allows remote
attackers to cause a denial of service or possibly obtain potentially
sensitive information from process memory via an image with crafted
EXIF tags.

CVE-2012-2837: A divide-by-zero error in the
mnote_olympus_entry_get_value function while formatting EXIF maker note
tags in libexif 0.6.20 and earlier allows remote attackers to cause a
denial of service via an image with crafted EXIF tags.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly execute
arbitrary code via an image with crafted EXIF tags.

CVE-2012-2841: An integer underflow in the exif_entry_get_value function
can cause a heap overflow and potentially arbitrary code execution while
formatting an EXIF tag, if the function is called with a buffer size
parameter equal to zero or one.

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data
in the exif program could cause a data read beyond the end of a buffer,
causing an application crash or leakage of potentially sensitive
information when parsing a crafted JPEG file.

There are no known public exploits of these issues.

AFFECTED VERSIONS

All of the described vulnerabilities affect libexif
version 0.6.20, and most affect earlier versions as well.

SOLUTION

Upgrade to version 0.6.21 which is not vulnerable to
these issues.

CHECKSUMS

Here are the MD5 sums of the released files:

0e744471b8c3b3b1534d5af38bbf6408 exif-0.6.21.tar.bz2
78b9f501fc19c6690ebd655385cd5ad6 exif-0.6.21.tar.gz
27339b89850f28c8f1c237f233e05b27 libexif-0.6.21.tar.bz2
9321c409a3e588d4a99d63063ef4bbb7 libexif-0.6.21.tar.gz
aa208b40c853792ba57fbdc1eafcdc95 libexif-0.6.21.zip

Here are the SHA1 sums of the released files:

74652e3d04d0faf9ab856949d7463988f0394db8 exif-0.6.21.tar.bz2
d23139d26226b70c66d035bbc64482792c9f1101 exif-0.6.21.tar.gz
a52219b12dbc8d33fc096468591170fda71316c0 libexif-0.6.21.tar.bz2
4106f02eb5f075da4594769b04c87f59e9f3b931 libexif-0.6.21.tar.gz
e5990860e9ec5a6aedde0552507a583afa989ca2 libexif-0.6.21.zip

ACKNOWLEDGEMENTS

Mateusz Jurczyk of Google Security Team reported the issues
CVE-2012-2812, CVE-2012-2813 and CVE-2012-2814. Yunho Kim reported the
issues CVE-2012-2836 and CVE-2012-2837. Dan Fandrich discovered the
issues CVE-2012-2840, CVE-2012-2841 and CVE-2012-2845.

REFERENCES

http://libexif.sf.net

Revision history for this message
In , Meissner-i (meissner-i) wrote :

via cvs commits

* Fixed bug that caused read past the end of a buffer (CVE-2012-2845)

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498451)
CVE-2012-2845.patch

as applied by Dan

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498453)
CVE-2012-2814.patch

CVE-2012-2814

Fixed some buffer overflows in exif_entry_format_value()

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498454)
CVE-2012-2840.patch

CVE-2012-2840

Fixed an off-by-one error in exif_convert_utf16_to_utf8()
This can cause a one-byte NUL write past the end of the buffer.

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498455)
CVE-2012-2813.patch

CVE-2012-2813

Don't read past the end of a tag when converting from UTF-16

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498456)
CVE-2012-2812.patch

CVE-2012-2812

Fixed an out of bounds read on corrupted input.
The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
NUL-terminated.

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498457)
CVE-2012-2841.patch

CVE-2012-2841

Fixed a buffer overflow problem in exif_entry_get_value
If the application passed in a buffer length of 0, then it would
be treated as the buffer had unlimited length.

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498458)
CVE-2012-2836.patch

CVE-2012-2836

Fix a buffer overflow on corrupt EXIF data.
This fixes bug #3434540 and fixes part of CVE-2012-2836

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498459)
CVE-2012-2836-2.patch

CVE-2012-2836

Fix a buffer overflow on corrupted JPEG data
An unsigned data length might wrap around when decremented
below zero, bypassing sanity checks on length.
This code path can probably only occur if exif_data_load_data()
is called directly by the application on data that wasn't parsed
by libexif itself.
This solves the other part of CVE-2012-2836

Revision history for this message
In , Meissner-i (meissner-i) wrote :

Created an attachment (id=498460)
CVE-2012-2837.patch

CVE-2012-2837

Fixed some possible division-by-zeros in Olympus-style makernotes
This fixes bug #3434545, a.k.a. CVE-2012-2837

Revision history for this message
In , Meissner-i (meissner-i) wrote :

CVE-2012-2845 is actually for "exif", the commandline tool. Not the library libexif.

The others are for the library.

Revision history for this message
In , Meissner-i (meissner-i) wrote :

libexif/ChangeLog:

2012-07-12 Dan Fandrich <email address hidden>

       * Fixed some buffer overflows in exif_entry_format_value()
         This fixes CVE-2012-2814. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an off-by-one error in exif_convert_utf16_to_utf8()
         This can cause a one-byte NUL write past the end of the buffer.
         This fixes CVE-2012-2840
       * Don't read past the end of a tag when converting from UTF-16
         This fixes CVE-2012-2813. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an out of bounds read on corrupted input
         The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
         NUL-terminated.
         This fixes CVE-2012-2812. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed a buffer overflow problem in exif_entry_get_value
         If the application passed in a buffer length of 0, then it would
         be treated as the buffer had unlimited length.
         This fixes CVE-2012-2841
       * Fix a buffer overflow on corrupt EXIF data.
         This fixes bug #3434540 and fixes part of CVE-2012-2836
         Reported by Yunho Kim
       * Fix a buffer overflow on corrupted JPEG data
         An unsigned data length might wrap around when decremented
         below zero, bypassing sanity checks on length.
         This code path can probably only occur if exif_data_load_data()
         is called directly by the application on data that wasn't parsed
         by libexif itself.
         This solves the other part of CVE-2012-2836
       * Fixed some possible division-by-zeros in Olympus-style makernotes
         This fixes bug #3434545, a.k.a. CVE-2012-2837
         Reported by Yunho Kim

Revision history for this message
In , Swamp-a (swamp-a) wrote :

bugbot adjusting priority

Karma Dorje (taaroa)
visibility: private → public
Revision history for this message
In , Swamp-a (swamp-a) wrote :

The SWAMPID for this issue is 48261.
This issue was rated as important.
Please submit fixed packages until 2012-07-20.
When done, please reassign the bug to <email address hidden>.
Patchinfo will be handled by security team.

Changed in libexif (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libexif (Ubuntu):
status: New → Confirmed
Revision history for this message
In , Swamp-a (swamp-a) wrote :

Update released for: libexif, libexif-32bit, libexif-debuginfo, libexif-debuginfo-32bit, libexif-debuginfo-x86, libexif-debugsource, libexif-devel, libexif-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)

Revision history for this message
In , Swamp-a (swamp-a) wrote :

Update released for: libexif
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Revision history for this message
In , F-krahmer (f-krahmer) wrote :

done, only opensuse left

Revision history for this message
In , Swamp-a (swamp-a) wrote :

Update released for: libexif
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libexif - 0.6.16-2.1ubuntu0.2

---------------
libexif (0.6.16-2.1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible info disclosure via
    corrupted EXIF_TAG_COPYRIGHT tag (LP: #1024213)
    - debian/patches/CVE-2012-2812.dpatch: fix reading tags that aren't
      NUL-terminated in libexif/exif-entry.c.
    - CVE-2012-2812
  * SECURITY UPDATE: denial of service and possible info disclosure via
    UTF-16 tag (LP: #1024213)
    - debian/patches/CVE-2012-2813.dpatch: don't read past the end of a
      tag when converting from UTF-16 in libexif/exif-entry.c.
    - CVE-2012-2813
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted tags (LP: #1024213)
    - debian/patches/CVE-2012-2814.dpatch: fix buffer overflows in
      libexif/exif-entry.c.
    - CVE-2012-2814
  * SECURITY UPDATE: denial of service and possible info disclosure via
    crafted tags (LP: #1024213)
    - debian/patches/CVE-2012-2836.dpatch: fix buffer overflows in
      libexif/exif-data.c
    - CVE-2012-2836
  * SECURITY UPDATE: denial of service via crafted tags (LP: #1024213)
    - debian/patches/CVE-2012-2837.dpatch: fix some possible
      division-by-zeros in libexif/olympus/mnote-olympus-entry.c.
    - CVE-2012-2837
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted tags (LP: #1024213)
    - debian/patches/CVE-2012-2840.dpatch: fix off-by-one in
      libexif/exif-utils.c.
    - CVE-2012-2840
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect buffer size (LP: #1024213)
    - debian/patches/CVE-2012-2841.dpatch: validate buffer length in
      libexif/exif-entry.c.
    - CVE-2012-2841
 -- Marc Deslauriers <email address hidden> Thu, 19 Jul 2012 14:46:59 -0400

Changed in libexif (Ubuntu):
status: Confirmed → Fix Released
Changed in libexif (openSUSE):
status: Confirmed → Fix Released
Revision history for this message
In , Swamp-a (swamp-a) wrote :

openSUSE-SU-2012:0914-1: An update that fixes 7 vulnerabilities is now available.

Category: security (low)
Bug References: 771229
CVE References: CVE-2012-2812,CVE-2012-2813,CVE-2012-2814,CVE-2012-2836,CVE-2012-2837,CVE-2012-2840,CVE-2012-2841
Sources used:
openSUSE 12.1 (src): libexif-0.6.20-10.4.1
openSUSE 11.4 (src): libexif-0.6.20-10.1

Revision history for this message
In , Bwiedemann (bwiedemann) wrote :

This is an autogenerated message for OBS integration:
This bug (771229) was mentioned in
https://build.opensuse.org/request/show/129342 Evergreen:11.2 / libexif
https://build.opensuse.org/request/show/129344 Evergreen:11.2 / libexif

Revision history for this message
In , Bwiedemann (bwiedemann) wrote :

This is an autogenerated message for OBS integration:
This bug (771229) was mentioned in
https://build.opensuse.org/request/show/129664 Evergreen:11.2 / libexif

Revision history for this message
In , Meissner-i (meissner-i) wrote :

closed

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.