libexif 0.6.21 and exif 0.6.21 were released to fix various overflows and related issues.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libexif (Ubuntu) | Fix Released | Undecided | Unassigned | |
libexif (openSUSE) | Fix Released | High | | |
Bug Description
libexif project security advisory
July 12, 2012

PROBLEM DESCRIPTION

A number of remotely exploitable issues were discovered in libexif
and exif, with effects ranging from information leakage to potential
remote code execution. The issues are:

CVE-2012-2812: A heap-based out-of-bounds array read in the
exif_entry_
and earlier allows remote attackers to cause a denial of service or
possibly obtain potentially sensitive information from process memory
via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the
exif_convert_
0.6.20 and earlier allows remote attackers to cause a denial of service
or possibly obtain potentially sensitive information from process
memory via an image with crafted EXIF tags.

CVE-2012-2814: A buffer overflow in the exif_entry_
in libexif/
cause a denial of service or possibly execute arbitrary code via an
image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the
exif_data_load_data function in libexif 0.6.20 and earlier allows remote
attackers to cause a denial of service or possibly obtain potentially
sensitive information from process memory via an image with crafted
EXIF tags.

CVE-2012-2837: A divide-by-zero error in the
mnote_olympus_
tags in libexif 0.6.20 and earlier allows remote attackers to cause a
denial of service via an image with crafted EXIF tags.

CVE-2012-2840: An off-by-one error in the exif_convert_
function in libexif/
remote attackers to cause a denial of service or possibly execute
arbitrary code via an image with crafted EXIF tags.

CVE-2012-2841: An integer underflow in the exif_entry_
can cause a heap overflow and potentially arbitrary code execution while
formatting an EXIF tag, if the function is called with a buffer size
parameter equal to zero or one.

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data
in the exif program could cause a data read beyond the end of a buffer,
causing an application crash or leakage of potentially sensitive
information when parsing a crafted JPEG file.

There are no known public exploits of these issues.

AFFECTED VERSIONS

All of the described vulnerabilities affect libexif
version 0.6.20, and most affect earlier versions as well.

SOLUTION

Upgrade to version 0.6.21 which is not vulnerable to
these issues.

CHECKSUMS
Here are the MD5 sums of the released files:
Here are the SHA1 sums of the released files:
ACKNOWLEDGEMENTS
Mateusz Jurczyk of Google Security Team reported the issues
CVE-2012-2812, CVE-2012-2813 and CVE-2012-2814. Yunho Kim reported the
issues CVE-2012-2836 and CVE-2012-2837. Dan Fandrich discovered the
issues CVE-2012-2840, CVE-2012-2841 and CVE-2012-2845.
visibility: private → public
Changed in libexif (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in libexif (openSUSE):
status: Confirmed → Fix Released
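The CVE-2012-2841 entry in the advisory above describes an unsigned buffer-size computation that wraps when a formatter is called with a size of zero or one. The C code below is an added example, not libexif's code: `unguarded_room`, `format_value_safe`, the two reserved bytes and the sample strings are hypothetical, chosen to show the wrap next to a formatter that handles sizes zero and one explicitly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical unguarded computation (not libexif's code): hold back
 * `reserved` bytes (e.g. separator + NUL) from an unsigned buffer size.
 * If maxlen < reserved the result wraps to a huge value, not a negative. */
static size_t unguarded_room(size_t maxlen, size_t reserved)
{
    return maxlen - reserved;
}

/* Guarded formatter (hypothetical): writes value followed by unit, truncated
 * to fit, and never touches more than maxlen bytes. Returns bytes written,
 * excluding the terminating NUL. */
static size_t format_value_safe(char *buf, size_t maxlen,
                                const char *value, const char *unit)
{
    size_t room, n, u;

    if (buf == NULL || maxlen == 0)
        return 0;                 /* size 0: nothing may be written */
    buf[0] = '\0';
    if (maxlen == 1)
        return 0;                 /* size 1: room for the NUL only */

    room = maxlen - 1;            /* cannot wrap: maxlen >= 2 here */
    n = strlen(value);
    if (n > room)
        n = room;
    memcpy(buf, value, n);
    room -= n;
    u = strlen(unit);
    if (u > room)
        u = room;
    memcpy(buf + n, unit, u);
    buf[n + u] = '\0';
    return n + u;
}

int main(void)
{
    char out[8];                  /* constructed sample input below */
    size_t sizes[] = { 0, 1, 4, sizeof out };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t w = format_value_safe(out, sizes[i], "12", " mm");
        printf("maxlen=%zu unguarded_room=%zu written=%zu\n",
               sizes[i], unguarded_room(sizes[i], 2), w);
    }
    return 0;
}
```

A length that has wrapped this way passes any later "fits in the buffer" comparison, which is why the size check has to come before the subtraction.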
via cvs commits
* Fixed bug that caused read past the end of a buffer (CVE-2012-2845)