Bug 51714 - libexif: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
P3 normal
UCS 4.4-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2020-07-22 15:03 CEST by Quality Assurance
Modified: 2020-07-29 16:50 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)


Description Quality Assurance univentionstaff 2020-07-22 15:03:05 CEST
New Debian libexif 0.6.21-2+deb9u4 fixes:
This update addresses the following issues:
* Integer overflow in parsing MNOTE entry data of the input file (CVE-2016-6328)
* Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)
* Input validation issue resulting in a denial of service (CVE-2018-20030)
* out of bounds read due to a missing bounds check in exif_data_save_data_entry function in exif-data.c (CVE-2020-0093)
* out of bounds read due to a missing bounds check in exif_entry_get_value function in exif-entry.c (CVE-2020-0182)
* integer overflow in exif_data_load_data_content function in exif-data.c (CVE-2020-0198)
* divide-by-zero in exif_entry_get_value function in exif-entry.c (CVE-2020-12767)
* several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS (CVE-2020-13112)
* use of uninitialized memory in EXIF Makernote handling can lead to crashes and use-after-free (CVE-2020-13113)
* unrestricted size in handling Canon EXIF MakerNote data can lead to consumption of large amounts of compute time for decoding EXIF data (CVE-2020-13114)
Comment 1 Quality Assurance univentionstaff 2020-07-23 13:16:53 CEST
--- mirror/ftp/4.4/unmaintained/4.4-4/source/libexif_0.6.21-2+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/libexif_0.6.21-2+deb9u4.dsc
@@ -1,3 +1,40 @@
+0.6.21-2+deb9u4 [Wed, 24 Jun 2020 23:25:22 +1000] Hugh McMaster <hugh.mcmaster@outlook.com>:
+
+  * Add upstream patches to fix two security issues:
+    - Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182).
+    - Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+      (Closes: #962345).
+
+0.6.21-2+deb9u3 [Mon, 25 May 2020 21:28:10 +1000] Hugh McMaster <hugh.mcmaster@outlook.com>:
+
+  * Add upstream patches to fix multiple security issues:
+    - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
+      read time (CVE-2020-13112) (Closes: #961407).
+    - cve-2020-13113.patch: Ensure MakerNote data pointers are
+      NULL-initialized (CVE-2020-13113) (Closes: #961409).
+    - cve-2020-13114.patch: Add a failsafe on the maximum number of
+      Canon MakerNote subtags to catch extremely large values in tags
+      (CVE-2020-13114) (Closes: #961410).
+
+0.6.21-2+deb9u2 [Thu, 21 May 2020 11:22:40 +0200] Mike Gabriel <sunweaver@debian.org>:
+
+  [ Mike Gabriel ]
+  * Sponsored upload.
+  * debian/patches: trivial rebasing of several patches.
+
+  [ Hugh McMaster ]
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+    - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+      entry data of the input file (CVE-2016-6328) (Closes: #873022).
+    - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+      exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+    - cve-2018-20030.patch: Improve deep recursion detection in the function
+      exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+    - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+      in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+    - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
 0.6.21-2+deb9u1 [Sat, 01 Feb 2020 21:54:38 +0100] Salvatore Bonaccorso <carnil@debian.org>:
 
   * Non-maintainer upload by the Security Team.
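Review bot: the 0.6.21-2+deb9u4 entry at the top of this hunk lists the CVE-2020-0182 and CVE-2020-0198 fixes without naming the patch files, while the deb9u3 and deb9u2 entries below it name one file per CVE (for example cve-2020-13112.patch). Naming the two files in the same style would let a reviewer map each CVE to a file under debian/patches. The CVE-2020-0093 and CVE-2020-0182 items also carry no "Closes:" reference, so for those two there is no Debian bug number to cross-check against. The ten CVEs added across the three new entries match the ten listed in the bug description.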

<http://10.200.17.11/4.4-5/#555202617153888112>
Comment 2 Philipp Hahn univentionstaff 2020-07-23 16:37:48 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 314a160e5a Bug #51714: libexif 0.6.21-2+deb9u4
 doc/errata/staging/libexif.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

[4.4-5] a5fd818740 Bug #51714: libexif 0.6.21-2+deb9u4
 doc/errata/staging/libexif.yaml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)