Debian Bug report logs - #681454
libexif: Overflow security vulnerabilities (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841, CVE-2012-2845)

version graph

Package: libexif; Maintainer for libexif is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 13 Jul 2012 10:24:03 UTC

Severity: grave

Tags: security

Found in version 0.6.19-1

Fixed in version libexif/0.6.20-3

Done: Emmanuel Bouthenot <kolter@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681454; Package libexif. (Fri, 13 Jul 2012 10:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 13 Jul 2012 10:24:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: libexif: Overflow security vulnerabilities (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841, CVE-2012-2845)
Date: Fri, 13 Jul 2012 13:02:34 +0300
Package: libexif
Version: 0.6.19-1
Severity: important
Tags: security

Please fix these issues in unstable with isolated fixes instead of updating to a new upstream release as the freeze is in effect. Please contact me in case you need testing or verification.

Details from http://www.openwall.com/lists/oss-security/2012/07/13/2 attachment.

A number of remotely exploitable issues were discovered in libexif
and exif, with effects ranging from information leakage to potential
remote code execution. The issues are:

CVE-2012-2812: A heap-based out-of-bounds array read in the
exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20
and earlier allows remote attackers to cause a denial of service or
possibly obtain potentially sensitive information from process memory
via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the
exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif
0.6.20 and earlier allows remote attackers to cause a denial of service
or possibly obtain potentially sensitive information from process
memory via an image with crafted EXIF tags.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value function
in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via an
image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the
exif_data_load_data function in libexif 0.6.20 and earlier allows remote
attackers to cause a denial of service or possibly obtain potentially
sensitive information from process memory via an image with crafted
EXIF tags.

CVE-2012-2837: A divide-by-zero error in the
mnote_olympus_entry_get_value function while formatting EXIF maker note
tags in libexif 0.6.20 and earlier allows remote attackers to cause a
denial of service via an image with crafted EXIF tags.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly execute
arbitrary code via an image with crafted EXIF tags. 

CVE-2012-2841: An integer underflow in the exif_entry_get_value function
can cause a heap overflow and potentially arbitrary code execution while
formatting an EXIF tag, if the function is called with a buffer size
parameter equal to zero or one.

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data
in the exif program could cause a data read beyond the end of a buffer,
causing an application crash or leakage of potentially sensitive
information when parsing a crafted JPEG file.

There are no known public exploits of these issues.

AFFECTED VERSIONS

All of the described vulnerabilities affect libexif
version 0.6.20, and most affect earlier versions as well.

SOLUTION

Upgrade to version 0.6.21 which is not vulnerable to
these issues.

CHECKSUMS

Here are the MD5 sums of the released files:

0e744471b8c3b3b1534d5af38bbf6408  exif-0.6.21.tar.bz2
78b9f501fc19c6690ebd655385cd5ad6  exif-0.6.21.tar.gz
27339b89850f28c8f1c237f233e05b27  libexif-0.6.21.tar.bz2
9321c409a3e588d4a99d63063ef4bbb7  libexif-0.6.21.tar.gz
aa208b40c853792ba57fbdc1eafcdc95  libexif-0.6.21.zip

Here are the SHA1 sums of the released files:

74652e3d04d0faf9ab856949d7463988f0394db8  exif-0.6.21.tar.bz2
d23139d26226b70c66d035bbc64482792c9f1101  exif-0.6.21.tar.gz
a52219b12dbc8d33fc096468591170fda71316c0  libexif-0.6.21.tar.bz2
4106f02eb5f075da4594769b04c87f59e9f3b931  libexif-0.6.21.tar.gz
e5990860e9ec5a6aedde0552507a583afa989ca2  libexif-0.6.21.zip

ACKNOWLEDGEMENTS

Mateusz Jurczyk of Google Security Team reported the issues
CVE-2012-2812, CVE-2012-2813 and CVE-2012-2814. Yunho Kim reported the
issues CVE-2012-2836 and CVE-2012-2837. Dan Fandrich discovered the
issues CVE-2012-2840, CVE-2012-2841 and CVE-2012-2845.

REFERENCES
http://libexif.sf.net

- Henri Salo




Severity set to 'grave' from 'important' Request was from Touko Korpela <touko.korpela@iki.fi> to control@bugs.debian.org. (Tue, 17 Jul 2012 17:09:05 GMT) Full text and rfc822 format available.

Reply sent to Emmanuel Bouthenot <kolter@debian.org>:
You have taken responsibility. (Tue, 17 Jul 2012 21:06:03 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 17 Jul 2012 21:06:04 GMT) Full text and rfc822 format available.

Message #12 received at 681454-close@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@debian.org>
To: 681454-close@bugs.debian.org
Subject: Bug#681454: fixed in libexif 0.6.20-3
Date: Tue, 17 Jul 2012 21:03:20 +0000
Source: libexif
Source-Version: 0.6.20-3

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kolter@debian.org> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Jul 2012 19:05:20 +0000
Source: libexif
Binary: libexif-dev libexif12
Architecture: source amd64
Version: 0.6.20-3
Distribution: unstable
Urgency: high
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Emmanuel Bouthenot <kolter@debian.org>
Description: 
 libexif-dev - library to parse EXIF files (development files)
 libexif12  - library to parse EXIF files
Closes: 681454
Changes: 
 libexif (0.6.20-3) unstable; urgency=high
 .
   * Add patches to fix multiples security issues: CVE-2012-2814,
     CVE-2012-2840, CVE-2012-2813, CVE-2012-2812, CVE-2012-2841,
     CVE-2012-2836, CVE-2012-2837 (Closes: #681454).
Checksums-Sha1: 
 5b525bcbda1df1940af39e6f59327bdfe3e2d010 2064 libexif_0.6.20-3.dsc
 ec4793f093fc32ac3f8273125a857fa8c18baaf5 14066 libexif_0.6.20-3.debian.tar.gz
 ee14d33c7259f840bfd28623530b702cb8d8a917 408238 libexif-dev_0.6.20-3_amd64.deb
 f9e5e5a738dcffff1a2d15fadbe92ad552e94e47 584268 libexif12_0.6.20-3_amd64.deb
Checksums-Sha256: 
 02bcb26b122ad7bca4e944609db7d7c6728d7e1232b63f9d8aa97dd43efb6ac7 2064 libexif_0.6.20-3.dsc
 2d5caa9c400b714054dd0c9cb4b69682f21b1c3f337195f82f171ca086242da1 14066 libexif_0.6.20-3.debian.tar.gz
 dc8f0193ccdf27637d389e72f064ed82f7bc4022919e50134c0f9335836ff11a 408238 libexif-dev_0.6.20-3_amd64.deb
 b0cd98be65093d96ea67d03b15574fda04b43febc18d93b39d33216bc15ecf09 584268 libexif12_0.6.20-3_amd64.deb
Files: 
 c988cccc711538f685d798e18adada42 2064 libs optional libexif_0.6.20-3.dsc
 83750e122eaa71f7444fd68c17f39987 14066 libs optional libexif_0.6.20-3.debian.tar.gz
 0b897da39f212234561b3c495f0e7f3e 408238 libdevel optional libexif-dev_0.6.20-3_amd64.deb
 2c4506d21aa8782b1b266ccd3e637f1d 584268 libs optional libexif12_0.6.20-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQBc5tAAoJEEsHdyOSnULDrmkP/jEKngjOzWGSPNzQebYYB9IF
f1mMjnr9N5PyoG/OpwU7xxcoU1ocMT0jjgZRYFbVOO7/PFYMllOE+rArRLEofxt4
N0AUCXvQTf6/UDJfjFHAF6ZgyZCDxuX3yWoJ8G0eh4wFJqxttlDImwWnIQ+hsuYB
8HkNp78Up0X7J9oPTVdGrt3gqgi6EsPyLTKy4NKm7s29am+RgpN7QrRv7K9awYjE
0xPE+7CTjW58EmARE/vtNak2dZVUUFCj6piW145JSyduK1JF/1TNS0x3JAWakPel
n5hYdN6N1FYctx9PHRMBuxrlzXn7dnV5ImTeHb6Qm2pZm7SYGgUuag74eu9+goAM
FNZsPPmtG73MqAN0k/HTrzoZuul9kXTF63p/ELOmFC1hiTXUWvPAbFga25q6avDD
Tzube7q8GiMPowr87x/IQz6v/PtaLYgeN0BK/+W8/P7dQkcvnayjoFWFKfFBeCkj
eMn0PDLqs3rgEzcvhRLzvaXvSBPMrnQSbkElp21a5MYEuDPdv8k2tVnyKOInNzks
tdm8duzGstpTJotIy/pxV8TT76MThvSy/nPSitP7gPI10KbWveSotCnnqOUD+Mm0
/Oc4MG69ukI1wXGcOpyFNO2hnFWBOAI6UX9IWf3hSHpw4FE5AtLRFFjAscTlmGL4
iB+D9enk0/Ryv+y9IfYg
=VeL1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#681454; Package libexif. (Wed, 18 Jul 2012 12:00:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 18 Jul 2012 12:00:07 GMT) Full text and rfc822 format available.

Message #17 received at 681454@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 681454@bugs.debian.org
Subject: Re: libexif: Overflow security vulnerabilities (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841, CVE-2012-2845)
Date: Wed, 18 Jul 2012 11:15:02 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/681454/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:49:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:05:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.