Bug#: 178081
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Description:   Opened: 2007-05-11 17:54 0000
Victor Stinner has reported a vulnerability in libexif, which can be exploited
by malicious people to cause a DoS and potentially compromise an application
using the library.

The vulnerability is caused due to an error within the handling of malformed
EXIF information. This can be exploited to crash an application using the
library and may allow execution of arbitrary code.

Solution:
Update to version 0.6.14.

------- Comment #1 From Pierre-Yves Rofes 2007-05-11 17:56:02 0000 -------
setting status and cc'ing maintainer. Jeremy, please advise and bump as
necessary.

------- Comment #2 From Jeremy Huddleston (RETIRED) 2007-05-21 18:22:40 0000 -------
I'll look at this this evening

------- Comment #3 From Jeremy Huddleston (RETIRED) 2007-05-21 18:23:05 0000 -------
Whoops, didn't mean to change to new.

------- Comment #4 From Jeremy Huddleston (RETIRED) 2007-05-27 05:38:37 0000 -------
0.6.14 was giving me headaches, but they just released 0.6.15 and the ebuild is
in portage now.  I haven't had much time to test, so archs please give it a
beating.  Make sure to test the crashing jpeg in this bug report:

http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-05-27 07:38:26 0000 -------
Thx Jeremy. Arches, please test and mark stable. Target keywords are:

libexif-0.6.15.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390
sh sparc x86 ~x86-fbsd"

------- Comment #6 From Brent Baude 2007-05-27 13:03:40 0000 -------
ppc64 done

------- Comment #7 From Jonas Pedersen 2007-05-27 13:45:58 0000 -------
media-libs/libexif-0.6.15  USE="nls -doc"

Emerges and works on AMD64. It did, however, require a revdep-rebuild.

Portage 2.1.2.7 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r2,
2.6.20-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r7 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 25 May 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O3 -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O3 -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/
http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi aiglx alsa amd64 arts atk berkdb bitmap-fonts cairo cdr cli
cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss
encode fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gnome gphoto2 gpm
gstreamer gtk gtk2 hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde libg++
lm_sensors mad midi mikmod mjpeg mozilla mp3 mpeg mplayer msn mudflap ncurses
nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds
pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell
spl sse3 ssl tcpd test threads tiff truetype truetype-fonts type1-fonts unicode
vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938
es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #8 From Peter Volkov 2007-05-27 14:38:55 0000 -------
Works fine on x86. digikam shows me exif information. One thing I've noticed is
that some doc files are installed in /usr/share/doc/libexif, while others are in
/usr/share/doc/libexif-0.6.15/.

------- Comment #9 From Jeremy Huddleston (RETIRED) 2007-05-27 16:12:30 0000 -------
Jonas, which version were you coming from that it required the revdep-rebuild?

Upstream was incorrectly bumping their soname between releases until we
notified them about it sometime around 0.6.12.  I kept the soname the same on
our systems (not matching upstream) because of their error.  They fixed their
process and decided to keep their inflated soname, and our ebuilds started
matching that sometime in the 0.6.13-rXs.

Additionally, we were using preserve_old_lib from eutils.eclass to keep around
the old binary.  Because of this vulnerability, I decided that was not wise.

As for the docdir problem... sorry I missed that.  I'll make a note of it for
myself and address it in a revbump bugfix later.  I don't think it's critical
enough to hold this up.

------- Comment #10 From Markus Meier 2007-05-27 17:58:24 0000 -------
media-libs/libexif-0.6.15 USE="nls -doc"
1. emerges on x86
2. passes test suite
3. passes collision test
4. revdep-rebuild seems to be necessary.
old stable version: 
# qlist libexif-0.6.13-r1 | grep libexif.so
/usr/lib/libexif.so.10.2.1
/usr/lib/libexif.so.10
/usr/lib/libexif.so
/usr/lib/libexif.so.9

new version:
# qlist libexif | grep libexif.so
/usr/lib/libexif.so.12.2.0
/usr/lib/libexif.so.12
/usr/lib/libexif.so


Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r2,
2.6.20.12 i686)
=================================================================
System uname: 2.6.20.12 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 27 May 2007 17:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr
cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss
encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal
iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi
mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp
oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline
reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd
test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd
vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de
en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #11 From Jonas Pedersen 2007-05-27 18:53:57 0000 -------
Jeremy, I upgraded from 0.6.13-r1 (latest stable on AMD64). For instance, Gimp
gives the error below when trying to open JPEG files.

/usr/lib64/gimp/2.0/plug-ins/jpeg: error while loading shared libraries:
libexif.so.10: cannot open shared object file: No such file or directory

------- Comment #12 From Jeremy Huddleston (RETIRED) 2007-05-27 21:25:02 0000 -------
libexif.so.9 was kept around with preserve_old_lib, but since it is vulnerable,
we're not preserving that one any more.

0.6.13-r1 produces libexif.so.10 (we were forcing the old soname because of
incorrect upstream version bumping)

0.6.13-r2 produces libexif.so.12 (another dev rev-bumped, removing my soname
hack and forcing a revdep-rebuild)

0.6.15 produces libexif.so.12 and matches the upstream version name.

It seems given the circumstances (-r1 being the current stable), it might be
wise to do a revbump and just have symlinks for .10 -> .12... or should we
force the revdep-rebuild?  I don't like the idea of having the symlink, but I
also don't want to force people to rebuild parts of their system when they
really don't need to.  I'll wait for comments here before taking action.
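
The soname mechanics behind comments #9 to #12 (why a consumer built against libexif.so.10 breaks once only libexif.so.12 is installed, what a revdep-rebuild-style check actually looks for, and what a .10 -> .12 symlink would hide) can be made concrete with the following added example. This is not Gentoo's revdep-rebuild and not code from this bug; it reads DT_NEEDED and DT_SONAME straight from the PT_DYNAMIC segment of little-endian ELF64 images (32-bit objects on x86/ppc would need the Elf32 layouts, which it does not handle). The paths are the ones named in the thread, used only as labels; the images themselves are constructed fixtures produced by build_elf(), not real files from a Gentoo system.

```python
"""Added example (not Gentoo's revdep-rebuild and not part of this bug):
read DT_NEEDED / DT_SONAME straight out of the PT_DYNAMIC segment of
little-endian ELF64 images and report consumers bound to a soname no
installed file provides. build_elf() only constructs test fixtures."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_SONAME = 0, 1, 5, 14


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD map."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not file-backed" % vaddr)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def dynamic_info(data):
    """Return (needed_sonames, own_soname) for an ELF64 LE image in memory.
    A file without PT_DYNAMIC (static binary) yields ([], None)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dyn = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_offset + p_filesz)
    if dyn is None:
        return [], None
    off, end = dyn
    entries, strtab = [], None
    while off + 16 <= end:
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        off += 16
        if d_tag == DT_NULL:
            break
        if d_tag == DT_STRTAB:
            strtab = _vaddr_to_offset(loads, d_val)   # DT_STRTAB holds a vaddr
        elif d_tag in (DT_NEEDED, DT_SONAME):
            entries.append((d_tag, d_val))            # offsets into .dynstr
    if strtab is None:
        return [], None
    needed = [_cstr(data, strtab + v) for t, v in entries if t == DT_NEEDED]
    sonames = [_cstr(data, strtab + v) for t, v in entries if t == DT_SONAME]
    return needed, (sonames[0] if sonames else None)


def provided_names(libraries):
    """What ld.so can resolve: file names on disk, not DT_SONAME values."""
    return {path.rsplit("/", 1)[-1] for path in libraries}


def broken_consumers(images, provided):
    """Map object path -> DT_NEEDED names nothing installed satisfies
    (the set a revdep-rebuild would schedule for a rebuild)."""
    broken = {}
    for path, data in images.items():
        missing = [s for s in dynamic_info(data)[0] if s not in provided]
        if missing:
            broken[path] = missing
    return broken


def soname_aliases(libraries):
    """Installed file names that disagree with the library's own DT_SONAME:
    exactly what a libexif.so.10 -> libexif.so.12 symlink would produce."""
    out = {}
    for path, data in libraries.items():
        soname = dynamic_info(data)[1]
        if soname and soname != path.rsplit("/", 1)[-1]:
            out[path] = soname
    return out


def build_elf(needed, soname=None):
    """Constructed fixture: a minimal ET_DYN ELF64 image (not loadable code)
    whose PT_DYNAMIC carries the given DT_NEEDED/DT_SONAME entries."""
    strtab, offs = b"\0", {}
    for name in list(needed) + ([soname] if soname else []):
        offs[name] = len(strtab)
        strtab += name.encode() + b"\0"
    strtab_off = 64 + 2 * 56                      # ehdr + two phdrs
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, offs[n]) for n in needed)
    if soname:
        dyn += struct.pack("<qQ", DT_SONAME, offs[soname])
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    pdyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    img = ehdr + load + pdyn + strtab
    return img + b"\0" * (dyn_off - len(img)) + dyn


if __name__ == "__main__":
    libs = {"/usr/lib/libexif.so.12": build_elf([], "libexif.so.12")}
    gimp = {"/usr/lib64/gimp/2.0/plug-ins/jpeg": build_elf(["libexif.so.10"])}
    print(broken_consumers(gimp, provided_names(libs)))
    libs["/usr/lib/libexif.so.10"] = libs["/usr/lib/libexif.so.12"]  # the symlink idea
    print(broken_consumers(gimp, provided_names(libs)), soname_aliases(libs))
```

On a live system the same functions would be fed the bytes of the objects under /usr/lib*, /usr/bin and the like, which is in substance what revdep-rebuild gets from ldd or scanelf. The two checks pull in opposite directions, and that is the point of the symlink question in comment #12: adding libexif.so.10 as an alias of libexif.so.12 makes broken_consumers() go quiet, because ld.so resolves by file name, while soname_aliases() still flags that the loader is now binding gimp's plug-in to a library whose own DT_SONAME says it is a different ABI. Dropping the preserve_old_lib copy is the other half of the trade: a kept libexif.so.9 is the vulnerable code still loadable by anything that has not been rebuilt, which is why the rebuild, not the alias, is the safe answer for a security bump.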

------- Comment #13 From Jeroen Roovers 2007-05-28 04:42:08 0000 -------
Stable for HPPA.

------- Comment #14 From Raúl Porcel 2007-05-28 11:11:30 0000 -------
alpha/ia64/x86 stable

------- Comment #15 From Pierre-Yves Rofes 2007-05-28 19:38:21 0000 -------
adding CVE reference (CVE-2007-2645)

------- Comment #16 From Tobias Scherbaum 2007-05-29 05:38:27 0000 -------
ppc stable

------- Comment #17 From Gustavo Zacarias (RETIRED) 2007-05-29 17:04:23 0000 -------
sparc stable.

------- Comment #18 From Peter Weller 2007-05-30 20:24:43 0000 -------
amd64 stable

------- Comment #19 From Jeremy Huddleston (RETIRED) 2007-06-02 18:58:15 0000 -------
Adding mips to CC since they weren't on it. They had 0.6.12 stable, which is
vulnerable.

------- Comment #20 From Anders Hellgren 2007-06-03 11:20:23 0000 -------
Considering that nautilus is one of the affected packages you may want to add
an elog notice about the .so bump.

------- Comment #21 From Raphael Marichez 2007-06-05 21:34:26 0000 -------
GLSA 200706-01, thanks everybody
