Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 181922 - media-libs/libexif EXIF Information Handling Vulnerability (CVE-2006-4168)
Summary: media-libs/libexif EXIF Information Handling Vulnerability (CVE-2006-4168)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25642/
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-13 15:52 UTC by Lars Hartmann
Modified: 2007-07-31 06:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-06-13 15:52:13 UTC
A vulnerability has been reported in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

The vulnerability is caused due to an error within the handling of EXIF information. This can be exploited to crash an application using the library and may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.6.16.
Solution:
Update to version 0.6.16.

Provided and/or discovered by:
The vendor credits iDefense.

Original Advisory:
http://sourceforge.net/project/shownotes.php?release_id=515385

Reproducible: Always
Comment 1 Lars Hartmann 2007-06-13 16:40:07 UTC
maintainers - please advise and bump as necessary
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2007-06-13 18:42:59 UTC
New version in portage.

Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 3 Markus Meier gentoo-dev 2007-06-13 20:18:13 UTC
media-libs/libexif-0.6.16 USE="nls -doc"
1. emerges on x86
2. passes test suite
3. passes collision test
4. no revdep-rebuild needed and gnome-base/nautilus-2.16.3 emerges with it

Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20.14 i686)
=================================================================
System uname: 2.6.20.14 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 13 Jun 2007 19:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-14 03:51:21 UTC
Stable for HPPA.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-06-14 05:58:05 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-06-14 11:07:23 UTC
alpha/ia64/x86 stable, thanks Markus
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-14 13:18:35 UTC
sparc stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-14 17:47:48 UTC
ppc stable
Comment 9 Christoph Mende (RETIRED) gentoo-dev 2007-06-15 15:42:43 UTC
amd64 done
Comment 10 Lars Hartmann 2007-06-16 14:58:48 UTC
thanks arches for testing and mantainers for providing the ebuild

this one is ready for glsa decision
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-16 15:08:21 UTC
no need to vote here, B2 => glsa without a vote ;)
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-26 23:00:44 UTC
GLSA 200706-09
Comment 13 Joshua Kinard gentoo-dev 2007-07-31 06:09:27 UTC
mip stable.