Bug 92035 - media-libs/libexif infinite recursion
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://sourceforge.net/tracker/index....
Whiteboard: B3 [noglsa] jaervosz
Reported: 2005-05-09 12:35 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-08-15 22:02 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 12:35:44 UTC
Infinite recursion in exif_data_load_data_content. This function can get into an infinite recursion.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 12:36:30 UTC
Jeremy please advise.
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2005-05-09 13:46:23 UTC
I suppose it could be manipulated to cause apache to crash if one of its modules does image processing.  I know php does this, but I don't believe it links with libexif.  Still, the possibility is there for remote DoS for a service that DOES allow image processing of uploaded images with libexif.  I'm testing the patch now.

Affected versions are <0.6.12-r4

libexif-0.5.12-r3 is going to be patched with the fix
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2005-05-09 14:03:03 UTC
well... that patch actually didn't fix the bug...  I still got kuickshow to segfault when trying to open that jpg:

Corrupt JPEG data: 59 extraneous bytes before marker 0xd9
Segmentation fault (core dumped)
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2005-05-09 14:09:09 UTC
Actually, kuickshow and kde's jpeg ioslave don't use this lib, so there's a problem in whatever libs kde uses for exif data (is it in libjpeg?)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 22:37:06 UTC
Thx for the notification, we will handle the KDE issue on another bug. Let us know when an ebuild is ready for stable marking.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 23:11:19 UTC
Arches please test and mark libexif-0.5.12-r3 stable.
Comment 7 Lars Weiler (RETIRED) gentoo-dev 2005-05-10 16:50:12 UTC
Compiles without errors on ppc.  Could not test, as no testing instruction has been given.
Comment 8 Lars Weiler (RETIRED) gentoo-dev 2005-05-11 04:00:19 UTC
How to test this bug: <@eradicator> Pylon: get the .jpg file mentioned on the upstream bug and open it in gimp

I can open it in gimp (on ppc) and get the error message:
"Corrupt JPEG data: 59 extraneous bytes before marker 0xd9

EXIF data will be ignored."

So, ppc-test verified.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-05-11 09:10:02 UTC
stable on ppc64
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-11 16:26:05 UTC
Stable on alpha + ia64.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 21:32:48 UTC
This one is ready for GLSA decision.

Though not sure this should be rated an A or B item. Comments?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-05-12 05:50:32 UTC
Rating B (for limited exposure). 1/2 vote NO here too...
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-05-12 08:57:24 UTC
Stable on hppa
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-12 12:50:31 UTC
adding my half vote against a GLSA to koon's half vote
so we got one vote against a GLSA now
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 22:13:27 UTC
I vote a full NO. Feel free to reopen if you disagree.
Comment 16 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 14:46:00 UTC
Stable on mips.