|Summary:||<media-libs/libexif-0.6.19: Heap-based buffer overflow (CVE-2009-3895)|
|Product:||Gentoo Security||Reporter:||Alex Legler (RETIRED) <a3li>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Alex Legler (RETIRED) 2009-11-14 17:33:04 UTC
From $URL:

PROBLEM DESCRIPTION

A flaw in libexif was discovered that causes a heap buffer to overflow when certain invalid EXIF images are processed. The flaw occurs in the tag fixup routine which attempts to convert in place an array of 8-bit integers into 16-bit integers. This fixup is performed by default after reading an image and until version 0.6.18 there was no easy way to disable it, so it is likely that nearly all applications using libexif to read images are vulnerable.

AFFECTED VERSIONS

Only libexif version 0.6.18 is affected by this flaw. Version 0.6.17 and previous and 0.6.19 and later are not affected.

SOLUTION

Upgrade to version 0.6.19.
Comment 1 Alex Legler (RETIRED) 2009-11-14 17:34:16 UTC
Stable is not affected.
Comment 2 Alex Legler (RETIRED) 2009-11-14 17:43:51 UTC
*** Bug 293192 has been marked as a duplicate of this bug. ***
Comment 3 Markus Meier 2009-11-14 20:33:36 UTC
bumped in cvs, 0.6.18 versions removed.

*exif-0.6.19 (14 Nov 2009)

  14 Nov 2009; Markus Meier <firstname.lastname@example.org> -exif-0.6.18.ebuild, +exif-0.6.19.ebuild:
  version bump wrt bug #293190 and bug #293194

*libexif-0.6.19 (14 Nov 2009)

  14 Nov 2009; Markus Meier <email@example.com> -libexif-0.6.18.ebuild, +libexif-0.6.19.ebuild:
  version bump wrt bug #293190 and bug #293194
Comment 4 Alex Legler (RETIRED) 2009-11-14 20:34:38 UTC
Thanks. → noglsa
Comment 5 Alex Legler (RETIRED) 2009-11-26 08:26:30 UTC
CVE-2009-3895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3895): Heap-based buffer overflow in the exif_entry_fix function (aka the tag fixup routine) in libexif/exif-entry.c in libexif 0.6.18 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an invalid EXIF image. NOTE: some of these details are obtained from third party information.
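The bug class named in the description and in the CVE text above (widening an array of 8-bit integers to 16-bit integers inside its original allocation), written with the size handling that keeps the conversion inside the buffer. This is an added illustration, not libexif's code or its 0.6.19 fix; `struct entry` and `widen_byte_to_short` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed tag entry (not libexif's type). */
struct entry {
    unsigned char *data;   /* heap buffer holding the values */
    size_t size;           /* bytes allocated for data */
    size_t components;     /* number of values stored */
    int is_short;          /* 0 = 8-bit values, 1 = 16-bit values */
};

/* Widen 8-bit values to 16-bit values (host byte order) in place.
 * The unsafe form of this fixup writes components * 2 bytes into a buffer
 * that was allocated for components bytes. Here the buffer is grown first.
 * Returns 0 on success, -1 on bad input or allocation failure; on failure
 * the entry is left untouched. */
int widen_byte_to_short(struct entry *e)
{
    if (e == NULL || e->is_short)
        return -1;
    if (e->size != e->components)            /* header disagrees with buffer */
        return -1;
    if (e->components == 0) {                /* nothing to convert */
        e->is_short = 1;
        return 0;
    }
    if (e->components > SIZE_MAX / sizeof(uint16_t))
        return -1;                           /* size computation would wrap */

    size_t new_size = e->components * sizeof(uint16_t);
    unsigned char *p = realloc(e->data, new_size);
    if (p == NULL)
        return -1;                           /* old buffer is still valid */

    /* Walk backwards so no unread source byte is overwritten. */
    for (size_t i = e->components; i-- > 0; ) {
        uint16_t v = p[i];
        memcpy(p + i * sizeof v, &v, sizeof v);
    }
    e->data = p;
    e->size = new_size;
    e->is_short = 1;
    return 0;
}

int main(void)
{
    struct entry e = { malloc(2), 2, 2, 0 }; /* constructed sample entry */
    if (e.data == NULL) return 1;
    e.data[0] = 3; e.data[1] = 200;
    printf("rc=%d size=%zu\n", widen_byte_to_short(&e), e.size);
    free(e.data);
    return 0;
}
```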