Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 679418 (CVE-2018-20030)

Summary: <media-libs/libexif-0.6.21-r3: input validation issue resulting in a denial of service (CVE-2018-20030)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
media-libs/libexif-0.6.21-r3
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-04 16:50:38 UTC 
CVE-2018-20030 (https://nvd.nist.gov/vuln/detail/CVE-2018-20030):
  An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF
  tags within libexif version 0.6.21 can be exploited to exhaust available CPU
  resources.
Comment 1 Larry the Git Cow gentoo-dev 2019-03-04 18:18:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcce9fb0f933198672777469411dd4774bb39ba3

commit bcce9fb0f933198672777469411dd4774bb39ba3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-04 18:18:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 18:18:46 +0000

    media-libs/libexif: rev bump to fix CVE-2018-20030
    
    While here, fix C89 compatibility issue, too.
    
    Bug: https://bugs.gentoo.org/679418
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/libexif-0.6.21-CVE-2018-20030.patch      | 117 +++++++++++++++++++++
 ...ibexif-0.6.21-fix-C89-compatibility-issue.patch |  30 ++++++
 media-libs/libexif/libexif-0.6.21-r3.ebuild        |  52 +++++++++
 3 files changed, 199 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2019-03-20 16:56:30 UTC 
No reason to wait any longer here imo.
Comment 3 Agostino Sarubbo gentoo-dev 2019-03-20 20:59:40 UTC 
amd64 stable
Comment 4 Markus Meier gentoo-dev 2019-03-21 20:38:07 UTC 
arm stable
Comment 5 Rolf Eike Beer archtester 2019-03-23 11:56:26 UTC 
sparc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 19:56:18 UTC 
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:33:39 UTC 
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-24 20:36:44 UTC 
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-25 23:13:54 UTC 
hppa stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:21:21 UTC 
x86 stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:15 UTC 
x86 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 03:28:56 UTC 
GLSA Vote: No

Alpha, please continue stabilization.
Comment 13 Larry the Git Cow gentoo-dev 2019-03-28 09:03:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbee6a0b2a8d96991bdc616e243d1fb6ac55e66e

commit fbee6a0b2a8d96991bdc616e243d1fb6ac55e66e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-03-28 09:02:59 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-03-28 09:02:59 +0000

    media-libs/libexif-0.6.21-r3: alpha stable
    
    Bug: http://bugs.gentoo.org/679418
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 media-libs/libexif/libexif-0.6.21-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 15:01:47 UTC 
tree is clean.