Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 783522 (CVE-2021-27815)

Summary: <media-gfx/exif-0.6.22-r1: null pointer dereference (CVE-2021-27815)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-needed
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/libexif/exif/issues/4
See Also: https://github.com/gentoo/gentoo/pull/26271
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 866239    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-17 23:52:28 UTC
CVE-2021-27815:

NULL Pointer Deference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:58 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:17 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:39:15 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:23 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:21 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:38 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-07-08 22:14:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd33507695886a6e0936f556cf6ec9de7595e7f9

commit bd33507695886a6e0936f556cf6ec9de7595e7f9
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-07-07 20:36:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-08 22:14:34 +0000

    media-gfx/exif: Security fix for CVE-2021-27815
    
    This commit adds two patches from upstream and bumps the revision.
    
    Bug: https://bugs.gentoo.org/783522
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/exif/exif-0.6.22-r1.ebuild               | 31 +++++++++++++++++
 .../files/exif-0.6.22-empty-string-check.patch     | 40 ++++++++++++++++++++++
 2 files changed, 71 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-10-22 02:33:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cccd68bec11001d70da69997730018e5151a7483

commit cccd68bec11001d70da69997730018e5151a7483
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-22 02:31:35 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-22 02:31:35 +0000

    media-gfx/exif: drop 0.6.22
    
    Bug: https://bugs.gentoo.org/783522
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/exif/exif-0.6.22.ebuild | 27 ---------------------------
 1 file changed, 27 deletions(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:40:41 UTC
GLSA request filed
Comment 10 Larry the Git Cow gentoo-dev 2022-10-31 01:41:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=72cd35ddebf893b0640052a4f1534e697700fc8f

commit 72cd35ddebf893b0640052a4f1534e697700fc8f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:23:34 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-28 ] exif: Denial of Service
    
    Bug: https://bugs.gentoo.org/783522
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-28.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:36 UTC
GLSA released, all done!