Bug 84076

Summary:

media-libs/libexif buffer overflow (CAN-2005-0664)

Product:

Gentoo Security

Reporter:

Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

eradicator, sekretarz

Priority:

High

Version:

unspecified

Hardware:

All

OS:

All

URL:

https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152

Whiteboard:

B2 [glsa] jaervosz

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
Patch for the 0.5 branch from Fedora	none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-03-04 04:54:10 UTC

From Ubuntu bug:

The exif library fails to validate input in several place, and 
jpeg image with invalid exif data may crash user application.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-03-08 02:50:40 UTC

Ubuntu patch over 0.6.9...

==============================================================
--- libexif-0.6.9/libexif/exif-data.c~	2005-03-03 22:54:52.333049248 +0100
+++ libexif-0.6.9/libexif/exif-data.c	2005-03-03 22:50:57.117807400 +0100
@@ -640,7 +640,7 @@
 #endif
 
 	/* Byte order (offset 6, length 2) */
-	if (ds < 12)
+	if (ds < 14)
 		return;
 	if (!memcmp (d + 6, "II", 2))
 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
@@ -659,12 +659,18 @@
 	printf ("IFD 0 at %i.\n", (int) offset);
 #endif
 
+	if (ds < 6 + 4 + offset)
+		return;
+
 	/* Parse the actual exif data (offset 14) */
 	exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
 				     ds - 6, offset);
 
 	/* IFD 1 offset */
 	n = exif_get_short (d + 6 + offset, data->priv->order);
+	if (ds < 6 + offset + 2 + 12 * n + 4)
+		return;
+
 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
 	if (offset) {
 #ifdef DEBUG
============================================================

This needs to be backported to 0.5, or the 0.6 branch needs to be unmasked and this patch applied. Backport looks easy, just a few variable names to change (fex "ds" was called "size").

Pulling eradicator in (as he was the one to mask it) for comments.
Pulling sekretarz in as he was the last committer.

Only the first hunk is not in upstream CVS yet. An equivalent of the second hunk is in CVS (exif-data.c v1.62) post 2.6.11.

Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev

2005-03-09 04:04:28 UTC

I'd say unmask it and apply to 0.6.  Most major packages have been fixed to support 0.6, but there may be a couple outliers that we missed...

Comment 3 René Rhéaume (a.k.a. repzilon, rener) 2005-03-09 06:02:06 UTC

There is a patch for the 0.5 branch released by/for Fedora
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/libexif-0.5.12-3.1.src.rpm

I will extract the patch from the SRPM and attach it here.

Comment 4 René Rhéaume (a.k.a. repzilon, rener) 2005-03-09 06:11:05 UTC

Created attachment 53007 [details, diff]
Patch for the 0.5 branch from Fedora

As Sune Kloppenborg Jeppesen reported, "size" in libexif 0.5.x became "ds" in
0.6.x . RedHat/Fedora Bugzilla bug 150506.

Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev

2005-03-10 15:36:15 UTC

Archs: Please mark 0.5.12-r2 stable

Comment 6 Markus Rothe (RETIRED) gentoo-dev

2005-03-10 22:10:59 UTC

stable on ppc64

Comment 7 Lina Pezzella (RETIRED) gentoo-dev

2005-03-11 20:13:24 UTC

Stable ppc-macos.

Comment 8 Bryan Østergaard (RETIRED) gentoo-dev

2005-03-11 20:30:10 UTC

Stable on alpha.

Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-03-12 00:39:28 UTC

Stable on ppc.

Comment 10 Luke Macken (RETIRED) gentoo-dev

2005-03-12 12:41:07 UTC

GLSA 200503-17

arm/hppa/ia64/mips, please mark stable to benefit from GLSA.

Comment 11 Hardave Riar (RETIRED) gentoo-dev

2005-03-12 23:47:51 UTC

Stable on mips.