
Bug 84076

Summary: media-libs/libexif buffer overflow (CAN-2005-0664)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: eradicator, sekretarz
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
  Patch for the 0.5 branch from Fedora (attachment 53007, flags: none)

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-03-04 04:54:10 UTC
From Ubuntu bug:

The exif library fails to validate input in several places, and a JPEG image with invalid exif data may crash the user application.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 02:50:40 UTC
Ubuntu patch over 0.6.9...

==============================================================
--- libexif-0.6.9/libexif/exif-data.c~	2005-03-03 22:54:52.333049248 +0100
+++ libexif-0.6.9/libexif/exif-data.c	2005-03-03 22:50:57.117807400 +0100
@@ -640,7 +640,7 @@
 #endif
 
 	/* Byte order (offset 6, length 2) */
-	if (ds < 12)
+	if (ds < 14)
 		return;
 	if (!memcmp (d + 6, "II", 2))
 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
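Review bot: the raised minimum `ds < 14` is a bare magic number; a short comment (or a named constant) stating that 14 is the 6-byte Exif header plus the 2-byte byte-order mark, the 2-byte TIFF magic and the 4-byte IFD 0 offset that are read before the data at `offset 14` would make the bound checkable against the `/* Byte order (offset 6, length 2) */` and `/* Parse the actual exif data (offset 14) */` comments around it. The silent `return;` also leaves the caller with no sign that the block was rejected as truncated; if the library has an error or log path, using it here would help anyone debugging a crash-test corpus.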
@@ -659,12 +659,18 @@
 	printf ("IFD 0 at %i.\n", (int) offset);
 #endif
 
+	if (ds < 6 + 4 + offset)
+		return;
+
 	/* Parse the actual exif data (offset 14) */
 	exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
 				     ds - 6, offset);
 
 	/* IFD 1 offset */
 	n = exif_get_short (d + 6 + offset, data->priv->order);
+	if (ds < 6 + offset + 2 + 12 * n + 4)
+		return;
+
 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
 	if (offset) {
 #ifdef DEBUG
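Review bot: both new guards are written as additions to `offset` (`ds < 6 + 4 + offset` and `ds < 6 + offset + 2 + 12 * n + 4`), and `offset` is the 32-bit value `exif_get_long` returns at the bottom of this hunk. If `ds` and `offset` share an unsigned 32-bit type, an offset near the top of that range wraps the sum, both checks pass, and `d + 6 + offset` still points outside the buffer; writing them as subtractions from the length already known to be at least 14 (for example `if (offset > ds - 6 - 4) return;`) avoids the wrap. The `+ 4` in the first guard also deserves a comment: the read it protects, `exif_get_short (d + 6 + offset, ...)`, needs only 2 bytes, so it is not clear whether the extra 2 are meant to cover something inside `exif_data_load_data_content` or are simply generous.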
============================================================

This needs to be backported to 0.5, or the 0.6 branch needs to be unmasked and this patch applied. Backport looks easy, just a few variable names to change (e.g. "ds" was called "size").

Pulling eradicator in (as he was the one to mask it) for comments.
Pulling sekretarz in as he was the last committer.

Only the first hunk is not in upstream CVS yet. An equivalent of the second hunk is in CVS (exif-data.c v1.62) post 2.6.11.
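Added example (not libexif code and not from any commenter on this bug): a minimal C walk over the Exif/TIFF IFD chain that applies the kind of length checks the patch above adds, but before each read and with bounds computed by subtraction so a file-supplied offset cannot wrap the comparison. It assumes the layout the patch comments describe (Exif header at offset 0, byte order at offset 6, IFD 0 offset read before offset 14, 12-byte IFD entries); `exif_count_ifds`, `rd16`, `rd32`, `sample_ok` and the sample bytes are invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (Exif APP1 payload): 6-byte "Exif\0\0" header, then the TIFF
 * header at offset 6: byte order (2), magic 0x002a (2), IFD 0 offset (4, relative
 * to the TIFF start). Each IFD: 2-byte entry count, 12 bytes per entry, 4-byte
 * next-IFD offset (0 = none). All names below are invented for this example. */
static uint16_t rd16(const uint8_t *p, int intel) {
    return intel ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int intel) {
    uint32_t a = p[0], b = p[1], c = p[2], e = p[3];
    return intel ? (a | (b << 8) | (c << 16) | (e << 24)) : ((a << 24) | (b << 16) | (c << 8) | e);
}

/* Walks the IFD chain and returns how many IFDs were parsed, or -1 if any read
 * would fall outside d[0..ds). Each bound is computed by subtracting from the
 * known length instead of adding to the file-supplied offset, so a 32-bit offset
 * near UINT32_MAX cannot wrap the comparison the way `6 + 4 + offset` could. */
int exif_count_ifds(const uint8_t *d, size_t ds) {
    const uint8_t *tiff = d + 6;
    size_t tiff_len, n;
    uint32_t offset;
    int intel, count = 0;

    if (ds < 14 || memcmp(d, "Exif\0\0", 6) != 0) return -1; /* Exif + TIFF header */
    if (!memcmp(tiff, "II", 2)) intel = 1;
    else if (!memcmp(tiff, "MM", 2)) intel = 0;
    else return -1;
    if (rd16(tiff + 2, intel) != 0x002a) return -1;
    tiff_len = ds - 6;
    offset = rd32(tiff + 4, intel);
    while (offset) {
        if (offset > tiff_len - 2) return -1;                 /* entry count unreadable */
        n = rd16(tiff + offset, intel);
        if (n * 12 + 4 > tiff_len - 2 - offset) return -1;    /* entries + next-IFD pointer */
        if (++count > 8) return -1;      /* constructed cap: stops self-referential chains */
        offset = rd32(tiff + offset + 2 + n * 12, intel);
    }
    return count;
}

/* Constructed sample: Intel byte order, IFD 0 at TIFF offset 8 with one entry
 * (tag 0x0110, type SHORT, count 1, value 1), next-IFD pointer 0; 32 bytes. */
const uint8_t sample_ok[32] = {
    'E','x','i','f',0,0, 'I','I', 0x2a,0, 8,0,0,0,
    1,0, 0x10,0x01, 3,0, 1,0,0,0, 1,0,0,0, 0,0,0,0 };
```

Passing a shorter `ds` for the same bytes models a truncated APP1 segment, which is exactly the case the old `ds < 12` check let through.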
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2005-03-09 04:04:28 UTC
I'd say unmask it and apply to 0.6.  Most major packages have been fixed to support 0.6, but there may be a couple outliers that we missed...
Comment 3 René Rhéaume (a.k.a. repzilon, rener) 2005-03-09 06:02:06 UTC
There is a patch for the 0.5 branch released by/for Fedora
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/libexif-0.5.12-3.1.src.rpm

I will extract the patch from the SRPM and attach it here.
Comment 4 René Rhéaume (a.k.a. repzilon, rener) 2005-03-09 06:11:05 UTC
Created attachment 53007
Patch for the 0.5 branch from Fedora

As Sune Kloppenborg Jeppesen reported, "size" in libexif 0.5.x became "ds" in 0.6.x. RedHat/Fedora Bugzilla bug 150506.
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2005-03-10 15:36:15 UTC
Archs: Please mark 0.5.12-r2 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-03-10 22:10:59 UTC
stable on ppc64
Comment 7 Lina Pezzella (RETIRED) gentoo-dev 2005-03-11 20:13:24 UTC
Stable ppc-macos.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-11 20:30:10 UTC
Stable on alpha.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-12 00:39:28 UTC
Stable on ppc.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2005-03-12 12:41:07 UTC
GLSA 200503-17

arm/hppa/ia64/mips, please mark stable to benefit from GLSA.
Comment 11 Hardave Riar (RETIRED) gentoo-dev 2005-03-12 23:47:51 UTC
Stable on mips.