Bug 178081 - media-libs/libexif < 0.6.14 Information Handling Vulnerability (CVE-2007-2645)
Summary: media-libs/libexif < 0.6.14 Information Handling Vulnerability (CVE-2007-2645)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25235/
Whiteboard: B2 [glsa] p-y
Keywords:
Depends on:
Blocks:
Reported: 2007-05-11 17:54 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2020-03-28 23:11 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-11 17:54:49 UTC
Victor Stinner has reported a vulnerability in libexif, which can be exploited by malicious people to cause a DoS and potentially compromise an application using the library.

The vulnerability is caused due to an error within the handling of malformed EXIF information. This can be exploited to crash an application using the library and may allow execution of arbitrary code.

Solution:
Update to version 0.6.14.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-11 17:56:02 UTC
Setting status and CC'ing maintainer. Jeremy, please advise and bump as necessary.
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-21 18:22:40 UTC
I'll look at this this evening
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-21 18:23:05 UTC
Whoops, didn't mean to change to NEW.
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-27 05:38:37 UTC
0.6.14 was giving me headaches, but they just released 0.6.15 and the ebuild is in portage now. I haven't had much time to test, so arches, please give it a beating. Make sure to test the crashing JPEG in this bug report:

http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-27 07:38:26 UTC
Thx Jeremy. Arches please test and mark stable. Target keywords are:

libexif-0.6.15.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
Comment 6 Brent Baude (RETIRED) gentoo-dev 2007-05-27 13:03:40 UTC
ppc64 done
Comment 7 Jonas Pedersen 2007-05-27 13:45:58 UTC
media-libs/libexif-0.6.15  USE="nls -doc"

Emerges and works on AMD64. Did however require a revdep-rebuild. 

Portage 2.1.2.7 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r2, 2.6.20-gentoo-r7 x86_64)
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2007-05-27 14:38:55 UTC
Works fine on x86. digikam shows me EXIF information. One thing I've noticed is that some doc files are installed in /usr/share/doc/libexif, while others are in /usr/share/doc/libexif-0.6.15/.
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-27 16:12:30 UTC
Jonas, which version were you coming from that it required the revdep-rebuild?

Upstream was incorrectly bumping their soname between releases until we notified them about it sometime around 0.6.12.  I kept the soname the same on our systems (not matching upstream) because of their error.  They fixed their process and decided to keep their inflated soname, and our ebuilds started matching that sometime in the 0.6.13-rXs.

Additionally, we were using preserve_old_lib from eutils.eclass to keep around the old binary.  Because of this vulnerability, I decided that was not wise.

As for the docdir problem... sorry I missed that.  I'll make a note of it for myself and address it in a revbump bugfix later.  I don't think it's critical enough to hold this up.
Comment 10 Markus Meier gentoo-dev 2007-05-27 17:58:24 UTC
media-libs/libexif-0.6.15 USE="nls -doc"
1. emerges on x86
2. passes test suite
3. passes collision test
4. revdep-rebuild seems to be necessary.
old stable version:
# qlist libexif-0.6.13-r1 | grep libexif.so
/usr/lib/libexif.so.10.2.1
/usr/lib/libexif.so.10
/usr/lib/libexif.so
/usr/lib/libexif.so.9

new version:
# qlist libexif | grep libexif.so
/usr/lib/libexif.so.12.2.0
/usr/lib/libexif.so.12
/usr/lib/libexif.so
Comment 11 Jonas Pedersen 2007-05-27 18:53:57 UTC
Jeremy, I upgraded from 0.6.13-r1 (latest stable on AMD64). For instance, Gimp gives the error below when trying to open JPEG files.

/usr/lib64/gimp/2.0/plug-ins/jpeg: error while loading shared libraries: libexif.so.10: cannot open shared object file: No such file or directory
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-27 21:25:02 UTC
libexif.so.9 was kept around with preserve_old_lib, but since it is vulnerable, we're not preserving that one any more.

0.6.13-r1 produces libexif.so.10 (we were forcing the old soname because of incorrect upstream version bumping).

0.6.13-r2 produces libexif.so.12 (another dev rev-bumped, removing my soname hack and forcing a revdep-rebuild).

0.6.15 produces libexif.so.12 and matches the upstream version name.

It seems, given the circumstances (-r1 being the current stable), it might be wise to do a revbump and just have symlinks for .10 -> .12... or should we force the revdep-rebuild? I don't like the idea of having the symlink, but I also don't want to force people to rebuild parts of their system when they really don't need to. I'll wait for comments here before taking action.
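As an added example (not code from this bug or from Gentoo's own tools), the check that comments 10 to 12 describe in prose: work out which sonames the new libexif no longer ships, then find installed binaries whose loader can no longer resolve them. The two file lists are the qlist output from comment 10; the ldd-style lines are constructed, with the gimp entry taken from the loader error in comment 11 and nautilus standing in for the package named in comment 20.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Gentoo's tools.
# Inputs are constructed from paths quoted in the bug: the qlist output of
# comment 10 and the gimp plug-in loader error of comment 11; the nautilus
# line is made up to stand in for the package named in comment 20.

OLD_FILES='/usr/lib/libexif.so.10.2.1
/usr/lib/libexif.so.10
/usr/lib/libexif.so
/usr/lib/libexif.so.9'

NEW_FILES='/usr/lib/libexif.so.12.2.0
/usr/lib/libexif.so.12
/usr/lib/libexif.so'

# Constructed ldd-style output, one "binary: dependency => resolution" per line.
LDD_OUTPUT='/usr/lib64/gimp/2.0/plug-ins/jpeg: libexif.so.10 => not found
/usr/lib64/gimp/2.0/plug-ins/jpeg: libjpeg.so.62 => /usr/lib64/libjpeg.so.62
/usr/bin/digikam: libexif.so.12 => /usr/lib/libexif.so.12
/usr/bin/nautilus: libexif.so.10 => not found'

# Sonames (libNAME.so.N) shipped by the old version that the new one no longer
# provides. libexif.so.9 shows up too: it only existed as a preserved old copy.
dropped_sonames() {
    printf '%s\n' "$OLD_FILES" |
        sed -n 's#.*/\(lib[^/]*\.so\.[0-9][0-9]*\)$#\1#p' |
        while read -r so; do
            printf '%s\n' "$NEW_FILES" | sed 's#.*/##' | grep -qxF "$so" || echo "$so"
        done
}

# Binaries whose dynamic loader can no longer resolve a dropped soname. These
# are the consumers revdep-rebuild would rebuild; a .10 -> .12 symlink would
# only silence the loader error without restoring the ABI the soname promises.
stale_consumers() {
    dropped_sonames | while read -r so; do
        printf '%s\n' "$LDD_OUTPUT" |
            awk -v so="$so" -F': ' 'index($2, so " => not found") == 1 { print $1 " needs " so }'
    done | sort -u
}

echo "Sonames dropped between the two versions:"
dropped_sonames
echo "Consumers that must be rebuilt:"
stale_consumers
```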
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-28 04:42:08 UTC
Stable for HPPA.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-05-28 11:11:30 UTC
alpha/ia64/x86 stable
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-28 19:38:21 UTC
adding CVE reference (CVE-2007-2645)
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-29 05:38:27 UTC
ppc stable
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-29 17:04:23 UTC
sparc stable.
Comment 18 Peter Weller (RETIRED) gentoo-dev 2007-05-30 20:24:43 UTC
amd64 stable
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2007-06-02 18:58:15 UTC
Adding mips to CC since they weren't on it. They had 0.6.12 stable, which is vulnerable.
Comment 20 Anders Hellgren gentoo-dev 2007-06-03 11:20:23 UTC
Considering that nautilus is one of the affected packages you may want to add an elog notice about the .so bump.
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-05 21:34:26 UTC
GLSA 200706-01, thanks everybody.