679418 – (CVE-2018-20030) <media-libs/libexif-0.6.21-r3: input validation issue resulting in a denial of service (CVE-2018-20030)

Bug 679418 (CVE-2018-20030) - <media-libs/libexif-0.6.21-r3: input validation issue resulting in a denial of service (CVE-2018-20030)

Summary: <media-libs/libexif-0.6.21-r3: input validation issue resulting in a denial o...

Status:	RESOLVED FIXED

Alias:	CVE-2018-20030

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2019-03-04 16:50 UTC by GLSAMaker/CVETool Bot
Modified:	2019-03-28 15:01 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	media-libs/libexif-0.6.21-r3
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2019-03-04 16:50:38 UTC

CVE-2018-20030 (https://nvd.nist.gov/vuln/detail/CVE-2018-20030):
  An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF
  tags within libexif version 0.6.21 can be exploited to exhaust available CPU
  resources.

Comment 1 Larry the Git Cow gentoo-dev

2019-03-04 18:18:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcce9fb0f933198672777469411dd4774bb39ba3

commit bcce9fb0f933198672777469411dd4774bb39ba3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-04 18:18:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 18:18:46 +0000

    media-libs/libexif: rev bump to fix CVE-2018-20030
    
    While here, fix C89 compatibility issue, too.
    
    Bug: https://bugs.gentoo.org/679418
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/libexif-0.6.21-CVE-2018-20030.patch      | 117 +++++++++++++++++++++
 ...ibexif-0.6.21-fix-C89-compatibility-issue.patch |  30 ++++++
 media-libs/libexif/libexif-0.6.21-r3.ebuild        |  52 +++++++++
 3 files changed, 199 insertions(+)

Comment 2 Andreas Sturmlechner gentoo-dev

2019-03-20 16:56:30 UTC

No reason to wait any longer here imo.

Comment 3 Agostino Sarubbo gentoo-dev

2019-03-20 20:59:40 UTC

amd64 stable

Comment 4 Markus Meier gentoo-dev

2019-03-21 20:38:07 UTC

arm stable

Comment 5 Rolf Eike Beer archtester

2019-03-23 11:56:26 UTC

sparc stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2019-03-24 19:56:18 UTC

ia64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2019-03-24 20:33:39 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-03-24 20:36:44 UTC

ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2019-03-25 23:13:54 UTC

hppa stable

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2019-03-27 23:21:21 UTC

x86 stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2019-03-27 23:46:15 UTC

x86 stable

Comment 12 Yury German Gentoo Infrastructure

2019-03-28 03:28:56 UTC

GLSA Vote: No

Alpha, please continue stabilization.

Comment 13 Larry the Git Cow gentoo-dev

2019-03-28 09:03:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbee6a0b2a8d96991bdc616e243d1fb6ac55e66e

commit fbee6a0b2a8d96991bdc616e243d1fb6ac55e66e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-03-28 09:02:59 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-03-28 09:02:59 +0000

    media-libs/libexif-0.6.21-r3: alpha stable
    
    Bug: http://bugs.gentoo.org/679418
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 media-libs/libexif/libexif-0.6.21-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2019-03-28 15:01:47 UTC

tree is clean.