Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 754681 (CVE-2020-0181, CVE-2020-0198, CVE-2020-0452) - <media-libs/libexif-0.6.22_p20201105: Multiple vulnerabilities (CVE-2020-{0181,0198,0452})
Summary: <media-libs/libexif-0.6.22_p20201105: Multiple vulnerabilities (CVE-2020-{018...
Status: CONFIRMED
Alias: CVE-2020-0181, CVE-2020-0198, CVE-2020-0452
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cleanup cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-15 09:14 UTC by Sam James
Modified: 2020-11-23 16:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-11-15 09:14:09 UTC
CVE-2020-0181:
"In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."

CVE-2020-0198:
"In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation."

CVE-2020-0452:
"In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation."

Fedora's patches: https://src.fedoraproject.org/rpms/libexif/c/49ff63ac9aaff59aba793760540355817e2b3987?branch=master

Both CVE-2020-0181 and CVE-2020-0198 are fixed together upstream by: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c

CVE-2020-0452 is fixed by: https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06.
Comment 1 Larry the Git Cow gentoo-dev 2020-11-15 09:24:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a59b09f96fe636adc1fa857c1fa7d52d6c6f28b

commit 2a59b09f96fe636adc1fa857c1fa7d52d6c6f28b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-15 09:24:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-15 09:24:24 +0000

    media-libs/libexif: security bump to 20201105 snapshot
    
    Bug: https://bugs.gentoo.org/754681
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libexif/Manifest                        |  1 +
 media-libs/libexif/libexif-0.6.22_p20201105.ebuild | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2020-11-15 09:28:49 UTC Comment hidden (obsolete)
Comment 3 Ivan Grynko 2020-11-15 10:34:37 UTC
>>> Configuring source in /tmp/portage/media-libs/libexif-0.6.22_p20201105/work/libexif-9266d14b5ca4e29b970fa03272318e5f99386e06 ...
 * abi_x86_32.x86: running multilib-minimal_abi_src_configure
 * ERROR: media-libs/libexif-0.6.22_p20201105::gentoo failed (configure phase):
 *   no configure script found
 * 
 * Call stack:
 *          ebuild.sh, line  125:  Called src_configure
 *        environment, line 1633:  Called multilib-minimal_src_configure
 *        environment, line 1085:  Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
 *        environment, line 1338:  Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *        environment, line 1015:  Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *        environment, line 1013:  Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
 *        environment, line  400:  Called multilib-minimal_abi_src_configure
 *        environment, line 1079:  Called multilib_src_configure
 *
Comment 4 Larry the Git Cow gentoo-dev 2020-11-15 10:41:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4487f6ef155fc063b80ca2c6fa56f02d1436d11b

commit 4487f6ef155fc063b80ca2c6fa56f02d1436d11b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-15 10:41:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-15 10:41:37 +0000

    media-libs/libexif: fix multilib build
    
    Bug: https://bugs.gentoo.org/754681
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libexif/libexif-0.6.22_p20201105.ebuild | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
Comment 5 Sam James archtester gentoo-dev Security 2020-11-15 10:42:51 UTC
(In reply to Ivan Grynko from comment #3)
> >>> Configuring source in /tmp/portage/media-libs/libexif-0.6.22_p20201105/work/libexif-9266d14b5ca4e29b970fa03272318e5f99386e06 ...
>  * abi_x86_32.x86: running multilib-minimal_abi_src_configure
>  * ERROR: media-libs/libexif-0.6.22_p20201105::gentoo failed (configure
> phase):
>  *   no configure script found

Thanks to both you and josef64!
Comment 6 Sam James archtester gentoo-dev Security 2020-11-16 00:11:52 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-11-16 00:22:18 UTC
arm64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-11-16 00:41:21 UTC
arm done
Comment 9 Sam James archtester gentoo-dev Security 2020-11-16 00:41:53 UTC
arm done
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-11-16 20:53:15 UTC
This issue was resolved and addressed in
 GLSA 202011-19 at https://security.gentoo.org/glsa/202011-19
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-11-16 20:53:37 UTC
re-opened for final arches and cleanup.
Comment 12 Sam James archtester gentoo-dev Security 2020-11-16 21:25:58 UTC
sparc done
Comment 13 Sam James archtester gentoo-dev Security 2020-11-16 21:26:47 UTC
ppc done
Comment 14 Sam James archtester gentoo-dev Security 2020-11-16 21:27:03 UTC
ppc64 stable
Comment 15 Sam James archtester gentoo-dev Security 2020-11-16 21:27:43 UTC
x86 done
Comment 16 Rolf Eike Beer 2020-11-22 15:40:27 UTC
hppa stable
Comment 17 John Helmert III (ajak) 2020-11-23 16:21:43 UTC
Please cleanup.