754681 – (CVE-2020-0181, CVE-2020-0198, CVE-2020-0452) <media-libs/libexif-0.6.22_p20201105: Multiple vulnerabilities (CVE-2020-{0181,0198,0452})

Bug 754681 (CVE-2020-0181, CVE-2020-0198, CVE-2020-0452) - <media-libs/libexif-0.6.22_p20201105: Multiple vulnerabilities (CVE-2020-{0181,0198,0452})

Summary: <media-libs/libexif-0.6.22_p20201105: Multiple vulnerabilities (CVE-2020-{018...

Status:	RESOLVED FIXED

Alias:	CVE-2020-0181, CVE-2020-0198, CVE-2020-0452

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa+ cve]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2020-11-15 09:14 UTC by Sam James
Modified:	2020-12-27 09:31 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/18828
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-11-15 09:14:09 UTC

CVE-2020-0181:
"In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."

CVE-2020-0198:
"In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation."

CVE-2020-0452:
"In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation."

Fedora's patches: https://src.fedoraproject.org/rpms/libexif/c/49ff63ac9aaff59aba793760540355817e2b3987?branch=master

Both CVE-2020-0181 and CVE-2020-0198 are fixed together upstream by: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c

CVE-2020-0452 is fixed by: https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06.

Comment 1 Larry the Git Cow gentoo-dev

2020-11-15 09:24:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a59b09f96fe636adc1fa857c1fa7d52d6c6f28b

commit 2a59b09f96fe636adc1fa857c1fa7d52d6c6f28b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-15 09:24:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-15 09:24:24 +0000

    media-libs/libexif: security bump to 20201105 snapshot
    
    Bug: https://bugs.gentoo.org/754681
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libexif/Manifest                        |  1 +
 media-libs/libexif/libexif-0.6.22_p20201105.ebuild | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)

Comment 2 NATTkA bot gentoo-dev

2020-11-15 09:28:49 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-libs/libexif-20201105

Comment 3 Ivan Grynko 2020-11-15 10:34:37 UTC

>>> Configuring source in /tmp/portage/media-libs/libexif-0.6.22_p20201105/work/libexif-9266d14b5ca4e29b970fa03272318e5f99386e06 ...
 * abi_x86_32.x86: running multilib-minimal_abi_src_configure
 * ERROR: media-libs/libexif-0.6.22_p20201105::gentoo failed (configure phase):
 *   no configure script found
 * 
 * Call stack:
 *          ebuild.sh, line  125:  Called src_configure
 *        environment, line 1633:  Called multilib-minimal_src_configure
 *        environment, line 1085:  Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
 *        environment, line 1338:  Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *        environment, line 1015:  Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
 *        environment, line 1013:  Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
 *        environment, line  400:  Called multilib-minimal_abi_src_configure
 *        environment, line 1079:  Called multilib_src_configure
 *

Comment 4 Larry the Git Cow gentoo-dev

2020-11-15 10:41:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4487f6ef155fc063b80ca2c6fa56f02d1436d11b

commit 4487f6ef155fc063b80ca2c6fa56f02d1436d11b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-15 10:41:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-15 10:41:37 +0000

    media-libs/libexif: fix multilib build
    
    Bug: https://bugs.gentoo.org/754681
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libexif/libexif-0.6.22_p20201105.ebuild | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

Comment 5 Sam James archtester

2020-11-15 10:42:51 UTC

(In reply to Ivan Grynko from comment #3)
> >>> Configuring source in /tmp/portage/media-libs/libexif-0.6.22_p20201105/work/libexif-9266d14b5ca4e29b970fa03272318e5f99386e06 ...
>  * abi_x86_32.x86: running multilib-minimal_abi_src_configure
>  * ERROR: media-libs/libexif-0.6.22_p20201105::gentoo failed (configure
> phase):
>  *   no configure script found

Thanks to both you and josef64!

Comment 6 Sam James archtester

2020-11-16 00:11:52 UTC

amd64 done

Comment 7 Sam James archtester

2020-11-16 00:22:18 UTC

arm64 done

Comment 8 Sam James archtester

2020-11-16 00:41:21 UTC

arm done

Comment 9 Sam James archtester

2020-11-16 00:41:53 UTC

arm done

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2020-11-16 20:53:15 UTC

This issue was resolved and addressed in
 GLSA 202011-19 at https://security.gentoo.org/glsa/202011-19
by GLSA coordinator Aaron Bauman (b-man).

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2020-11-16 20:53:37 UTC

re-opened for final arches and cleanup.

Comment 12 Sam James archtester

2020-11-16 21:25:58 UTC

sparc done

Comment 13 Sam James archtester

2020-11-16 21:26:47 UTC

ppc done

Comment 14 Sam James archtester

2020-11-16 21:27:03 UTC

ppc64 stable

Comment 15 Sam James archtester

2020-11-16 21:27:43 UTC

x86 done

Comment 16 Rolf Eike Beer archtester

2020-11-22 15:40:27 UTC

hppa stable

Comment 17 John Helmert III archtester

2020-11-23 16:21:43 UTC

Please cleanup.

Comment 18 Larry the Git Cow gentoo-dev

2020-12-27 09:29:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4b670bf10be44aa2a4108c8e0bb79662aa2421c

commit f4b670bf10be44aa2a4108c8e0bb79662aa2421c
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-27 08:51:06 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-12-27 09:29:03 +0000

    media-libs/libexif: security cleanup (drop <0.6.22_p20201105)
    
    Bug: https://bugs.gentoo.org/754681
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18828
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libexif/Manifest              |  1 -
 media-libs/libexif/libexif-0.6.22.ebuild | 49 --------------------------------
 2 files changed, 50 deletions(-)

Comment 19 John Helmert III archtester

2020-12-27 09:31:39 UTC

Tree is clean, all done!