Bug 70887 (CVE-2005-0664)

Summary: VUL-0: CVE-2005-0664: libexif buffer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: krahmer
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-0664: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2005-03-04 13:55:15 UTC 
We received the following report via vendor-sec.
The issue is public.

Date: Fri, 4 Mar 2005 13:42:07 +0100
From: Martin Pitt <martin.pitt@canonical.com>
To: Vendor Security <vendor-sec@lst.de>
Subject: [vendor-sec] libexif potential buffer overflow

Hi!

Ubuntu just received a bug report in our (public) bugzilla about a
potential buffer overflow due to unchecked input in libexif:

  https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152

After looking at libexif code, the patch (pasted below) looks pretty
good to me. However, I'd appreciate another pair of eyes on it. Also,
can somebody please assign a CAN number?

Thanks,

Martin

--- libexif-0.6.9/libexif/exif-data.c~	2005-03-03 22:54:52.333049248 +0100
+++ libexif-0.6.9/libexif/exif-data.c	2005-03-03 22:50:57.117807400 +0100
@@ -640,7 +640,7 @@
 #endif
 
 	/* Byte order (offset 6, length 2) */
-	if (ds < 12)
+	if (ds < 14)
 		return;
 	if (!memcmp (d + 6, "II", 2))
 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
@@ -659,12 +659,18 @@
 	printf ("IFD 0 at %i.\n", (int) offset);
 #endif
 
+	if (ds < 6 + 4 + offset)
+		return;
+
 	/* Parse the actual exif data (offset 14) */
 	exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
 				     ds - 6, offset);
 
 	/* IFD 1 offset */
 	n = exif_get_short (d + 6 + offset, data->priv->order);
+	if (ds < 6 + offset + 2 + 12 * n + 4)
+		return;
+
 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
 	if (offset) {
 #ifdef DEBUG

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
Comment 1 Marcus Meissner 2005-03-04 14:34:40 UTC 
the second hunk is not needed. 
 
the other 2 are probably for <9.3
Comment 2 Marcus Meissner 2005-03-07 11:36:06 UTC 
*** Bug 71073 has been marked as a duplicate of this bug. ***
Comment 3 Ludwig Nussel 2005-03-08 09:21:57 UTC 
CAN-2005-0664
Comment 4 Marcus Meissner 2005-03-16 09:15:29 UTC 
surface
Comment 5 Marcus Meissner 2005-03-31 11:52:54 UTC 
backporting is very hard. and this is mostly a DOS issue. 
 
fixed in 9.3/STABLE
Comment 6 Marcus Meissner 2005-04-01 09:07:03 UTC 
.
Comment 7 Marcus Meissner 2005-04-01 09:42:20 UTC 
SWAMPID: 768
Comment 8 Marcus Meissner 2005-04-01 09:50:44 UTC 
patchinfos submitted.
Comment 9 Marcus Meissner 2005-04-12 15:06:48 UTC 
updated packages released
Comment 10 Thomas Biege 2009-10-13 21:09:55 UTC 
CVE-2005-0664: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)