Bugzilla – Bug 771229
VUL-0: libexif: fixed various overflows
Last modified: 2015-02-19 10:30:47 UTC
via cvs commits * Fixed bug that caused read past the end of a buffer (CVE-2012-2845)
Created attachment 498451 [details] CVE-2012-2845.patch as applied by Dan
Created attachment 498453 [details] CVE-2012-2814.patch CVE-2012-2814 Fixed some buffer overflows in exif_entry_format_value()
Created attachment 498454 [details] CVE-2012-2840.patch CVE-2012-2840 Fixed an off-by-one error in exif_convert_utf16_to_utf8() This can cause a one-byte NUL write past the end of the buffer.
Created attachment 498455 [details] CVE-2012-2813.patch CVE-2012-2813 Don't read past the end of a tag when converting from UTF-16
Created attachment 498456 [details] CVE-2012-2812.patch CVE-2012-2812 Fixed an out of bounds read on corrupted input. The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not, NUL-terminated.
Created attachment 498457 [details] CVE-2012-2841.patch CVE-2012-2841 Fixed a buffer overflow problem in exif_entry_get_value If the application passed in a buffer length of 0, then it would be treated as the buffer had unlimited length.
Created attachment 498458 [details] CVE-2012-2836.patch CVE-2012-2836 Fix a buffer overflow on corrupt EXIF data. This fixes bug #3434540 and fixes part of CVE-2012-2836
Created attachment 498459 [details] CVE-2012-2836-2.patch CVE-2012-2836 Fix a buffer overflow on corrupted JPEG data An unsigned data length might wrap around when decremented below zero, bypassing sanity checks on length. This code path can probably only occur if exif_data_load_data() is called directly by the application on data that wasn't parsed by libexif itself. This solves the other part of CVE-2012-2836
Created attachment 498460 [details] CVE-2012-2837.patch CVE-2012-2837 Fixed some possible division-by-zeros in Olympus-style makernotes This fixes bug #3434545, a.k.a. CVE-2012-2837
CVE-2012-2845 is actually for "exif", the commandline tool. Not the library libexif. The others are for the library.
libexif/ChangeLog: 2012-07-12 Dan Fandrich <dan@coneharvesters.com> * Fixed some buffer overflows in exif_entry_format_value() This fixes CVE-2012-2814. Reported by Mateusz Jurczyk of Google Security Team * Fixed an off-by-one error in exif_convert_utf16_to_utf8() This can cause a one-byte NUL write past the end of the buffer. This fixes CVE-2012-2840 * Don't read past the end of a tag when converting from UTF-16 This fixes CVE-2012-2813. Reported by Mateusz Jurczyk of Google Security Team * Fixed an out of bounds read on corrupted input The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not, NUL-terminated. This fixes CVE-2012-2812. Reported by Mateusz Jurczyk of Google Security Team * Fixed a buffer overflow problem in exif_entry_get_value If the application passed in a buffer length of 0, then it would be treated as the buffer had unlimited length. This fixes CVE-2012-2841 * Fix a buffer overflow on corrupt EXIF data. This fixes bug #3434540 and fixes part of CVE-2012-2836 Reported by Yunho Kim * Fix a buffer overflow on corrupted JPEG data An unsigned data length might wrap around when decremented below zero, bypassing sanity checks on length. This code path can probably only occur if exif_data_load_data() is called directly by the application on data that wasn't parsed by libexif itself. This solves the other part of CVE-2012-2836 * Fixed some possible division-by-zeros in Olympus-style makernotes This fixes bug #3434545, a.k.a. CVE-2012-2837 Reported by Yunho Kim
bugbot adjusting priority
The SWAMPID for this issue is 48261. This issue was rated as important. Please submit fixed packages until 2012-07-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: libexif, libexif-32bit, libexif-debuginfo, libexif-debuginfo-32bit, libexif-debuginfo-x86, libexif-debugsource, libexif-devel, libexif-x86 Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: libexif Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
done, only opensuse left
Update released for: libexif Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
openSUSE-SU-2012:0914-1: An update that fixes 7 vulnerabilities is now available. Category: security (low) Bug References: 771229 CVE References: CVE-2012-2812,CVE-2012-2813,CVE-2012-2814,CVE-2012-2836,CVE-2012-2837,CVE-2012-2840,CVE-2012-2841 Sources used: openSUSE 12.1 (src): libexif-0.6.20-10.4.1 openSUSE 11.4 (src): libexif-0.6.20-10.1
This is an autogenerated message for OBS integration: This bug (771229) was mentioned in https://build.opensuse.org/request/show/129342 Evergreen:11.2 / libexif https://build.opensuse.org/request/show/129344 Evergreen:11.2 / libexif
This is an autogenerated message for OBS integration: This bug (771229) was mentioned in https://build.opensuse.org/request/show/129664 Evergreen:11.2 / libexif
closed