Bug 771229 - VUL-0: libexif: fixed various overflows
VUL-0: libexif: fixed various overflows
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Marcus Meissner
Security Team bot
maint:released:sle10-sp4:48340 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-12 17:24 UTC by Marcus Meissner
Modified: 2015-02-19 10:30 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2012-2845.patch (3.17 KB, patch)
2012-07-12 17:25 UTC, Marcus Meissner
Details | Diff
CVE-2012-2814.patch (6.78 KB, patch)
2012-07-12 17:26 UTC, Marcus Meissner
Details | Diff
CVE-2012-2840.patch (4.13 KB, patch)
2012-07-12 17:28 UTC, Marcus Meissner
Details | Diff
CVE-2012-2813.patch (1.96 KB, patch)
2012-07-12 17:28 UTC, Marcus Meissner
Details | Diff
CVE-2012-2812.patch (6.31 KB, patch)
2012-07-12 17:29 UTC, Marcus Meissner
Details | Diff
CVE-2012-2841.patch (5.11 KB, patch)
2012-07-12 17:30 UTC, Marcus Meissner
Details | Diff
CVE-2012-2836.patch (3.41 KB, patch)
2012-07-12 17:31 UTC, Marcus Meissner
Details | Diff
CVE-2012-2836-2.patch (2.40 KB, patch)
2012-07-12 17:31 UTC, Marcus Meissner
Details | Diff
CVE-2012-2837.patch (4.56 KB, patch)
2012-07-12 17:32 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2012-07-12 17:24:48 UTC
via cvs commits

* Fixed bug that caused read past the end of a buffer (CVE-2012-2845)
Comment 1 Marcus Meissner 2012-07-12 17:25:27 UTC
Created attachment 498451 [details]
CVE-2012-2845.patch

as applied by Dan
Comment 2 Marcus Meissner 2012-07-12 17:26:46 UTC
Created attachment 498453 [details]
CVE-2012-2814.patch

CVE-2012-2814

Fixed some buffer overflows in exif_entry_format_value()
Comment 3 Marcus Meissner 2012-07-12 17:28:00 UTC
Created attachment 498454 [details]
CVE-2012-2840.patch

CVE-2012-2840

Fixed an off-by-one error in exif_convert_utf16_to_utf8()   
This can cause a one-byte NUL write past the end of the buffer.
Comment 4 Marcus Meissner 2012-07-12 17:28:37 UTC
Created attachment 498455 [details]
CVE-2012-2813.patch

CVE-2012-2813

Don't read past the end of a tag when converting from UTF-16
Comment 5 Marcus Meissner 2012-07-12 17:29:16 UTC
Created attachment 498456 [details]
CVE-2012-2812.patch

CVE-2012-2812

Fixed an out of bounds read on corrupted input.
The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
NUL-terminated.
Comment 6 Marcus Meissner 2012-07-12 17:30:23 UTC
Created attachment 498457 [details]
CVE-2012-2841.patch

CVE-2012-2841

Fixed a buffer overflow problem in exif_entry_get_value
If the application passed in a buffer length of 0, then it would
be treated as the buffer had unlimited length.
Comment 7 Marcus Meissner 2012-07-12 17:31:11 UTC
Created attachment 498458 [details]
CVE-2012-2836.patch

CVE-2012-2836

Fix a buffer overflow on corrupt EXIF data.
This fixes bug #3434540 and fixes part of CVE-2012-2836
Comment 8 Marcus Meissner 2012-07-12 17:31:55 UTC
Created attachment 498459 [details]
CVE-2012-2836-2.patch

CVE-2012-2836

Fix a buffer overflow on corrupted JPEG data
An unsigned data length might wrap around when decremented
below zero, bypassing sanity checks on length.
This code path can probably only occur if exif_data_load_data()
is called directly by the application on data that wasn't parsed
by libexif itself.
This solves the other part of CVE-2012-2836
Comment 9 Marcus Meissner 2012-07-12 17:32:29 UTC
Created attachment 498460 [details]
CVE-2012-2837.patch

CVE-2012-2837

Fixed some possible division-by-zeros in Olympus-style makernotes
This fixes bug #3434545, a.k.a. CVE-2012-2837
Comment 10 Marcus Meissner 2012-07-12 17:33:40 UTC
CVE-2012-2845 is actually for "exif", the commandline tool. Not the library libexif.

The others are for the library.
Comment 11 Marcus Meissner 2012-07-12 17:48:10 UTC
libexif/ChangeLog:

2012-07-12  Dan Fandrich <dan@coneharvesters.com>

       * Fixed some buffer overflows in exif_entry_format_value()
         This fixes CVE-2012-2814.  Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an off-by-one error in exif_convert_utf16_to_utf8()
         This can cause a one-byte NUL write past the end of the buffer.
         This fixes CVE-2012-2840
       * Don't read past the end of a tag when converting from UTF-16
         This fixes CVE-2012-2813. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an out of bounds read on corrupted input
         The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
         NUL-terminated.
         This fixes CVE-2012-2812. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed a buffer overflow problem in exif_entry_get_value
         If the application passed in a buffer length of 0, then it would
         be treated as the buffer had unlimited length.
         This fixes CVE-2012-2841
       * Fix a buffer overflow on corrupt EXIF data.
         This fixes bug #3434540 and fixes part of CVE-2012-2836
         Reported by Yunho Kim
       * Fix a buffer overflow on corrupted JPEG data
         An unsigned data length might wrap around when decremented
         below zero, bypassing sanity checks on length.
         This code path can probably only occur if exif_data_load_data()
         is called directly by the application on data that wasn't parsed
         by libexif itself.
         This solves the other part of CVE-2012-2836
       * Fixed some possible division-by-zeros in Olympus-style makernotes
         This fixes bug #3434545, a.k.a. CVE-2012-2837
         Reported by Yunho Kim
Comment 12 Swamp Workflow Management 2012-07-12 22:00:15 UTC
bugbot adjusting priority
Comment 13 Swamp Workflow Management 2012-07-13 14:12:34 UTC
The SWAMPID for this issue is 48261.
This issue was rated as important.
Please submit fixed packages until 2012-07-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 14 Swamp Workflow Management 2012-07-23 13:29:57 UTC
Update released for: libexif, libexif-32bit, libexif-debuginfo, libexif-debuginfo-32bit, libexif-debuginfo-x86, libexif-debugsource, libexif-devel, libexif-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 15 Swamp Workflow Management 2012-07-23 13:43:50 UTC
Update released for: libexif
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 16 Sebastian Krahmer 2012-07-23 14:43:26 UTC
done, only opensuse left
Comment 17 Swamp Workflow Management 2012-07-23 15:08:59 UTC
Update released for: libexif
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 18 Swamp Workflow Management 2012-07-25 13:08:28 UTC
openSUSE-SU-2012:0914-1: An update that fixes 7 vulnerabilities is now available.

Category: security (low)
Bug References: 771229
CVE References: CVE-2012-2812,CVE-2012-2813,CVE-2012-2814,CVE-2012-2836,CVE-2012-2837,CVE-2012-2840,CVE-2012-2841
Sources used:
openSUSE 12.1 (src):    libexif-0.6.20-10.4.1
openSUSE 11.4 (src):    libexif-0.6.20-10.1
Comment 19 Bernhard Wiedemann 2012-07-30 17:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (771229) was mentioned in
https://build.opensuse.org/request/show/129342 Evergreen:11.2 / libexif
https://build.opensuse.org/request/show/129344 Evergreen:11.2 / libexif
Comment 20 Bernhard Wiedemann 2012-08-02 13:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (771229) was mentioned in
https://build.opensuse.org/request/show/129664 Evergreen:11.2 / libexif
Comment 21 Marcus Meissner 2012-08-07 07:14:32 UTC
closed