Bug 70887 - (CVE-2005-0664) VUL-0: CVE-2005-0664: libexif buffer overflow
Status: RESOLVED FIXED
Duplicates: 71073
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: All
Priority: P5 - None
Severity: Normal
Assigned To: Marcus Meissner
QA Contact: Security Team bot
Whiteboard: CVE-2005-0664: CVSS v2 Base Score: 2....
Reported: 2005-03-04 13:55 UTC by Ludwig Nussel
Modified: 2021-11-02 16:08 UTC
Found By: Other
Description Ludwig Nussel 2005-03-04 13:55:15 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Fri, 4 Mar 2005 13:42:07 +0100
From: Martin Pitt <martin.pitt@canonical.com>
To: Vendor Security <vendor-sec@lst.de>
Subject: [vendor-sec] libexif potential buffer overflow

Hi!

Ubuntu just received a bug report in our (public) bugzilla about a
potential buffer overflow due to unchecked input in libexif:

  https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152

After looking at libexif code, the patch (pasted below) looks pretty
good to me. However, I'd appreciate another pair of eyes on it. Also,
can somebody please assign a CAN number?

Thanks,

Martin

--- libexif-0.6.9/libexif/exif-data.c~	2005-03-03 22:54:52.333049248 +0100
+++ libexif-0.6.9/libexif/exif-data.c	2005-03-03 22:50:57.117807400 +0100
@@ -640,7 +640,7 @@
 #endif
 
 	/* Byte order (offset 6, length 2) */
-	if (ds < 12)
+	if (ds < 14)
 		return;
 	if (!memcmp (d + 6, "II", 2))
 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
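Review bot: the new bound in `if (ds < 14)` is the right minimum for this part of the function, and the old value of 12 was two bytes short: the comment says the byte-order marker sits at offset 6 with length 2, and the next hunk's comment "Parse the actual exif data (offset 14)" marks where the fixed header ends, so the 4-byte IFD 0 offset that precedes offset 14 could be read past the end of a 12- or 13-byte buffer. A short comment next to the constant (header ends at 14: 6-byte prefix, 2-byte order, 2-byte magic, 4-byte IFD 0 offset) would keep the bound from drifting again the next time the header parsing changes.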
@@ -659,12 +659,18 @@
 	printf ("IFD 0 at %i.\n", (int) offset);
 #endif
 
+	if (ds < 6 + 4 + offset)
+		return;
+
 	/* Parse the actual exif data (offset 14) */
 	exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
 				     ds - 6, offset);
 
 	/* IFD 1 offset */
 	n = exif_get_short (d + 6 + offset, data->priv->order);
+	if (ds < 6 + offset + 2 + 12 * n + 4)
+		return;
+
 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
 	if (offset) {
 #ifdef DEBUG
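Review bot: both new guards add to `offset`, a value read from the file (see the `exif_get_long` assignment at the end of the hunk), and `n` comes from `exif_get_short` on the same data; if `offset` is a 32-bit unsigned type, `6 + 4 + offset` and `6 + offset + 2 + 12 * n + 4` can wrap to a small number for a large `offset`, the `ds <` test then passes, and the subsequent reads at `d + 6 + offset` are again out of bounds. Safer is to compare the untrusted value against what remains after the header, e.g. `if (offset > ds - 10) return;` (valid once `ds >= 14` is established in the first hunk) and likewise `if (12 * (unsigned long) n + 4 > ds - 6 - offset - 2) return;`. The arithmetic of the guards is otherwise correct: `exif_get_short` needs 2 bytes at `d + 6 + offset`, and `exif_get_long` needs 4 bytes after the 2-byte entry count and `n` 12-byte IFD entries; a one-line comment stating that for each guard would make the magic numbers reviewable.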

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
Comment 1 Marcus Meissner 2005-03-04 14:34:40 UTC
the second hunk is not needed. 
 
the other 2 are probably for <9.3 
Comment 2 Marcus Meissner 2005-03-07 11:36:06 UTC
*** Bug 71073 has been marked as a duplicate of this bug. ***
Comment 3 Ludwig Nussel 2005-03-08 09:21:57 UTC
CAN-2005-0664 
Comment 4 Marcus Meissner 2005-03-16 09:15:29 UTC
surface 
Comment 5 Marcus Meissner 2005-03-31 11:52:54 UTC
backporting is very hard. and this is mostly a DOS issue. 
 
fixed in 9.3/STABLE 
Comment 6 Marcus Meissner 2005-04-01 09:07:03 UTC
. 
Comment 7 Marcus Meissner 2005-04-01 09:42:20 UTC
SWAMPID: 768 
Comment 8 Marcus Meissner 2005-04-01 09:50:44 UTC
patchinfos submitted. 
Comment 9 Marcus Meissner 2005-04-12 15:06:48 UTC
updated packages released 
Comment 10 Thomas Biege 2009-10-13 21:09:55 UTC
CVE-2005-0664: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)