Bugzilla – Bug 70887
VUL-0: CVE-2005-0664: libexif buffer overflow
Last modified: 2021-11-02 16:08:51 UTC
We received the following report via vendor-sec. The issue is public.

Date: Fri, 4 Mar 2005 13:42:07 +0100
From: Martin Pitt <martin.pitt@canonical.com>
To: Vendor Security <vendor-sec@lst.de>
Subject: [vendor-sec] libexif potential buffer overflow

Hi!

Ubuntu just received a bug report in our (public) bugzilla about a potential buffer overflow due to unchecked input in libexif:

https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152

After looking at libexif code, the patch (pasted below) looks pretty good to me. However, I'd appreciate another pair of eyes on it.

Also, can somebody please assign a CAN number?

Thanks,

Martin

--- libexif-0.6.9/libexif/exif-data.c~	2005-03-03 22:54:52.333049248 +0100
+++ libexif-0.6.9/libexif/exif-data.c	2005-03-03 22:50:57.117807400 +0100
@@ -640,7 +640,7 @@
 #endif
 
 	/* Byte order (offset 6, length 2) */
-	if (ds < 12)
+	if (ds < 14)
 		return;
 	if (!memcmp (d + 6, "II", 2))
 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
@@ -659,12 +659,18 @@
 	printf ("IFD 0 at %i.\n", (int) offset);
 #endif
 
+	if (ds < 6 + 4 + offset)
+		return;
+
 	/* Parse the actual exif data (offset 14) */
 	exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6, ds - 6, offset);
 
 	/* IFD 1 offset */
 	n = exif_get_short (d + 6 + offset, data->priv->order);
+	if (ds < 6 + offset + 2 + 12 * n + 4)
+		return;
+
 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
 	if (offset) {
 #ifdef DEBUG

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer                  http://www.ubuntulinux.org
Debian GNU/Linux Developer        http://www.debian.org
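Review bot: The new bound in the first hunk, `if (ds < 14)`, is the right value but the comment above it, "Byte order (offset 6, length 2)", no longer explains it: the code that follows reads the 2-byte byte-order mark at d+6 and then the 4-byte IFD 0 offset at d+10, so the last byte touched is d[13] and the old `ds < 12` let the offset read run 2 bytes past the buffer. Please extend the comment to say that the whole 8-byte TIFF header (byte order, magic, IFD 0 offset) at offsets 6..13 is validated here, so the constant does not get "corrected" back to 12 later.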
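Review bot: Both new checks in the second hunk, `if (ds < 6 + 4 + offset)` and `if (ds < 6 + offset + 2 + 12 * n + 4)`, add to `offset` before comparing, and `offset` is the attacker-controlled 32-bit unsigned value just read with exif_get_long; an offset near the top of the 32-bit range wraps the sum to a small number, the `ds <` test passes, and `exif_get_short (d + 6 + offset, ...)` still reads out of bounds. Since the first hunk already guarantees ds >= 14, the same conditions can be written without overflow by subtracting from ds instead, e.g. `if (offset > ds - 10) return;` and then `if (12 * n + 4 > ds - 8 - offset) return;` (12 * n cannot overflow since n is a 16-bit value), which keeps the intended bounds while making the comparison safe for any offset.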
The second hunk is not needed. The other 2 are probably for <9.3.
*** Bug 71073 has been marked as a duplicate of this bug. ***
CAN-2005-0664
surface
Backporting is very hard, and this is mostly a DoS issue. Fixed in 9.3/STABLE.
SWAMPID: 768
patchinfos submitted.
updated packages released
CVE-2005-0664: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)