Bug 1172121 – VUL-1: CVE-2020-13114: libexif: unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data

Bug 1172121 - (CVE-2020-13114) VUL-1: CVE-2020-13114: libexif: unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data

(CVE-2020-13114)
Summary:	VUL-1: CVE-2020-13114: libexif: unrestricted size in handling Canon EXIF Make...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Marcus Meissner
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/259955/
Whiteboard:	CVSSv2:NVD:CVE-2020-13114:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-05-26 12:06 UTC by Alexandros Toptsoglou
Modified:	2020-10-07 06:54 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2020-05-26 12:06:53 UTC

CVE-2020-13114

An issue was discovered in libexif before 0.6.22. An unrestricted size in
handling Canon EXIF MakerNote data could lead to consumption of large amounts of
compute time for decoding EXIF data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13114
https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114

Comment 1 OBSbugzilla Bot 2020-05-26 13:30:21 UTC

This is an autogenerated message for OBS integration:
This bug (1172121) was mentioned in
https://build.opensuse.org/request/show/809029 Factory / libexif

Comment 5 Swamp Workflow Management 2020-06-04 13:19:15 UTC

SUSE-SU-2020:1534-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121
CVE References: CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libexif-0.6.22-8.9.1
SUSE OpenStack Cloud 8 (src):    libexif-0.6.22-8.9.1
SUSE OpenStack Cloud 7 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libexif-0.6.22-8.9.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libexif-0.6.22-8.9.1
SUSE Enterprise Storage 5 (src):    libexif-0.6.22-8.9.1
HPE Helion Openstack 8 (src):    libexif-0.6.22-8.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2020-06-08 13:20:37 UTC

SUSE-SU-2020:1553-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121
CVE References: CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    libexif-0.6.22-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2020-06-11 13:13:39 UTC

openSUSE-SU-2020:0793-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121
CVE References: CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114
Sources used:
openSUSE Leap 15.1 (src):    libexif-0.6.22-lp151.4.6.1

Comment 8 Swamp Workflow Management 2020-07-08 13:23:11 UTC

SUSE-SU-2020:1553-2: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1055857,1059893,1120943,1160770,1171475,1171847,1172105,1172116,1172121
CVE References: CVE-2016-6328,CVE-2017-7544,CVE-2018-20030,CVE-2019-9278,CVE-2020-0093,CVE-2020-12767,CVE-2020-13112,CVE-2020-13113,CVE-2020-13114
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    libexif-0.6.22-5.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    libexif-0.6.22-5.6.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    libexif-0.6.22-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Marcus Meissner 2020-10-07 06:54:42 UTC

done