Bug 24373

Summary: libexif new security issue CVE-2018-20030
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: libexif-0.6.21-9.2.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2019-02-16 17:40:14 CET
Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVC5KUWUCW5SKSBJOLGYSLCWLZE54JC4/

Patched packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated libexif packages fix security vulnerability:

It was found that specially crafted EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF
tags could be used for a denial of service (CVE-2018-20030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVC5KUWUCW5SKSBJOLGYSLCWLZE54JC4/
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-9.3.mga6
libexif12-0.6.21-9.3.mga6
libexif-devel-0.6.21-9.3.mga6

from libexif-0.6.21-9.3.mga6.src.rpm

Comment 1 Len Lawrence 2019-02-18 20:53:45 CET
mga6, x86_64

Installed the current packages.

CVE-2018-20030
DOS vulnerability.
No POC available.

$ strace -o trace eom Sutherland_1.jpg
Manipulated the image.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3

$ strace -o trace eog LochCluanie_10.jpg
Rotated the image then browsed other images.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/libexif-12.mo", O_RDONLY) = 11

Ran caja and selected an image directory and clicked on an image, which was displayed via eom.

Ran the GIMP under strace, selected an image, scaled it, changed contrast and brightness and saved it as an xcf file.
$ grep exif trace
write(13, "\0\0\0\35plug-in-metadata-decode-exif"..., 512) = 512
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29

Does that relate to libexif?

Installed feh and ran that under strace.  Displayed an image, switched fullscreen and back, rotated the image and showed information.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3

Looks like it is working fine.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Dave Hodgins 2019-02-20 22:01:06 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2019-02-20 23:19:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0095.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED