Bug 25674

Summary: libexif new security issue CVE-2019-9278
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cjw, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libexif-0.6.21-14.mga7.src.rpm CVE: CVE-2019-9278
Status comment:

Description David Walser 2019-11-09 15:12:43 CET 
Chromium fixed an issue in its bundled libexif:
https://www.openwall.com/lists/oss-security/2019/11/07/1

There's a link to the fix in the message above.
David Walser 2019-11-09 15:12:51 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Christiaan Welvaart 2019-11-09 15:19:16 CET 
Note that according to that mail the fix in a bundled libexif is not in chromium but in android.

CC: (none) => cjw

Comment 2 David Walser 2019-11-09 15:34:09 CET 
Thanks for the correction.  I was in a hurry.
Comment 3 Lewis Smith 2019-11-09 22:14:05 CET 
See also bug 25675 (for libvpx). Because...
(In reply to Christiaan Welvaart from comment #1)
> Note that according to that mail the fix in a bundled libexif is not in
> chromium but in android.
is analogous, and you (David) closed that other bug in consequence. I do not want to tread on toes, so please do likewise if appropriate.
OTOH if this bug remains valid, libexif has no maintainer so the bug needs assigning globally to pkg-bugs.

CC: (none) => lewyssmith

Comment 4 Nicolas Salguero 2019-11-13 10:44:28 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. (CVE-2019-9278)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
https://www.openwall.com/lists/oss-security/2019/11/07/1
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-14.1.mga7
lib(64)exif12-0.6.21-14.1.mga7
lib(64)exif-devel-0.6.21-14.1.mga7

from SRPMS:
libexif-0.6.21-14.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-9278

Comment 5 Lewis Smith 2019-11-13 18:53:20 CET 
Thank you Nicolas for pushing this bug along on the right rails.

CC: lewyssmith => (none)

Comment 6 Herman Viaene 2019-11-18 16:28:03 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues. Installed the exif packageas well, in the hope that exif will use its own libs.
exif /mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG 
EXIF-labels in '/mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG' ('Intel' byte-volgorde):
--------------------+----------------------------------------------------------
Label               |waarde
--------------------+----------------------------------------------------------
Beschrijving van afb|OLYMPUS DIGITAL CAMERA         
Fabrikant           |OLYMPUS IMAGING CORP.  
Model               |E-500           
Oriƫntatie          |Linksboven
x-resolutie         |314
x-resolutie         |314
Resolutieeenheid    |Inch
Programmatuur       |Version 1.0                    
Datum en tijd       |2019:01:01 00:22:51
and a lot more
Seems OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Thomas Backlund 2019-11-19 19:19:39 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 7 Mageia Robot 2019-11-19 22:18:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0331.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED