| Summary: | libexif new security issue CVE-2020-12767 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, dan, mageia, qa-bugs, tarazed25 |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | libexif-0.6.21-16.mga8.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 26650 | | |
| Bug Blocks: | | | |

Description
David Walser
2020-05-14 22:29:24 CEST
David Walser
2020-05-14 22:29:37 CEST
Whiteboard: (none) => MGA7TOO

No evident maintainer for this, so having to assign it globally.

Assignee: bugsquad => pkg-bugs

Fix pushed into cauldron.

CC: (none) => mageia

Pushed in updates testing.

Advisory:
========================

A new version of libexif. It fixes CVE-2020-12767

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-14.2.mga7
libexif12-0.6.21-14.2.mga7
libexif-devel-0.6.21-14.2.mga7
libexif-debugsource-0.6.21-14.2.mga7
libexif12-debuginfo-0.6.21-14.2.mga7

from:
libexif-0.6.21-14.2.mga7

Assignee: pkg-bugs => qa-bugs

Advisory:
========================

Updated libexif packages fix security vulnerability:

exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error (CVE-2020-12767).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
https://usn.ubuntu.com/4358-1/

mga7, x86_64

A reproducer is listed against CVE-2020-12767 at https://github.com/libexif/libexif/issues/31 but it involves building a "fuzzer" using "infra/helper.py". There are several instances of helper.py scripts on the system - which one? This is a little outside QA's remit.

The package was already installed. The library is used by a large number of packages including exif, caja, darktable, eom/eog, geeqie, feh, ristretto and tellico. Those examples have been used on a number of occasions without any problems.

Updated the packages.

```
$ rpm -qa | grep exif
lib64exif-devel-0.6.21-14.2.mga7
lib64exif12-0.6.21-14.2.mga7
libexif12-common-0.6.21-14.2.mga7
$ strace -o exif.trace exif LairigGhru_8.jpg
EXIF tags in 'LairigGhru_8.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |
Manufacturer        |SONY
Model               |DSC-HX1
Orientation         |Top-left
Software            |Adobe Photoshop CS4 Windows
.............
$ grep exif exif.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/exif.mo", O_RDONLY)
```

Browsed images:

```
$ strace -o astro.trace ristretto /data/astro
$ grep exif astro.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3
$ strace -o eom.trace eom *.png
$ grep exif eom.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3
```

No regressions.

Whiteboard: (none) => MGA7-64-OK

Validating. Assuming the advisory in Comment 4 is the more correct.

CC: (none) => andrewsfarm, sysadmin-bugs

I really suggest upgrading to libexif 0.6.22 instead of trying to patch 0.6.21. I count patches for 6 CVEs in svn right now while 9 were announced for 0.6.22. There were also some changes in 0.6.22 that may have had security implications but didn't get a CVE. The newer version is highly compatible with the older one, although there are some minor output formatting differences that are more likely to affect test suites than anything else.

CC: (none) => dan

David Walser
2020-05-21 14:17:31 CEST
Depends on: (none) => 26650

libexif update moved to Bug 26650.

Whiteboard: MGA7-64-OK => (none)

Should we close this one as a duplicate of https://bugs.mageia.org/show_bug.cgi?id=26650 ?

Nicolas Lécureuil
2020-05-22 01:41:13 CEST
Assignee: mageia => qa-bugs

No, but we can only have one bug assigned to QA.

Assignee: qa-bugs => mageia

Fixed in: https://advisories.mageia.org/MGASA-2020-0238.html

Status: ASSIGNED => RESOLVED