Bug 26814

Summary: libexif new security issue CVE-2020-0198
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libexif-0.6.22-1.mga7.src.rpm CVE: CVE-2020-0198
Status comment:

Description David Walser 2020-06-18 18:02:06 CEST 
Debian-LTS has issued an advisory on June 13:
https://www.debian.org/lts/security/2020/dla-2249

Mageia 7 is also affected.
Comment 1 David Walser 2020-06-18 18:03:34 CEST 
Ubuntu has issued an advisory for this on June 16:
https://usn.ubuntu.com/4396-1/

Whiteboard: (none) => MGA7TOO

Comment 2 Lewis Smith 2020-06-18 20:29:37 CEST 
This has no regular maintainer, so assigning it globally. But CC'ing both Nicolas' who have committed it recently.

CC: (none) => mageia, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2020-06-20 21:30:28 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. (CVE-2020-0198)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0198
https://www.debian.org/lts/security/2020/dla-2249
https://usn.ubuntu.com/4396-1/
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.22-1.1.mga7
lib(64)exif12-0.6.22-1.1.mga7
lib(64)exif-devel-0.6.22-1.1.mga7

from SRPMS:
libexif-0.6.22-1.1.mga7.src.rpm

CVE: (none) => CVE-2020-0198
Version: Cauldron => 7
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2020-06-21 16:36:54 CEST 
mga7, x86_64

No PoC listed for CVE-2020-0198.
Working with JPEG and raw RAF format images before update.

Updated libexif12-common
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  lib64exif-devel                0.6.22       1.1.mga7      x86_64  
  lib64exif12                    0.6.22       1.1.mga7      x86_64  
  libexif12-common               0.6.22       1.1.mga7      x86_64  

RAW .RAF files rely on JPEG compression.
$ exif RAW_FUJI_S5PRO_V106.RAF
EXIF tags in 'RAW_FUJI_S5PRO_V106.RAF' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |FUJIFILM
Model               |FinePix S5Pro  
Orientation         |Top-left
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Software            |Digital Camera FinePix S5Pro   Ver1.06
Date and Time       |2007:05:27 13:55:17
[...]
Gamma               |2.2
GPS Tag Version     |2.2.0.0
Interoperability Ind|R03
Interoperability Ver|0100
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (9330 bytes).

$ exif GlenShiel.jpg
EXIF tags in 'GlenShiel.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |Panasonic
Model               |DMC-FZ28
Orientation         |Top-left
X-Resolution        |180
Y-Resolution        |180
...

$ exif glenShiel.j2k
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

$ exif GlenShiel.tif  
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

Those messages are expected.

ristretto is  an application which uses libexif.
Browsed an image folder:
$ strace -o astro.trace ristretto /data/astro
$ grep exif astro.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.4", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

$ strace -o exif.trace darktable LairigGhru_4.jpg
$ grep libexif exif.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.4", O_RDONLY) = 3

Good enough.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2020-06-23 15:24:53 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 00:04:50 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-07-05 00:48:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0273.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 7 David Walser 2020-11-05 23:03:29 CET 
*** Bug 27561 has been marked as a duplicate of this bug. ***
Comment 8 David Walser 2020-11-05 23:04:11 CET 
(In reply to David Walser from comment #7)
> *** Bug 27561 has been marked as a duplicate of this bug. ***

This update also fixed CVE-2020-0181, and CVE-2020-0182 was fixed in 0.6.22.

Status: RESOLVED => UNCONFIRMED
Ever confirmed: 1 => 0
Resolution: FIXED => (none)

Comment 9 Aurelien Oudelet 2020-11-08 11:20:19 CET 
Status of this bug report?

CC: (none) => ouaurelien
Whiteboard: MGA7-64-OK => (none)
Keywords: advisory, validated_update => NEEDINFO

Aurelien Oudelet 2020-11-08 11:45:31 CET

Keywords: NEEDINFO => feedback

David Walser 2020-11-08 14:41:30 CET

Whiteboard: (none) => MGA7-64-OK
Keywords: feedback => advisory, validated_update

Comment 10 David Walser 2020-11-08 14:42:31 CET 
I have no idea why marking a duplicate re-opened this bug.

Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED