| Summary: | exif new security issue CVE-2021-27815 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | exif-0.6.22-1.mga8.src.rpm | CVE: | CVE-2021-27815 |
| Status comment: | |||
|
Description
David Walser
2021-05-30 03:51:38 CEST
David Walser
2021-05-30 03:51:50 CEST
Status comment:
(none) =>
Patch available from Fedora
Another homeless SRPM, so assigning this to everyone.
Assignee:
bugsquad =>
pkg-bugs
Suggested advisory:
========================
The updated package fixes a security vulnerability:
NULL Pointer Dereference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash. (CVE-2021-27815)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27815
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMC6OTXZRPCUD3LOSWO4ISR7CH7NJQDT/
========================
Updated package in 7/core/updates_testing:
========================
exif-0.6.22-1.1.mga7
from SRPM:
exif-0.6.22-1.1.mga7.src.rpm
Updated package in 8/core/updates_testing:
========================
exif-0.6.22-1.1.mga8
from SRPM:
exif-0.6.22-1.1.mga8.src.rpm
Status:
NEW =>
ASSIGNED
mga8, x64
Before update:
CVE-2021-27815
https://github.com/libexif/exif/issues/4
$ exif poc.jpeg -x
<exif>
Segmentation fault (core dumped)
-x specifies output as XML. Without a specifier the image file report looks normal.
Updated exif and tried the PoC.
$ exif poc.jpeg -x
<exif>
<Manufacturer>empty string</Manufacturer>
<Model>ORATION</Model>
<Orientation>Top-left</Orientation>
<X-Resolution>1.104123369</X-Resolution>
<Y-Resolution>300</Y-Resolution>
<Resolution_Unit>Inch</Resolution_Unit>
<Software>empty string</Software>
<Date_and_Time>empty string</Date_and_Time>
<Exif_Version>Exif Version 2.1</Exif_Version>
<FlashPixVersion>FlashPix Version 1.0</FlashPixVersion>
<Colour_Space>Uncalibrated</Colour_Space>
</exif>
Good result.
Ran exif against a few files.
$ exif -i PIA02471_800.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
$ exif earth_cassinimessenger.jpg
EXIF tags in 'earth_cassinimessenger.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Orientation |Top-left
X-Resolution |72.0000
Y-Resolution |72.0000
Resolution Unit |Inch
Software |Adobe Photoshop CS6 (Windows)
Date and Time |2013:07:22 11:33:57
Compression |JPEG compression
X-Resolution |72
Y-Resolution |72
Resolution Unit |Inch
Colour Space |sRGB
Pixel X Dimension |1799
Pixel Y Dimension |958
Exif Version |Exif Version 2.1
FlashPixVersion |FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (5295 bytes).
$ exif -i earth_cassinimessenger.jpg
EXIF tags in 'earth_cassinimessenger.jpg' ('Motorola' byte order):
------+------------------------------------------------------------------------
Tag |Value
------+------------------------------------------------------------------------
0x0112|Top-left
0x011a|72.0000
0x011b|72.0000
0x0128|Inch
0x0131|Adobe Photoshop CS6 (Windows)
.....
$ exif -e -o thumbnail earth_cassinimessenger.jpg
Wrote file 'thumbnail'.
lcl@canopus:ss $ file thumbnail
thumbnail: JPEG image data, baseline, precision 8, 160x85, components 3
The thumbnail showed the Earth-moon as a dot under Saturn's rings but the captions were unreadable.
$ exif --tag=Software earth_cassinimessenger.jpg
EXIF entry 'Software' (0x131, 'Software') exists in IFD '0':
Tag: 0x131 ('Software')
Format: 2 ('ASCII')
Components: 30
Size: 30
Value: Adobe Photoshop CS6 (Windows)
Machine readable output:
$ exif -l -m ISS_Sun_Ergun.jpg
EXIF tags in 'ISS_Sun_Ergun.jpg': 0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
0x0002 Interoperability Version - - - - -
[...]
0xa500 Gamma - - - - -
0xc4a5 PRINT Image Matching - - - - -
0xea1c Padding - - - - -
Copied a file which did not appear to have any EXIF data and added a template containing a number of empty tag fields.
$ exif -c pia02471.jpg
Wrote file 'pia02471.jpg.modified.jpeg'.
$ exif -l pia02471.jpg.modified.jpeg
EXIF tags in 'pia02471.jpg.modified.jpeg': 0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
......
Actually setting the values of any tags is not so easy, Colour Space for instance:
$ exif --ifd=0 --tag=0xa001 --set-value='sRGB' pia02471.jpg.modified.jpeg
Numeric value expected
At a guess sRGB has some numerical equivalent.
That is as far as it goes for this one. Giving it an OK.
Whiteboard:
MGA7TOO =>
MGA7TOO MGA8-64-OK
Mageia 7, x86_64
Before update:
$ exif poc.jpeg -x
<exif>
Segmentation fault (core dumped)
After updating exif the PoC produced XML code without crashing.
$ exif PIA21923_CassiniVIMSTitan_MAIN.jpg
EXIF tags in 'PIA21923_CassiniVIMSTitan_MAIN.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Orientation |Top-left
X-Resolution |300.0000
Y-Resolution |300.0000
Resolution Unit |Inch
Software |Adobe Photoshop CC 2015.5 (Macintosh)
Date and Time |2018:07:09 16:06:26
Compression |JPEG compression
X-Resolution |72
Y-Resolution |72
Resolution Unit |Inch
Colour Space |sRGB
Pixel X Dimension |5448
Pixel Y Dimension |3686
Exif Version |Exif Version 2.1
FlashPixVersion |FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (5037 bytes).
$ exif -i PIA21923_CassiniVIMSTitan_MAIN.jpg
EXIF tags in 'PIA21923_CassiniVIMSTitan_MAIN.jpg' ('Motorola' byte order):
------+------------------------------------------------------------------------
Tag |Value
------+------------------------------------------------------------------------
0x0112|Top-left
0x011a|300.0000
...........
Extracted thumbnail.
$ exif -e -o minititan PIA21923_CassiniVIMSTitan_MAIN.jpg
Wrote file 'minititan'.
The image displays OK.
$ file PIA21923_CassiniVIMSTitan_MAIN.jpg minititan
PIA21923_CassiniVIMSTitan_MAIN.jpg: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC 2015.5 (Macintosh), datetime=2018:07:09 16:06:26], baseline, precision 8, 5448x3686, components 3
minititan: JPEG image data, baseline, precision 8, 160x108, components 3
$ exif PIA06227_Titan.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
$ cp PIA06227_Titan.jpg pia06227.jpg
$ exif -c pia06227.jpg
Wrote file 'pia06227.jpg.modified.jpeg'
$ exif -l pia06227.jpg.modified.jpeg
EXIF tags in 'pia06227.jpg.modified.jpeg': 0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
0x0002 Interoperability Version - - - - -
0x0003 East or West Longitude - - - - -
..................
This will do for mga7.
Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 2.
CC:
(none) =>
andrewsfarm, sysadmin-bugs
Aurelien Oudelet
2021-06-12 22:15:28 CEST
Keywords:
(none) =>
advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0252.html
Resolution:
(none) =>
FIXED |
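The before/after check the QA comments above run by hand (`exif poc.jpeg -x` dying after `<exif>` before the update, and closing with `</exif>` after it), written as a scripted regression check. This is an added example, not part of the bug report or of the exif project; `check_xml_dump` and `EXIF_BIN` are hypothetical names, and it assumes a POSIX shell, where a status above 128 means the process was killed by a signal.

```shell
#!/bin/sh
# Added example. EXIF_BIN and check_xml_dump are hypothetical names.
# EXIF_BIN: the exif binary under test (assumed to be on PATH by default).
EXIF_BIN="${EXIF_BIN:-exif}"

# check_xml_dump FILE
# Runs "exif FILE -x" and prints one verdict:
#   ok         exit 0 and the output closes with </exif>
#   rejected   the tool exited non-zero by itself (a handled error)
#   truncated  exit 0 but the closing </exif> is missing
#   crashed    status above 128: killed by a signal (139 = 128 + SIGSEGV)
# Returns 0 only for "ok".
check_xml_dump() {
    # "&& ... ||" keeps the status capture safe under "set -e".
    out=$("$EXIF_BIN" "$1" -x 2>/dev/null) && status=0 || status=$?
    if [ "$status" -gt 128 ]; then
        echo "crashed"
        return 2
    elif [ "$status" -ne 0 ]; then
        echo "rejected"
        return 1
    fi
    # Command substitution strips trailing newlines, so a complete dump
    # ends exactly with the closing tag.
    case "$out" in
        *"</exif>") echo "ok" ;;
        *) echo "truncated"; return 3 ;;
    esac
}

# Check every file named on the command line; exit 1 if any run crashed.
rc=0
for f in "$@"; do
    verdict=$(check_xml_dump "$f" || true)
    printf '%s: %s\n' "$f" "$verdict"
    [ "$verdict" != "crashed" ] || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```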