openSUSE has issued an advisory today (January 25):
https://lists.opensuse.org/opensuse-updates/2018-01/msg00089.html

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated libexif packages fix security vulnerability:

An out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c caused by improper length computation of the allocated data of an ExifMnote entry which can cause denial-of-service or possibly information disclosure (CVE-2017-7544).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
https://lists.opensuse.org/opensuse-updates/2018-01/msg00089.html
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-8.2.mga5
libexif12-0.6.21-8.2.mga5
libexif-devel-0.6.21-8.2.mga5
libexif12-common-0.6.21-9.2.mga6
libexif12-0.6.21-9.2.mga6
libexif-devel-0.6.21-9.2.mga6

from SRPMS:
libexif-0.6.21-8.2.mga5.src.rpm
libexif-0.6.21-9.2.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref. bug 22277 Comment 1 for testing.
exif displays the info ok.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Mageia 6 :: x86_64

There is a POC for this but the author is very security conscious and has encrypted the details to prevent exploits before the software was patched, so we shall forget about that.

Found a digital camera image and tried exif on that and the information returned looked normal.

Updated the libraries and checked the file again.

$ exif DSCN0329.JPG
EXIF tags in 'DSCN0329.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |
Manufacturer        |NIKON
Model               |COOLPIX P610
Orientation         |Top-left
X-Resolution        |300
Y-Resolution        |300
...............................................
Exif Version        |Exif Version 2.3
Date and Time (Origi|2016:08:09 14:55:02
Date and Time (Digit|2016:08:09 14:55:02
Components Configura|Y Cb Cr -
Compressed Bits per | 4
Exposure Bias       |0.00 EV
Maximum Aperture Val|3.40 EV (f/3.2)
Metering Mode       |Pattern
Light Source        |Unknown
................................................
Focal Length in 35mm|70
Scene Capture Type  |Standard
Gain Control        |High gain down
Contrast            |Normal
Saturation          |Normal
Sharpness           |Normal
Subject Distance Ran|Unknown
Interoperability Ind|R98
Interoperability Ver|0100
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (6545 bytes).

Same data. OK for 64 bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0113.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED