Bug 24373 - libexif new security issue CVE-2018-20030
Summary: libexif new security issue CVE-2018-20030
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-16 17:40 CET by David Walser
Modified: 2019-02-20 23:19 CET

See Also:
Source RPM: libexif-0.6.21-9.2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-02-16 17:40:14 CET
Fedora has issued an advisory on February 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVC5KUWUCW5SKSBJOLGYSLCWLZE54JC4/

Patched packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated libexif packages fix security vulnerability:

It was found that specially crafted EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF
tags could be used for a denial of service (CVE-2018-20030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVC5KUWUCW5SKSBJOLGYSLCWLZE54JC4/
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-9.3.mga6
libexif12-0.6.21-9.3.mga6
libexif-devel-0.6.21-9.3.mga6

from libexif-0.6.21-9.3.mga6.src.rpm
Comment 1 Len Lawrence 2019-02-18 20:53:45 CET
mga6, x86_64

Installed the current packages.

CVE-2018-20030
DOS vulnerability.
No POC available.

$ strace -o trace eom Sutherland_1.jpg
Manipulated the image.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3

$ strace -o trace eog LochCluanie_10.jpg
Rotated the image then browsed other images.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3
open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_GB/LC_MESSAGES/libexif-12.mo", O_RDONLY) = 11

Ran caja and selected an image directory and clicked on an image, which was displayed via eom.

Ran the GIMP under strace, selected an image, scaled it, changed contrast and brightness and saved it as an xcf file.
$ grep exif trace
write(13, "\0\0\0\35plug-in-metadata-decode-exif"..., 512) = 512
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29
read(10, "plug-in-metadata-decode-exif\0", 29) = 29

Does that relate to libexif?

Installed feh and ran that under strace.  Displayed an image, switched fullscreen and back, rotated the image and showed information.
$ grep exif trace
open("/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3

Looks like it is working fine.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Dave Hodgins 2019-02-20 22:01:06 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2019-02-20 23:19:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0095.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
