Ubuntu has issued an advisory on May 13: https://usn.ubuntu.com/4358-1/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No evident maintainer for this, so having to assign it globally.
Assignee: bugsquad => pkg-bugs
Fix pushed into cauldron.
CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Pushed in updates testing.

Advisory:
========================
A new version of libexif. It fixes CVE-2020-12767

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-14.2.mga7
libexif12-0.6.21-14.2.mga7
libexif-devel-0.6.21-14.2.mga7
libexif-debugsource-0.6.21-14.2.mga7
libexif12-debuginfo-0.6.21-14.2.mga7

from:
libexif-0.6.21-14.2.mga7
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Advisory:
========================
Updated libexif packages fix security vulnerability:

exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error (CVE-2020-12767).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
https://usn.ubuntu.com/4358-1/
mga7, x86_64

A reproducer is listed against CVE-2020-12767 at https://github.com/libexif/libexif/issues/31 but it involves building a "fuzzer" using "infra/helper.py". There are several instances of helper.py scripts on the system - which one? This is a little outside QA's remit.

The package was already installed. The library is used by a large number of packages including exif, caja, darktable, eom/eog, geeqie, feh, ristretto and tellico. Those examples have been used on a number of occasions without any problems.

Updated the packages.

$ rpm -qa | grep exif
lib64exif-devel-0.6.21-14.2.mga7
lib64exif12-0.6.21-14.2.mga7
libexif12-common-0.6.21-14.2.mga7

$ strace -o exif.trace exif LairigGhru_8.jpg
EXIF tags in 'LairigGhru_8.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |
Manufacturer        |SONY
Model               |DSC-HX1
Orientation         |Top-left
Software            |Adobe Photoshop CS4 Windows
.............
$ grep exif exif.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/exif.mo", O_RDONLY)

Browsed images:
$ strace -o astro.trace ristretto /data/astro
$ grep exif astro.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3

$ strace -o eom.trace eom *.png
$ grep exif eom.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.3", O_RDONLY) = 3

No regressions.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Assuming the advisory in Comment 4 is the more correct.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
I really suggest upgrading to libexif 0.6.22 instead of trying to patch 0.6.21. I count patches for 6 CVEs in svn right now while 9 were announced for 0.6.22. There were also some changes in 0.6.22 that may have had security implications but didn't get a CVE. The newer version is highly compatible with the older one, although there are some minor output formatting differences that are more likely to affect test suites than anything else.
CC: (none) => dan
Depends on: (none) => 26650
libexif update moved to Bug 26650.
Whiteboard: MGA7-64-OK => (none)
Keywords: validated_update => (none)
CC: sysadmin-bugs => qa-bugs
Assignee: qa-bugs => mageia
Should we close this one as a duplicate of https://bugs.mageia.org/show_bug.cgi?id=26650 ?
Assignee: mageia => qa-bugs
No, but we can only have one bug assigned to QA.
Assignee: qa-bugs => mageia
Fixed in: https://advisories.mageia.org/MGASA-2020-0238.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED