Debian-LTS has issued an advisory on May 18:
https://www.debian.org/lts/security/2020/dla-2214

Mageia 7 is also affected.
Status comment: (none) => Patch available from Debian
Whiteboard: (none) => MGA7TOO
In the light of variable committers for this SRPM, assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. (CVE-2020-0093)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
https://www.debian.org/lts/security/2020/dla-2214
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-14.3.mga7
lib(64)exif12-0.6.21-14.3.mga7
lib(64)exif-devel-0.6.21-14.3.mga7

from SRPMS:
libexif-0.6.21-14.3.mga7.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from Debian => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-0093
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25674 for testing.

exif /mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG
EXIF tags in '/mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |OLYMPUS DIGITAL CAMERA
Manufacturer        |OLYMPUS IMAGING CORP.
Model               |E-500
Orientation         |Top-left
etc....

Looks OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Comment from Dan Fandrich:

"I really suggest upgrading to libexif 0.6.22 instead of trying to patch 0.6.21. I count patches for 6 CVEs in svn right now while 9 were announced for 0.6.22. There were also some changes in 0.6.22 that may have had security implications but didn't get a CVE. The newer version is highly compatible with the older one, although there are some minor output formatting differences that are more likely to affect test suites than anything else."

Dan, what other CVEs? Do you have a reference for all of this?
CC: (none) => dan
Blocks: (none) => 26622
Keywords: (none) => feedback
(In reply to Thomas Andrews from comment #4)
> Validating. Advisory in Comment 2.

Note the advisory for this update has to combine:
https://bugs.mageia.org/show_bug.cgi?id=26622#c4
https://bugs.mageia.org/show_bug.cgi?id=26650#c2
The 9 are listed at https://libexif.github.io/
Thanks. Nicolas, can you update this?
Keywords: validated_update => (none)
Whiteboard: MGA7-64-OK => (none)
Nicolas Lécureuil updated libexif and exif to 0.6.22.

libexif12-common-0.6.22-1.mga7
libexif12-0.6.22-1.mga7
libexif-devel-0.6.22-1.mga7
exif-0.6.22-1.mga7

from SRPMS:
libexif-0.6.22-1.mga7.src.rpm
exif-0.6.22-1.mga7.src.rpm

exif is just a bugfix update.

libexif fixes:
CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-0093, CVE-2020-12767

https://github.com/libexif/libexif/blob/libexif-0_6_22-release/NEWS
https://github.com/libexif/exif/blob/exif-0_6_22-release/NEWS
Summary: libexif new security issue CVE-2020-0093 => libexif new security issues CVE-2020-0093 and CVE-2020-1311[2-4]
Keywords: feedback => (none)
Tested new version

$ exif /mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG
EXIF tags in '/mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |OLYMPUS DIGITAL CAMERA
Manufacturer        |OLYMPUS IMAGING CORP.
Model               |E-500
Orientation         |Top-left
X-Resolution        |314
Y-Resolution        |314
Resolution Unit     |Inch
Software            |Version 1.0
Date and Time       |2019:01:01 00:22:51
........

Looks OK
Whiteboard: (none) => MGA7-64-OK
Advisory:
========================

Updated libexif packages fix security vulnerabilities:

In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation (CVE-2020-0093).

exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error (CVE-2020-12767).

An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes (CVE-2020-13112).

An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions (CVE-2020-13113).

An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data (CVE-2020-13114).

The libexif package has been updated to version 0.6.22, fixing these issues and other bugs. Also, the exif package has been updated to version 0.6.22. See the upstream NEWS files for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
https://github.com/libexif/libexif/blob/libexif-0_6_22-release/NEWS
https://github.com/libexif/exif/blob/exif-0_6_22-release/NEWS
Validating once more. Advisory in Comment 11.
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0238.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
This update also fixed CVE-2020-0182: https://www.debian.org/lts/security/2020/dla-2249