Bug 26650 - libexif new security issues CVE-2020-0093 and CVE-2020-1311[2-4]
Summary: libexif new security issues CVE-2020-0093 and CVE-2020-1311[2-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 26622
Reported: 2020-05-20 04:14 CEST by David Walser
Modified: 2020-06-18 18:00 CEST

See Also:
Source RPM: libexif-0.6.21-14.2.mga7.rpm
CVE: CVE-2020-0093
Status comment:


Description David Walser 2020-05-20 04:14:33 CEST
Debian-LTS has issued an advisory on May 18:
https://www.debian.org/lts/security/2020/dla-2214

Mageia 7 is also affected.

David Walser 2020-05-20 04:15:00 CEST

Status comment: (none) => Patch available from Debian
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-05-20 20:19:09 CEST
In the light of variable committers for this SRPM, assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-05-21 11:50:09 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. (CVE-2020-0093)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
https://www.debian.org/lts/security/2020/dla-2214
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.21-14.3.mga7
lib(64)exif12-0.6.21-14.3.mga7
lib(64)exif-devel-0.6.21-14.3.mga7

from SRPMS:
libexif-0.6.21-14.3.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Patch available from Debian => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-0093

Comment 3 Herman Viaene 2020-05-21 13:55:24 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25674 for testing.
 exif /mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG 
EXIF tags in '/mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |OLYMPUS DIGITAL CAMERA         
Manufacturer        |OLYMPUS IMAGING CORP.  
Model               |E-500           
Orientation         |Top-left
etc....

Looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-21 14:09:12 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2020-05-21 14:17:31 CEST
Comment from Dan Fandrich:
"I really suggest upgrading to libexif 0.6.22 instead of trying to patch 0.6.21. I count patches for 6 CVEs in svn right now while 9 were announced for 0.6.22. There were also some changes in 0.6.22 that may have had security implications but didn't get a CVE. The newer version is highly compatible with the older one, although there are some minor output formatting differences that are more likely to affect test suites than anything else."

Dan, what other CVEs?  Do you have a reference for all of this?

CC: (none) => dan
Blocks: (none) => 26622
Keywords: (none) => feedback

Comment 6 David Walser 2020-05-21 14:18:05 CEST
(In reply to Thomas Andrews from comment #4)
> Validating. Advisory in Comment 2.

Note the advisory for this update has to combine:
https://bugs.mageia.org/show_bug.cgi?id=26622#c4
https://bugs.mageia.org/show_bug.cgi?id=26650#c2

Comment 7 Dan Fandrich 2020-05-21 14:35:12 CEST
The 9 are listed at https://libexif.github.io/

Comment 8 David Walser 2020-05-21 14:37:09 CEST
Thanks.  Nicolas, can you update this?

Keywords: validated_update => (none)
Whiteboard: MGA7-64-OK => (none)

Comment 9 David Walser 2020-05-21 22:33:46 CEST
Nicolas Lécureuil updated libexif and exif to 0.6.22.

libexif12-common-0.6.22-1.mga7
libexif12-0.6.22-1.mga7
libexif-devel-0.6.22-1.mga7
exif-0.6.22-1.mga7

from SRPMS:
libexif-0.6.22-1.mga7.src.rpm
exif-0.6.22-1.mga7.src.rpm

exif is just a bugfix update.  libexif fixes:
CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-0093, CVE-2020-12767

https://github.com/libexif/libexif/blob/libexif-0_6_22-release/NEWS
https://github.com/libexif/exif/blob/exif-0_6_22-release/NEWS

Summary: libexif new security issue CVE-2020-0093 => libexif new security issues CVE-2020-0093 and CVE-2020-1311[2-4]
Keywords: feedback => (none)

Comment 10 Herman Viaene 2020-05-22 14:57:51 CEST
Tested new version
$ exif /mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG 
EXIF tags in '/mnt/beelden/Pictures/2019/20190101Nieuwjaar/P1013877.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |OLYMPUS DIGITAL CAMERA         
Manufacturer        |OLYMPUS IMAGING CORP.  
Model               |E-500           
Orientation         |Top-left
X-Resolution        |314
Y-Resolution        |314
Resolution Unit     |Inch
Software            |Version 1.0                    
Date and Time       |2019:01:01 00:22:51
........
Looks OK

Whiteboard: (none) => MGA7-64-OK

Comment 11 David Walser 2020-05-24 16:16:57 CEST
Advisory:
========================

Updated libexif packages fix security vulnerabilities:

In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds
read due to a missing bounds check. This could lead to local information
disclosure with no additional execution privileges needed. User interaction is
needed for exploitation (CVE-2020-0093).

exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero
error (CVE-2020-12767).

An issue was discovered in libexif before 0.6.22. Several buffer over-reads in
EXIF MakerNote handling could lead to information disclosure and crashes
(CVE-2020-13112).

An issue was discovered in libexif before 0.6.22. Use of uninitialized memory
in EXIF Makernote handling could lead to crashes and potential use-after-free
conditions (CVE-2020-13113).

An issue was discovered in libexif before 0.6.22. An unrestricted size in
handling Canon EXIF MakerNote data could lead to consumption of large amounts
of compute time for decoding EXIF data (CVE-2020-13114).

The libexif package has been updated to version 0.6.22, fixing these issues
and other bugs.

Also, the exif package has been updated to version 0.6.22.  See the upstream
NEWS files for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
https://github.com/libexif/libexif/blob/libexif-0_6_22-release/NEWS
https://github.com/libexif/exif/blob/exif-0_6_22-release/NEWS
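
Added example, not part of the original bug report or of Mageia's tooling: a shell check that flags libexif and exif packages still older than the fixed build 0.6.22-1.mga7 named in comments 9 and 11. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed to be an adequate stand-in for rpm's own version comparison for these versions.

```shell
#!/usr/bin/env bash
# Added example: flag libexif/exif packages older than the fixed build.
# FIXED comes from the package list in comment 9; the sample data is constructed.
FIXED="0.6.22-1.mga7"

# Succeeds when version-release $1 sorts strictly before $2.
# Assumption: GNU `sort -V` ordering stands in for rpm's own EVR comparison
# (no epochs involved), which holds for the versions in this bug.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin and prints the libexif and
# exif packages that still predate $FIXED. Other packages are ignored.
outdated_exif_pkgs() {
    while read -r name evr; do
        case "$name" in
            exif|libexif12|lib64exif12|libexif12-common|libexif-devel|lib64exif-devel)
                if ver_lt "$evr" "$FIXED"; then
                    printf '%s %s\n' "$name" "$evr"
                fi
                ;;
        esac
    done
}

# Constructed sample of a partially updated Mageia 7 system.
sample_inventory() {
    cat <<'EOF'
lib64exif12 0.6.21-14.3.mga7
libexif12-common 0.6.22-1.mga7
exif 0.6.21-3.mga7
lib64gd3 2.2.5-6.mga7
EOF
}

# On a live system the input would come from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
sample_inventory | outdated_exif_pkgs
```

Any line printed names a package that has not yet received the update; an empty result means every matching package is at or above the fixed build.
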
Comment 12 Thomas Andrews 2020-05-26 03:43:15 CEST
Validating once more. Advisory in Comment 11.

Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 14:57:09 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 13 Mageia Robot 2020-05-27 21:07:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0238.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 14 David Walser 2020-06-18 18:00:34 CEST
This update also fixed CVE-2020-0182:
https://www.debian.org/lts/security/2020/dla-2249