Bug 26814 - libexif new security issue CVE-2020-0198
Summary: libexif new security issue CVE-2020-0198
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-18 18:02 CEST by David Walser
Modified: 2020-07-05 00:48 CEST

See Also:
Source RPM: libexif-0.6.22-1.mga7.src.rpm
CVE: CVE-2020-0198
Status comment:



Description David Walser 2020-06-18 18:02:06 CEST
Debian-LTS has issued an advisory on June 13:
https://www.debian.org/lts/security/2020/dla-2249

Mageia 7 is also affected.
Comment 1 David Walser 2020-06-18 18:03:34 CEST
Ubuntu has issued an advisory for this on June 16:
https://usn.ubuntu.com/4396-1/

Whiteboard: (none) => MGA7TOO

Comment 2 Lewis Smith 2020-06-18 20:29:37 CEST
This has no regular maintainer, so assigning it globally. But CC'ing both Nicolas' who have committed it recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => mageia, nicolas.salguero

Comment 3 Nicolas Salguero 2020-06-20 21:30:28 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. (CVE-2020-0198)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0198
https://www.debian.org/lts/security/2020/dla-2249
https://usn.ubuntu.com/4396-1/
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.22-1.1.mga7
lib(64)exif12-0.6.22-1.1.mga7
lib(64)exif-devel-0.6.22-1.1.mga7

from SRPMS:
libexif-0.6.22-1.1.mga7.src.rpm

Version: Cauldron => 7
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-0198
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
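
The bug class named in the Comment 3 advisory, as an added example that is not libexif's code and not part of this bug report: an unsigned offset-plus-length check that wraps, beside a subtraction-based form that cannot wrap, applied to one IFD entry. The 12-byte entry layout is the standard TIFF/EXIF one; the function names, the sample buffer and the assumption that the overflow sits in such a bounds check are illustrative, since the page says only "integer overflow".

```c
#include <stdint.h>
#include <stdio.h>

/* Byte size of TIFF/EXIF format codes 1..12 (index 0 unused). */
static const uint32_t fmt_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Little-endian ('Intel' byte order) readers. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Naive check: off + len wraps modulo 2^32 and can look in-bounds. */
int naive_in_bounds(uint32_t off, uint32_t len, uint32_t size) {
    return off + len <= size;
}

/* Safe check: uses only a subtraction that cannot wrap. */
int safe_in_bounds(uint32_t off, uint32_t len, uint32_t size) {
    return off <= size && len <= size - off;
}

/* Validate the 12-byte IFD entry at entry_off within buf[0..size).
 * On success returns 1 and stores where the entry's value lives. */
int entry_value_range(const uint8_t *buf, uint32_t size, uint32_t entry_off,
                      uint32_t *doff, uint32_t *len) {
    if (!safe_in_bounds(entry_off, 12, size)) return 0;
    const uint8_t *e = buf + entry_off;
    uint32_t format = rd16(e + 2), count = rd32(e + 4);
    if (format < 1 || format > 12) return 0;
    if (count > UINT32_MAX / fmt_size[format]) return 0; /* product would wrap */
    *len = count * fmt_size[format];
    /* Values of at most 4 bytes sit inline; larger ones at a stored offset. */
    *doff = (*len > 4) ? rd32(e + 8) : entry_off + 8;
    return safe_in_bounds(*doff, *len, size);
}

/* Constructed sample: a hostile entry (count 0x20, offset 0xFFFFFFF0),
 * a benign entry (count 8, offset 24), then the benign entry's 8 bytes. */
const uint8_t sample[32] = {
    0x0f, 0x01, 0x02, 0x00, 0x20, 0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff,
    0x10, 0x01, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
    'S', 'A', 'M', 'P', 'L', 'E', '1', 0};

int main(void) {
    uint32_t d = 0, l = 0;
    printf("naive accepts hostile range: %d\n", naive_in_bounds(0xFFFFFFF0u, 0x20, 32));
    printf("hostile entry valid: %d\n", entry_value_range(sample, 32, 0, &d, &l));
    printf("benign entry valid: %d\n", entry_value_range(sample, 32, 12, &d, &l));
    return 0;
}
```

Unsigned wraparound is defined behaviour in C, so the naive form fails silently in a normal build; a build with an unsigned-integer-overflow sanitizer aborts on it instead, which matches the "UBSAN abort" wording in the advisory.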

Comment 4 Len Lawrence 2020-06-21 16:36:54 CEST
mga7, x86_64

No PoC listed for CVE-2020-0198.
Working with JPEG and raw RAF format images before update.

Updated libexif12-common
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  lib64exif-devel                0.6.22       1.1.mga7      x86_64  
  lib64exif12                    0.6.22       1.1.mga7      x86_64  
  libexif12-common               0.6.22       1.1.mga7      x86_64  

RAW .RAF files rely on JPEG compression.
$ exif RAW_FUJI_S5PRO_V106.RAF
EXIF tags in 'RAW_FUJI_S5PRO_V106.RAF' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |FUJIFILM
Model               |FinePix S5Pro  
Orientation         |Top-left
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Software            |Digital Camera FinePix S5Pro   Ver1.06
Date and Time       |2007:05:27 13:55:17
[...]
Gamma               |2.2
GPS Tag Version     |2.2.0.0
Interoperability Ind|R03
Interoperability Ver|0100
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (9330 bytes).

$ exif GlenShiel.jpg
EXIF tags in 'GlenShiel.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |Panasonic
Model               |DMC-FZ28
Orientation         |Top-left
X-Resolution        |180
Y-Resolution        |180
...

$ exif glenShiel.j2k
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

$ exif GlenShiel.tif  
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

Those messages are expected.

ristretto is an application which uses libexif.
Browsed an image folder:
$ strace -o astro.trace ristretto /data/astro
$ grep exif astro.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.4", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libexif-12.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

$ strace -o exif.trace darktable LairigGhru_4.jpg
$ grep libexif exif.trace
openat(AT_FDCWD, "/lib64/libexif.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexif.so.12.3.4", O_RDONLY) = 3

Good enough.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2020-06-23 15:24:53 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 00:04:50 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-07-05 00:48:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0273.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

