Debian has issued an advisory on November 8:
https://www.debian.org/security/2020/dsa-4786

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Ubuntu has issued an advisory for this today (November 10): https://ubuntu.com/security/notices/USN-4624-1
Severity: normal => major
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2020-0452)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0452
https://www.debian.org/security/2020/dsa-4786
https://ubuntu.com/security/notices/USN-4624-1
========================

Updated packages in core/updates_testing:
========================
libexif12-common-0.6.22-1.2.mga7
lib(64)exif12-0.6.22-1.2.mga7
lib(64)exif-devel-0.6.22-1.2.mga7

from SRPM:
libexif-0.6.22-1.2.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
CVE: (none) => CVE-2020-0452
Whiteboard: MGA7TOO => (none)
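The advisory text above names the bug class: an integer overflow in a size computation that leads to an out-of-bounds write. The following is an added illustration of that class and of the bounds checks that prevent it; it is not libexif's code, and the function names and the 2-byte terminator are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libexif code. TERMINATOR_LEN is an assumed
 * number of extra bytes appended to a payload whose size comes from the file. */
#define TERMINATOR_LEN ((size_t)2)

/* Unchecked size computation: unsigned addition wraps modulo SIZE_MAX + 1,
 * so a huge declared size yields a tiny allocation size. */
size_t unchecked_alloc_size(size_t declared_size)
{
    return declared_size + TERMINATOR_LEN;
}

/* Checked variant: returns 1 and stores the sum, or 0 if it would wrap. */
int checked_alloc_size(size_t declared_size, size_t *out)
{
    if (declared_size > SIZE_MAX - TERMINATOR_LEN)
        return 0;
    *out = declared_size + TERMINATOR_LEN;
    return 1;
}

/* Hardened copy: rejects a declared size that exceeds the bytes actually
 * available or that would wrap, then copies and zero-terminates. */
unsigned char *copy_terminated(const unsigned char *data, size_t available,
                               size_t declared_size)
{
    size_t total;
    unsigned char *buf;

    if (declared_size > available)
        return NULL;            /* entry claims more than the input holds */
    if (!checked_alloc_size(declared_size, &total))
        return NULL;            /* size arithmetic would overflow */
    buf = calloc(1, total);     /* zeroed, so the tail is the terminator */
    if (buf == NULL)
        return NULL;
    if (declared_size > 0)
        memcpy(buf, data, declared_size);
    return buf;
}
```

A buffer allocated with the unchecked size and then filled with the declared number of bytes is written past its end, which is why the checks run before the allocation.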
MGA7-64 MATE on Peaq C1011
No installation issues.
Testing along the lines of previous updates.

$ exif IMG_20200328_172150.jpg
EXIF tags in 'IMG_20200328_172150.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Width         |1840
Image Length        |3264
Bits per Sample     |8, 8, 8
Manufacturer        |HUAWEI
Model               |VTR-L09
etc ......

Looks OK, but

$ exif RAW_NIKON_E5700_SRGB.NEF
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
[tester7@mach6 RawORF]$ exif P7212389.ORF
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

These are files that have been used in previous updates with success.
Also opened the last one with UFRaw and there exif info shows.
CC: (none) => herman.viaene
Mageia 7 Plasma x86_64

This update installs:
libexif12-common 0.6.22 1.2.mga7 x86_64
lib64exif12 0.6.22 1.2.mga7 x86_64

Installation OK.

$ exif /home/aurelien/Images/Smartphone/IMG_20200502_162603.jpg
Marqueurs EXIF dans « /home/aurelien/Images/Smartphone/IMG_20200502_162603.jpg » (ordre des octets « Motorola ») :
--------------------+----------------------------------------------------------
Marqueur            |Valeur
--------------------+----------------------------------------------------------
Largeur de l'image  |4000
Modèle              |Mi 9T Pro
Longueur de l'image |2250
Orientation         |Droit-haut
Date et heure       |2020:05:02 16:26:05
Positionnement YCbCr|Centré
Unité de la résoluti|pouces
Résolution X        |72
Résolution Y        |72
Constructeur        |Xiaomi
Orientation         |Droit-haut
Compression         |Compression JPEG
Unité de la résoluti|pouces
Résolution X        |72
Résolution Y        |72
Valeurs de vitesse I|112
Programme d'expositi|Programme normal
Nombre d'ouverture  |f/1,8
Temps d'exposition  |1/131 sec.
Méthode d'acquisitio|Non défini
Temps inférieur à la|874909
Temps inférieur à la|874909
Temps inférieur à la|874909
Longueur focale     |4,8 mm
Flash               |Le flash n'a pas déclenché, mode auto
Source lumineuse    |D65
Mode de mesure      |Pondération centrale
Type de capture de l|Standard
Longueur focale dans|26
Valeur d'ouverture m|1,61 EV (f/1,7)
Date et heure (numér|2020:05:02 16:26:05
Correction d'exposit|0,00 EV
Dimension Y du pixel|2250
Balance des blancs  |Balance des blancs automatique
Date et heure (origi|2020:05:02 16:26:05
Luminosité          |3,73 EV (45,46 cd/m²)
Dimension X du pixel|4000
Mode d'exposition   |Exposition automatique
Ouverture           |1,61 EV (f/1,7)
Configuration des co|Y Cb Cr -
Espace des couleurs |sRGB
Type de scène       |Photographié directement
Vitesse d'obturation|7,03 EV (1/131 sec.)
Version d'exif      |Exif version 2.2
FlashPixVersion     |FlashPix version 1.0
Latitude Nord ou Sud|N
Latitude            |49, 37, 3,3312
Longitude Est ou Oue|E
Longitude           | 3, 12, 10,7891
Référence d'altitude|Niveau de la mer
Altitude            |72,626
Heure GPS (horloge a|14:26:04,00
Nom de la méthode de|12 octets de données inconnues
Date GPS            |2020:05:02
Index d'interopérabi|R98
Version d'interopéra|0100
--------------------+----------------------------------------------------------
Les données EXIF contiennent une vignette (11638 octets).

@Herman,

$ urpmq -i exif
Summary     : Command line tools to access EXIF extensions in JPEG files
Description :
Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags. This package contains a command line frontend for the EXIF library.

I really don't think it can be tested on RAW files like NEF (NIKON)...

MGA7-OK-64 for me.
CC: (none) => ouaurelien
Whiteboard: (none) => MGA7-64-OK
No installation issues.

Using exif on an image from a Canon digital camera, I get the following:

$ exif IMG_0704.JPG
EXIF tags in 'IMG_0704.JPG' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |Canon
Model               |Canon PowerShot A540
Orientation         |Left-bottom
X-Resolution        |180
Y-Resolution        |180
Resolution Unit     |Inch
Date and Time       |2020:08:06 20:43:34
YCbCr Positioning   |Centered
Compression         |JPEG compression
X-Resolution        |180
Y-Resolution        |180
Resolution Unit     |Inch
Exposure Time       |1/60 sec.
F-Number            |f/2.6
Exif Version        |Exif Version 2.2
Date and Time (Origi|2020:08:06 20:43:34
Date and Time (Digit|2020:08:06 20:43:34
Components Configura|Y Cb Cr -
Compressed Bits per | 5
Shutter Speed       |5.91 EV (1/60 sec.)
Aperture            |2.75 EV (f/2.6)
Exposure Bias       |0.00 EV
Maximum Aperture Val|2.75 EV (f/2.6)
Metering Mode       |Pattern
Flash               |Flash fired, auto mode, red-eye reduction mode
Focal Length        |5.8 mm
Maker Note          |1882 bytes undefined data
User Comment        |
FlashPixVersion     |FlashPix Version 1.0
Color Space         |sRGB
Pixel X Dimension   |2816
Pixel Y Dimension   |2112
Focal Plane X-Resolu|12515.556
Focal Plane Y-Resolu|12497.041
Focal Plane Resoluti|Inch
Sensing Method      |One-chip color area sensor
File Source         |DSC
Custom Rendered     |Normal process
Exposure Mode       |Auto exposure
White Balance       |Auto white balance
Digital Zoom Ratio  |1.0000
Scene Capture Type  |Standard
Interoperability Ind|R98
Interoperability Ver|0100
RelatedImageWidth   |2816
RelatedImageLength  |2112
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (4491 bytes).

I saw similar data from images taken by an Olympus camera.

@Herman: Attempting to get exif data from a jpg image that wasn't directly from a camera, one that had been edited with The GIMP or created with a scanner, resulted in the same error messages you saw.
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Urpmq --whatrequires shows Thunar to have lib64exif12 as a dependency, and Thunar also shows some exif data with the "Image" tab under "Properties" for jpg images that were directly from a camera, confirming the update.
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0426.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED