Fedora has issued an advisory on May 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMC6OTXZRPCUD3LOSWO4ISR7CH7NJQDT/

Mageia 7 and Mageia 8 are also affected.

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO
Another homeless SRPM, so assigning this to everyone.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

NULL Pointer Dereference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash. (CVE-2021-27815)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27815
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QMC6OTXZRPCUD3LOSWO4ISR7CH7NJQDT/
========================

Updated package in 7/core/updates_testing:
========================
exif-0.6.22-1.1.mga7

from SRPM:
exif-0.6.22-1.1.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
exif-0.6.22-1.1.mga8

from SRPM:
exif-0.6.22-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CVE: (none) => CVE-2021-27815
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status comment: Patch available from Fedora => (none)
mga8, x64

Before update:
CVE-2021-27815
https://github.com/libexif/exif/issues/4

$ exif poc.jpeg -x
<exif>
Segmentation fault (core dumped)

-x specifies output as XML. Without a specifier the image file report looks normal.

Updated exif and tried the PoC.

$ exif poc.jpeg -x
<exif>
<Manufacturer>empty string</Manufacturer>
<Model>ORATION</Model>
<Orientation>Top-left</Orientation>
<X-Resolution>1.104123369</X-Resolution>
<Y-Resolution>300</Y-Resolution>
<Resolution_Unit>Inch</Resolution_Unit>
<Software>empty string</Software>
<Date_and_Time>empty string</Date_and_Time>
<Exif_Version>Exif Version 2.1</Exif_Version>
<FlashPixVersion>FlashPix Version 1.0</FlashPixVersion>
<Colour_Space>Uncalibrated</Colour_Space>
</exif>

Good result.

Ran exif against a few files.

$ exif -i PIA02471_800.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

$ exif earth_cassinimessenger.jpg
EXIF tags in 'earth_cassinimessenger.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Orientation         |Top-left
X-Resolution        |72.0000
Y-Resolution        |72.0000
Resolution Unit     |Inch
Software            |Adobe Photoshop CS6 (Windows)
Date and Time       |2013:07:22 11:33:57
Compression         |JPEG compression
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Colour Space        |sRGB
Pixel X Dimension   |1799
Pixel Y Dimension   |958
Exif Version        |Exif Version 2.1
FlashPixVersion     |FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (5295 bytes).

$ exif -i earth_cassinimessenger.jpg
EXIF tags in 'earth_cassinimessenger.jpg' ('Motorola' byte order):
------+------------------------------------------------------------------------
Tag   |Value
------+------------------------------------------------------------------------
0x0112|Top-left
0x011a|72.0000
0x011b|72.0000
0x0128|Inch
0x0131|Adobe Photoshop CS6 (Windows)
.....

$ exif -e -o thumbnail earth_cassinimessenger.jpg
Wrote file 'thumbnail'.
lcl@canopus:ss $ file thumbnail
thumbnail: JPEG image data, baseline, precision 8, 160x85, components 3

The thumbnail showed the Earth-moon as a dot under Saturn's rings but the captions were unreadable.

$ exif --tag=Software earth_cassinimessenger.jpg
EXIF entry 'Software' (0x131, 'Software') exists in IFD '0':
Tag: 0x131 ('Software')
  Format: 2 ('ASCII')
  Components: 30
  Size: 30
  Value: Adobe Photoshop CS6 (Windows)

Machine readable output:

$ exif -l -m ISS_Sun_Ergun.jpg
EXIF tags in 'ISS_Sun_Ergun.jpg':
0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
0x0002 Interoperability Version - - - - -
[...]
0xa500 Gamma - - - - -
0xc4a5 PRINT Image Matching - - - - -
0xea1c Padding - - - - -

Copied a file which did not appear to have any EXIF data and added a template containing a number of empty tag fields.

$ exif -c pia02471.jpg
Wrote file 'pia02471.jpg.modified.jpeg'.
$ exif -l pia02471.jpg.modified.jpeg
EXIF tags in 'pia02471.jpg.modified.jpeg':
0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
......

Actually setting the values of any tags is not so easy, Colour Space for instance:

$ exif --ifd=0 --tag=0xa001 --set-value='sRGB' pia02471.jpg.modified.jpeg
Numeric value expected

At a guess sRGB has some numerical equivalent.
That is as far as it goes for this one. Giving it an OK.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25
Mageia 7, x86_64

Before update:

$ exif poc.jpeg -x
<exif>
Segmentation fault (core dumped)

After updating exif the PoC produced XML code without crashing.

$ exif PIA21923_CassiniVIMSTitan_MAIN.jpg
EXIF tags in 'PIA21923_CassiniVIMSTitan_MAIN.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Orientation         |Top-left
X-Resolution        |300.0000
Y-Resolution        |300.0000
Resolution Unit     |Inch
Software            |Adobe Photoshop CC 2015.5 (Macintosh)
Date and Time       |2018:07:09 16:06:26
Compression         |JPEG compression
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Colour Space        |sRGB
Pixel X Dimension   |5448
Pixel Y Dimension   |3686
Exif Version        |Exif Version 2.1
FlashPixVersion     |FlashPix Version 1.0
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (5037 bytes).

$ exif -i PIA21923_CassiniVIMSTitan_MAIN.jpg
EXIF tags in 'PIA21923_CassiniVIMSTitan_MAIN.jpg' ('Motorola' byte order):
------+------------------------------------------------------------------------
Tag   |Value
------+------------------------------------------------------------------------
0x0112|Top-left
0x011a|300.0000
...........

Extracted thumbnail.

$ exif -e -o minititan PIA21923_CassiniVIMSTitan_MAIN.jpg
Wrote file 'minititan'.

The image displays OK.

$ file PIA21923_CassiniVIMSTitan_MAIN.jpg minititan
PIA21923_CassiniVIMSTitan_MAIN.jpg: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC 2015.5 (Macintosh), datetime=2018:07:09 16:06:26], baseline, precision 8, 5448x3686, components 3
minititan: JPEG image data, baseline, precision 8, 160x108, components 3

$ exif PIA06227_Titan.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.

$ cp PIA06227_Titan.jpg pia06227.jpg
$ exif -c pia06227.jpg
Wrote file 'pia06227.jpg.modified.jpeg'
$ exif -l pia06227.jpg.modified.jpeg
EXIF tags in 'pia06227.jpg.modified.jpeg':
0 1 EXIF GPS Interop
0x0000 GPS Tag Version - - - - -
0x0001 Interoperability Index - - - - -
0x0002 Interoperability Version - - - - -
0x0003 East or West Longitude - - - - -
..................

This will do for mga7.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
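The before/after check from the two test comments above (run `exif FILE -x` and look for a segmentation fault), written as a repeatable script. This is an added example, not part of the bug report or of the exif project; the EXIF_CMD override and the function names check_xml_output and scan are assumptions introduced here.

```shell
#!/bin/sh
# Added example: regression check for the crash on XML output.
# EXIF_CMD is an assumption of this example: it defaults to the exif
# tool and can be overridden to exercise the check without a PoC file.
EXIF_CMD=${EXIF_CMD:-exif}

# check_xml_output FILE
# Runs "exif FILE -x" as in the test comments and prints one of:
#   CRASH:<signal>  the process was killed by a signal (11 = SIGSEGV)
#   ERROR:<status>  the tool exited with a non-zero status
#   BADXML          exit status 0 but no complete <exif>...</exif> document
#   OK              exit status 0 and a complete <exif>...</exif> document
check_xml_output() {
    # "&& ... || ..." keeps the function usable under "set -e".
    out=$($EXIF_CMD "$1" -x 2>/dev/null) && status=0 || status=$?
    if [ "$status" -gt 128 ]; then
        # The shell reports death by signal N as exit status 128+N.
        echo "CRASH:$((status - 128))"
    elif [ "$status" -ne 0 ]; then
        echo "ERROR:$status"
    else
        case $out in
            "<exif>"*"</exif>") echo OK ;;
            *) echo BADXML ;;
        esac
    fi
}

# scan FILE...
# Reports every file and returns 1 if any run died from a signal.
scan() {
    rc=0
    for f in "$@"; do
        r=$(check_xml_output "$f")
        echo "$f: $r"
        case $r in CRASH:*) rc=1 ;; esac
    done
    return $rc
}
```

Running `scan poc.jpeg *.jpg` before and after the update makes the difference visible as a CRASH:11 line turning into OK.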
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0252.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED