Package name
libexif
Date
2012-07-13
Advisory ID
MDVSA-2012:106
Affected versions
MES5 i586 , 2011 i586 , MES5 x86_64 , 2011 x86_64

Problem description

Multiple vulnerabilities has been discovered and corrected in libexif:

A heap-based out-of-bounds array read in the exif_entry_get_value
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly obtain
potentially sensitive information from process memory via an image
with crafted EXIF tags (CVE-2012-2812).

A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly obtain
potentially sensitive information from process memory via an image
with crafted EXIF tags (CVE-2012-2813).

A buffer overflow in the exif_entry_format_value function in
libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via an
image with crafted EXIF tags (CVE-2012-2814).

A heap-based out-of-bounds array read in the exif_data_load_data
function in libexif 0.6.20 and earlier allows remote attackers to
cause a denial of service or possibly obtain potentially sensitive
information from process memory via an image with crafted EXIF tags
(CVE-2012-2836).

A divide-by-zero error in the mnote_olympus_entry_get_value function
while formatting EXIF maker note tags in libexif 0.6.20 and earlier
allows remote attackers to cause a denial of service via an image
with crafted EXIF tags (CVE-2012-2837).

An off-by-one error in the exif_convert_utf16_to_utf8 function in
libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote
attackers to cause a denial of service or possibly execute arbitrary
code via an image with crafted EXIF tags (CVE-2012-2840).

An integer underflow in the exif_entry_get_value function can cause a
heap overflow and potentially arbitrary code execution while formatting
an EXIF tag, if the function is called with a buffer size parameter
equal to zero or one (CVE-2012-2841).

The updated packages have been upgraded to the 0.6.21 version which
is not vulnerable to these issues.

Updated packages

MES5 i586

 33855decda0e70d5a5603e5c8058b302  mes5/i586/libexif12-0.6.21-0.1mdvmes5.2.i586.rpm
 25e42d52dd9988a6cbb50b1960917380  mes5/i586/libexif12-common-0.6.21-0.1mdvmes5.2.i586.rpm
 f94b0cc22c53c281a7eb602aea24e1ed  mes5/i586/libexif-devel-0.6.21-0.1mdvmes5.2.i586.rpm 
 56d11b394a217376a92bac526b63b031  mes5/SRPMS/libexif-0.6.21-0.1mdvmes5.2.src.rpm

2011 i586

 940eff19c8443292d21d79e70c8087cc  2011/i586/libexif12-0.6.21-0.1-mdv2011.0.i586.rpm
 667a614e2bbc8bc9d3f9d48f55c42218  2011/i586/libexif12-common-0.6.21-0.1-mdv2011.0.i586.rpm
 87ce2bfa124d4afd4bbc0edf7248f8b8  2011/i586/libexif-devel-0.6.21-0.1-mdv2011.0.i586.rpm 
 a3c29364ee682113d03bdd2f66c55183  2011/SRPMS/libexif-0.6.21-0.1.src.rpm

MES5 x86_64

 abc6ec8a1e31a47b60dd7effc392d9f1  mes5/x86_64/lib64exif12-0.6.21-0.1mdvmes5.2.x86_64.rpm
 79029e3c340e77c282a74c3c6b4799c5  mes5/x86_64/lib64exif-devel-0.6.21-0.1mdvmes5.2.x86_64.rpm
 379071ee301f82c094fb11568d2d1fd1  mes5/x86_64/libexif12-common-0.6.21-0.1mdvmes5.2.x86_64.rpm 
 56d11b394a217376a92bac526b63b031  mes5/SRPMS/libexif-0.6.21-0.1mdvmes5.2.src.rpm

2011 x86_64

 cb266db3562c08fd8e8a13971026b353  2011/x86_64/lib64exif12-0.6.21-0.1-mdv2011.0.x86_64.rpm
 3f19dcfae4d229db5d6e481486f66f74  2011/x86_64/lib64exif-devel-0.6.21-0.1-mdv2011.0.x86_64.rpm
 6a43f86c562d161fccbf0c0cb2d619d8  2011/x86_64/libexif12-common-0.6.21-0.1-mdv2011.0.x86_64.rpm 
 a3c29364ee682113d03bdd2f66c55183  2011/SRPMS/libexif-0.6.21-0.1.src.rpm

References