Security Information / 2012 / Security Information -- DSA-2559-1 libexif

Debian Security Advisory

DSA-2559-1 libexif -- several vulnerabilities

Date Reported:

11 Oct 2012

Affected Packages:

libexif

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 681454.
In Mitre's CVE dictionary: CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841.

More information:

Several vulnerabilities were found in libexif, a library used to parse EXIF meta-data on camera files.

• CVE-2012-2812:

  A heap-based out-of-bounds array read in the exif_entry_get_value function allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

• CVE-2012-2813:

  A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8 function allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

• CVE-2012-2814:

  A buffer overflow in the exif_entry_format_value function allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

• CVE-2012-2836:

  A heap-based out-of-bounds array read in the exif_data_load_data function allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags.

• CVE-2012-2837:

  A divide-by-zero error in the mnote_olympus_entry_get_value function while formatting EXIF maker note tags allows remote attackers to cause a denial of service via an image with crafted EXIF tags.

• CVE-2012-2840:

  An off-by-one error in the exif_convert_utf16_to_utf8 function allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags.

• CVE-2012-2841:

  An integer underflow in the exif_entry_get_value function can cause a heap overflow and potentially arbitrary code execution while formatting an EXIF tag, if the function is called with a buffer size parameter equal to zero or one.

For the stable distribution (squeeze), these problems have been fixed in version 0.6.19-1+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in version 0.6.20-3.

For the unstable distribution (sid), these problems have been fixed in version 0.6.20-3.

We recommend that you upgrade your libexif packages.