Date: 16 July 2012
References: ESB-2012.0863 ESB-2012.1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0102
A number of vulnerabilities have been identified in libexif
16 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              libexif
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-2845 CVE-2012-2841 CVE-2012-2840
                      CVE-2012-2837 CVE-2012-2836 CVE-2012-2814
                      CVE-2012-2813 CVE-2012-2812
Member content until: Wednesday, August 15 2012
OVERVIEW
A number of vulnerabilities have been identified in libexif prior to
version 0.6.21. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"CVE-2012-2812: A heap-based out-of-bounds array read in the
exif_entry_get_value function in libexif/exif-entry.c in libexif
0.6.20 and earlier allows remote attackers to cause a denial of service
or possibly obtain potentially sensitive information from process
memory via an image with crafted EXIF tags.

CVE-2012-2813: A heap-based out-of-bounds array read in the
exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif
0.6.20 and earlier allows remote attackers to cause a denial of service
or possibly obtain potentially sensitive information from process
memory via an image with crafted EXIF tags.

CVE-2012-2814: A buffer overflow in the exif_entry_format_value
function in libexif/exif-entry.c in libexif 0.6.20 allows remote
attackers to cause a denial of service or possibly execute arbitrary
code via an image with crafted EXIF tags.

CVE-2012-2836: A heap-based out-of-bounds array read in the
exif_data_load_data function in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly obtain
potentially sensitive information from process memory via an image
with crafted EXIF tags.

CVE-2012-2837: A divide-by-zero error in the
mnote_olympus_entry_get_value function while formatting EXIF maker note
tags in libexif 0.6.20 and earlier allows remote attackers to cause a
denial of service via an image with crafted EXIF tags.

CVE-2012-2840: An off-by-one error in the exif_convert_utf16_to_utf8
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly execute
arbitrary code via an image with crafted EXIF tags.

CVE-2012-2841: An integer underflow in the exif_entry_get_value
function can cause a heap overflow and potentially arbitrary code
execution while formatting an EXIF tag, if the function is called with
a buffer size parameter equal to zero or one.

CVE-2012-2845: An integer overflow in the function jpeg_data_load_data
in the exif program could cause a data read beyond the end of a buffer,
causing an application crash or leakage of potentially sensitive
information when parsing a crafted JPEG file." [1]
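CVE-2012-2841 above is an unsigned buffer-size underflow. The following added example (not libexif source and not part of the vendor advisory) shows how a size of zero or one can wrap during unsigned subtraction, next to a bounds-checked form. All function names and the `reserved` parameter are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical formatter internals, NOT libexif source. `reserved` is the
 * number of bytes set aside (e.g. 1 for the NUL terminator); an assumption. */

/* Flawed: unsigned subtraction with no lower-bound check. If maxlen is
 * smaller than reserved, the result wraps to a value near UINT_MAX, so a
 * later "length <= room" test passes for any input length. */
unsigned int room_unchecked(unsigned int maxlen, unsigned int reserved)
{
    return maxlen - reserved;
}

/* Hardened: validate before subtracting. Returns 0 and sets *room on
 * success, -1 if the buffer cannot even hold the reserved bytes. */
int room_checked(unsigned int maxlen, unsigned int reserved, unsigned int *room)
{
    if (maxlen < reserved)
        return -1;
    *room = maxlen - reserved;
    return 0;
}

/* Copies src into dst (capacity maxlen), truncating and always terminating.
 * Returns bytes copied; when maxlen cannot hold the terminator, returns 0
 * and leaves dst untouched. */
size_t format_value_checked(char *dst, unsigned int maxlen, const char *src)
{
    unsigned int room;
    size_t n;

    if (!dst || !src || room_checked(maxlen, 1, &room) != 0)
        return 0;
    n = strlen(src);
    if (n > room)
        n = room;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char buf[8];   /* constructed sample buffer and strings */
    printf("unchecked room, maxlen=0: %u\n", room_unchecked(0, 1));
    printf("checked copy, maxlen=0: %zu bytes\n", format_value_checked(buf, 0, "Olympus"));
    printf("checked copy, maxlen=8: %zu bytes\n", format_value_checked(buf, sizeof buf, "Olympus E-5"));
    return 0;
}
```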
MITIGATION
The vendor recommends upgrading to the latest version of exif to
correct these issues. [1]
REFERENCES
[1] libexif project security advisory - July 12, 2012
http://sourceforge.net/mailarchive/message.php?msg_id=29534027
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----