Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2059
libexif security update
15 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libexif
Publisher: Debian
Operating System: Debian GNU/Linux 8
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote with User Interaction
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-0198 CVE-2020-0182
Original Bulletin:
https://www.debian.org/lts/security/2020/dla-2249
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running libexif check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : libexif
Version : 0.6.21-2+deb8u4
CVE ID : CVE-2020-0182 CVE-2020-0198
Debian Bug : 962345
The following CVE(s) were reported against src:libexif.
CVE-2020-0182
In exif_entry_get_value of exif-entry.c, there is a possible
out of bounds read due to a missing bounds check. This could
lead to local information disclosure with no additional execution
privileges needed. User interaction is not needed for
exploitation.
CVE-2020-0198
In exif_data_load_data_content of exif-data.c, there is a
possible UBSAN abort due to an integer overflow. This could lead
to remote denial of service with no additional execution
privileges needed. User interaction is needed for exploitation.
For Debian 8 "Jessie", these problems have been fixed in version
0.6.21-2+deb8u4.
We recommend that you upgrade your libexif packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Best,
Utkarsh
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl7k+pgACgkQgj6WdgbD
S5ZGmhAAyqJ8nCcR0CqNGRSnSdytQ9BhK/YOv1tmubkaLwBMaQtNOfxYby39b4CR
gvDcXNc7wpn7gKkMfPsFlzYHINiFJz5wBKMM0gwzgh0kX8UHOvcqMwWTRLgMb8K0
CqKF/zx2gZfl4AhvfmFvwzTXdXTEMYM1Dn9A/PUvyFa1Juz/Dga5toeD7+/vESa/
ZBDQKgMd6QG2e5vMNPcH7atVzd97qzbGwcQgh6uz+WSUNzQCte8x8tYgn6tAaCed
aB19lk12ZlogFqfvMtHFNzKLK279AbHCbHsyntzGXMNTuvdC1uMDewWm8zzwbxce
cPoorJI73STZkEYsKlsfx6A+Va/n6NT+kma3g6QW20HAYHrhM5mhhkg3LmRBaYpN
shkd5PsLbyc4lPyoJU7EHBqhqLaP+gxbuFbsRpFIBkkucSLIdusnzKZzx5bolpCT
CMzINV8yBs+krW+zWyMKQPxFAR1ogKw2MQ1jgkei7L74T3u1Dwx+zlG0x1Yva0RY
YWT3OCeIGwHRLIaBbmJlbVLNw4qtRF+p6DQCtcfpCwIgZI9Y2jjlYSbTSCAD4afa
CVGzmIJNUacqMoHvWXoPD/0Q/VztteY6Evssv9urcrBSZ7QDItauNkNuYQi9zXGw
85XTZaFByLhPSkwddPUbCpHVYON/PMXelsv/+83O5+L9m6e4JLQ=
=Cx04
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXubBquNLKJtyKPYoAQgqyA/6ApK4pUX6P2BWj8TKUL08PS8UvjG2SD7H
RiBJ3tKIRHp3N3BMkeACSXl6MO6gWuuekMPIOqYJdRUhzGlJpR081ANAV+rwq8gq
fM9ayf6JnBXGvpAvy+EsoSBeoE/GSYH/pV5qUueIw90SB/kQetFrNweOnu5rKrCi
KuEYU4O6hZ73IXjAxb+FmN5HRWBzVsgKo3eNRB2ln66UiOJ+icfpdoimsSj50jR5
doeXCMJtu4AByVO/D9SFYvVVF+O+HhVOSWvaJNISzN11v5+QNdDuGvWKKrDHsPKv
E5Jrfx3SEYw3Gg5rlsETo+QWHuRxnHFYk6md+hYvv6xAX42WVTI/CIb2LYU/h20w
QnzVvlH+IkrZ64bLCv4PLzGEhnZXUjdEHfEV//ISwEtG0N/sIYDS5HhQpV4NJx4N
lfEt6HEc1vvTDdpajB+LmY3UgiFLiuKUld4rjFZ+4WZnrRzeJTkutRGQAQnbv2Gw
ExcLiRqj9BJ3KG42gzAinHLxJ5UhyW8Jy2v9BNpMRYcmETvTaJDzbcwnaBO6U353
JeQZ6EwEQE/CCfbTCgZLWQ+irxtKbTeIabsq0JxJq1UEEvcuxjPltjT6lemAkZE0
7gg+MY8iUYJtPbbb4Q9MHzO6zwryS3wkiznUhwQ+8eAuHwLJnqhjY0vaZ+JAGAWk
mVYHYV0a4+0=
=yd2O
-----END PGP SIGNATURE-----