Hello security team (and sorry for being late, I was away and forgot to mark myself as on vacation on db.debian.org),

Stefan Fritsch wrote:
> Package: libexif
> Severity: grave
> Tags: security
> Justification: user security hole
>
> A vulnerability has been found in libexif:
> "Integer overflow in the exif_data_load_data_entry function in
> exif-data.c in libexif before 0.6.14 allows user-assisted remote
> attackers to cause a denial of service (crash) or possibly execute
> arbitrary code via crafted EXIF data, involving the (1) doff or (2) s
> variable."
>
> See
> http://sourceforge.net/tracker/index.php?func=detail&aid=1716196&group_id=12272&atid=112272
>
> Please mention the CVE id in the changelog.

I prepared 0.6.13-5.etch.1 for upload; please find the interdiff attached to this email (stripped of a copy of config.log that sneaked into the 0.6.13-5 diff). I also backported other security-related fixes that went in between 0.6.14 and 0.6.15 (but have not been announced).

libexif (0.6.13-5.etch.1) stable-security; urgency=high

  * Backported security fix from 0.6.14 and 0.6.15
  * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645)
    (closes: #424775)
  * Don't dereference NULL (CID 4) (no assigned CVE)
  * Don't parse Makernote when there is not enough data for
    (makernote-irrelevant) IFD1 (no assigned CVE)

 -- Frederic Peters <[EMAIL PROTECTED]>  Thu, 24 May 2007 13:01:20 +0200

Is this okay for upload?

Regards,
Frederic
diff -u libexif-0.6.13/debian/changelog libexif-0.6.13/debian/changelog
--- libexif-0.6.13/debian/changelog
+++ libexif-0.6.13/debian/changelog
@@ -1,3 +1,14 @@
+libexif (0.6.13-5.etch.1) stable-security; urgency=high
+
+ * Backported security fix from 0.6.14 and 0.6.15
+ * Integer overflow in the exif_data_load_data_entry (CVE-2007-2645)
+ (closes: #424775)
+ * Don't dereference NULL (CID 4) (no assigned CVE)
+ * Don't parse Makernote when there is not enough data for
+ (makernote-irelevant) IFD1 (no assigned CVE)
+
+ -- Frederic Peters <[EMAIL PROTECTED]> Thu, 24 May 2007 13:01:20 +0200
+
libexif (0.6.13-5) unstable; urgency=low
* libexif/exif-entry.c: added extra check against value read for color
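Review bot: "irelevant" in the last bullet of the new changelog entry should read "irrelevant", and the first bullet says "security fix" (singular) while three distinct fixes follow; "Backported security fixes from 0.6.14 and 0.6.15" would match the list. It would also help anyone auditing the stable update later if the IFD1 bullet named the function it touches (exif_data_load_data), as the CVE bullet does for exif_data_load_data_entry.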
only in patch2:
unchanged:
--- libexif-0.6.13.orig/libexif/exif-data.c
+++ libexif-0.6.13/libexif/exif-data.c
@@ -183,6 +183,8 @@
doff = offset + 8;
/* Sanity check */
+ if ((doff + s < doff) || (doff + s < s))
+ return;
if (size < doff + s)
return;
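Review bot: the added wrap test `if ((doff + s < doff) || (doff + s < s))` only works if doff and s are unsigned; if either is a signed int, the overflow it is testing for is undefined behaviour and the compiler is free to drop the comparison. Both this test and the existing `if (size < doff + s)` can be folded into one check that never forms the sum at all, `if (doff > size || s > size - doff) return;`, which rejects the wrapping case, rejects a doff already past the end of the buffer, and has no undefined arithmetic regardless of signedness. For unsigned operands the two disjuncts in the current test are equivalent (a wrapped sum is smaller than both addends), so one of them is redundant. Also worth a look: `doff = offset + 8` two lines above is itself unguarded, so an offset within 8 of the type's maximum yields a small doff that passes every check that follows.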
@@ -194,8 +196,13 @@
/* If this is the MakerNote, remember the offset */
if (entry->tag == EXIF_TAG_MAKER_NOTE) {
- if (entry->size > 6) exif_log (data->priv->log,
- EXIF_LOG_CODE_DEBUG, "ExifData",
+ if (!entry->data) {
+ exif_log (data->priv->log,
+ EXIF_LOG_CODE_DEBUG, "ExifData",
+ "MakerNote found with NULL data");
+ }
+ else if (entry->size > 6)
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG,
"MakerNote found (%02x %02x %02x %02x "
"%02x %02x %02x...).",
entry->data[0], entry->data[1], entry->data[2],
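Review bot: the rewritten exif_log call in the `else if (entry->size > 6)` branch has lost the `"ExifData"` domain argument that the removed lines passed (`EXIF_LOG_CODE_DEBUG, "ExifData",` became just `EXIF_LOG_CODE_DEBUG,`), unless that token was dropped in the mail. With exif_log taking (log, code, domain, format, ...), the unchanged "MakerNote found (%02x ..." string now lands in the domain slot and entry->data[0] is consumed as the format pointer, which is a pointer/integer mismatch at compile time and a bad pointer dereference whenever debug logging is enabled. Restore `"ExifData",` between EXIF_LOG_CODE_DEBUG and the format string. Separately, the new NULL branch only logs; please confirm that whatever follows this hunk and records the MakerNote offset also skips an entry whose data is NULL, otherwise the dereference has merely moved down a few lines.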
@@ -828,11 +835,10 @@
/* Sanity check. */
if (offset > ds - 6) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
- "ExifData", "Bogus offset.");
- return;
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
+ exif_data_load_data_content (data, EXIF_IFD_1, d + 6, ds - 6, offset, 0);
}
-
- exif_data_load_data_content (data, EXIF_IFD_1, d + 6, ds - 6, offset, 0);
}
/*
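Review bot: `if (offset > ds - 6)` is only a bounds check if ds >= 6 has already been established; for an unsigned ds below 6 the subtraction wraps and any offset is accepted, and the following `d + 6, ds - 6` arguments would then describe a buffer that does not exist. If the earlier part of exif_data_load_data does not guarantee it, make the guard `if (ds < 6 || offset > ds - 6)`. The restructuring itself is right for the changelog's purpose: turning the early `return` into an else branch means a bogus IFD1 offset now only skips IFD1 and the code after this block (the MakerNote interpretation the changelog refers to) keeps running, whereas before it was silently abandoned.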
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: libexif
Version: 0.6.13-5.etch.1
Binary: libexif-dev, libexif12
Maintainer: Frederic Peters <[EMAIL PROTECTED]>
Architecture: any
Standards-Version: 3.6.2
Build-Depends: debhelper (>> 3.0.0), doxygen, graphviz
Files:
 e5ad93c170bfb4fed6dc3e1c7a7948cb 727418 libexif_0.6.13.orig.tar.gz
 3f6e1bc23a5b0f3b1b139d1c2db0a1a6 4560 libexif_0.6.13-5.etch.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVXYKoR3LsWeD7V4RAmNKAJ94k84OGFVZrNWpQiqnhz1iMhD4VgCffWrx
EA7cyErm63mY343qjBOscRs=
=1Cll
-----END PGP SIGNATURE-----
libexif_0.6.13-5.etch.1.diff.gz
Description: application/gunzip
pgpiXEPLiiO1S.pgp
Description: PGP signature
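The quoted CVE text says the overflow in exif_data_load_data_entry involves "the (1) doff or (2) s variable", and the interdiff above guards it with a wrap test before `size < doff + s`. As an added illustration (my own code, not libexif's and not the patch), the following program puts the pre-fix shape of that check beside the patch's wrap-detecting form and a subtraction form that cannot wrap, and runs all three over constructed inputs against a 100-byte blob. The names entry_fits_naive, entry_fits_wrapcheck, entry_fits_safe and try_load are mine; doff, s and size are modelled as 32-bit unsigned values, which is an assumption about the widths involved, not something the mail states.

```c
/* Added illustration, not libexif code: why "size < doff + s" is not a
 * bounds check on its own, and two ways to harden it. doff (data offset),
 * s (entry data size) and size (length of the EXIF blob) are modelled as
 * 32-bit unsigned values (an assumption); every input below is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix shape: doff + s is formed in 32 bits and may wrap, so a huge doff
 * or a huge s produces a small sum that passes the comparison with size. */
bool entry_fits_naive(uint32_t size, uint32_t doff, uint32_t s)
{
    uint32_t end = doff + s;               /* wraps modulo 2^32 */
    return !(size < end);
}

/* Shape used by the patch: refuse the entry when the sum wrapped. For
 * unsigned operands the two disjuncts are equivalent; either one suffices. */
bool entry_fits_wrapcheck(uint32_t size, uint32_t doff, uint32_t s)
{
    uint32_t end = doff + s;
    if (end < doff || end < s)
        return false;
    return !(size < end);
}

/* Subtraction form: never forms doff + s, so there is nothing to wrap, and it
 * also rejects a doff that is by itself past the end of the buffer. */
bool entry_fits_safe(uint32_t size, uint32_t doff, uint32_t s)
{
    if (doff > size)
        return false;
    return s <= size - doff;
}

/* What a loader that trusted a given check would do. The true range is
 * recomputed in 64-bit arithmetic so the verdict itself cannot wrap. */
enum outcome { REJECTED = 0, ACCEPTED_IN_RANGE = 1, ACCEPTED_OUT_OF_RANGE = 2 };

enum outcome try_load(bool (*check)(uint32_t, uint32_t, uint32_t),
                      uint32_t size, uint32_t doff, uint32_t s)
{
    if (!check(size, doff, s))
        return REJECTED;
    uint64_t end = (uint64_t)doff + (uint64_t)s;
    return end <= (uint64_t)size ? ACCEPTED_IN_RANGE : ACCEPTED_OUT_OF_RANGE;
}

int main(void)
{
    /* Constructed cases against a 100-byte EXIF blob. */
    struct { const char *name; uint32_t doff, s; } cases[] = {
        { "ordinary entry",     8,           4           },
        { "plainly too long",   90,          20          },
        { "huge doff (wraps)",  0xFFFFFFF0u, 0x20u       },
        { "huge s (wraps)",     8,           0xFFFFFFFCu },
    };
    const char *verdict[] = { "rejected", "accepted, in range",
                              "ACCEPTED OUT OF RANGE" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-20s naive: %-22s wrapcheck: %-10s safe: %s\n", cases[i].name,
               verdict[try_load(entry_fits_naive, 100, cases[i].doff, cases[i].s)],
               verdict[try_load(entry_fits_wrapcheck, 100, cases[i].doff, cases[i].s)],
               verdict[try_load(entry_fits_safe, 100, cases[i].doff, cases[i].s)]);
    }
    return 0;
}
```

The two wrapping rows are the ones the CVE text describes: with doff near the top of the range, or with s near it, the naive check accepts an entry whose real end lies far beyond the buffer, while both hardened forms reject it. The subtraction form is the one to prefer in new code, since it has no undefined behaviour even if the variables turn out to be signed.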

