
Debian Bug report logs - #876466
libexif: CVE-2017-7544: Out-of-bounds heap read in exif_data_save_data_entry function


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Sep 2017 15:09:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version libexif/0.6.21-2

Fixed in version libexif/0.6.21-2.1

Done: Hugh McMaster <hugh.mcmaster@outlook.com>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/libexif/bugs/130/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#876466; Package src:libexif. (Fri, 22 Sep 2017 15:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 22 Sep 2017 15:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libexif: CVE-2017-7544: Out-of-bounds heap read in exif_data_save_data_entry function
Date: Fri, 22 Sep 2017 17:05:05 +0200
Source: libexif
Version: 0.6.21-2
Severity: important
Tags: security patch upstream
Forwarded: https://sourceforge.net/p/libexif/bugs/130/

Hi,

the following vulnerability was published for libexif.

CVE-2017-7544[0]:
| libexif through 0.6.21 is vulnerable to out-of-bounds heap read
| vulnerability in exif_data_save_data_entry function in
| libexif/exif-data.c caused by improper length computation of the
| allocated data of an ExifMnote entry which can cause denial-of-service
| or possibly information disclosure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7544
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
[1] https://sourceforge.net/p/libexif/bugs/130/

The attached report in the upstream bug is password protected, but
there is a produced patch by Marcus Meissner in the upstream bug.

Regards,
Salvatore
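The CVE text above describes a mismatch between the length computed for an entry and the bytes actually allocated for it. The following is an added, constructed illustration of that bug class and of the check that closes it; it is not libexif's code and not Marcus Meissner's upstream patch. The entry_t struct, the function names, and the sample payload are assumptions for the demo; only the EXIF format widths and the MakerNote tag id 0x927c are standard values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a parsed EXIF entry. This is an assumption for the
 * demo; it is not libexif's ExifEntry. */
typedef struct {
    uint16_t tag;                 /* EXIF tag id */
    uint16_t format;              /* EXIF format code (1 = BYTE, 3 = SHORT, ...) */
    uint32_t components;          /* component count as stored in the file */
    const unsigned char *data;    /* payload buffer */
    size_t data_len;              /* bytes actually allocated for data */
} entry_t;

/* Byte width of one component for the standard EXIF format codes;
 * 0 means unknown and is rejected by the callers below. */
size_t format_size(uint16_t format) {
    switch (format) {
    case 1: case 2: case 6: case 7:   return 1; /* BYTE, ASCII, SBYTE, UNDEFINED */
    case 3: case 8:                   return 2; /* SHORT, SSHORT */
    case 4: case 9: case 11:          return 4; /* LONG, SLONG, FLOAT */
    case 5: case 10: case 12:         return 8; /* RATIONAL, SRATIONAL, DOUBLE */
    default:                          return 0;
    }
}

/* Size the entry claims to occupy: components * width, with overflow check.
 * Returns 1 and sets *out on success, 0 on unknown format or overflow. */
int claimed_size(const entry_t *e, size_t *out) {
    size_t width = format_size(e->format);
    if (width == 0) return 0;
    if (e->components > SIZE_MAX / width) return 0;
    *out = (size_t)e->components * width;
    return 1;
}

/* Bug class from the CVE text: the copy trusts the size derived from the
 * entry's metadata. If fewer bytes were allocated, memcpy reads past the
 * end of e->data. Shown for contrast only; never called below. */
int save_entry_unchecked(const entry_t *e, unsigned char *dst, size_t dst_len) {
    size_t need;
    if (!claimed_size(e, &need) || need > dst_len) return -1;
    memcpy(dst, e->data, need);
    return (int)need;
}

/* Hardened form: the claimed size must agree with the bytes actually
 * allocated, and must fit the destination, before anything is copied. */
int save_entry_checked(const entry_t *e, unsigned char *dst, size_t dst_len) {
    size_t need;
    if (!claimed_size(e, &need)) return -1;
    if (need != e->data_len) return -1;   /* metadata and allocation disagree */
    if (need > dst_len) return -1;        /* would overflow the output */
    memcpy(dst, e->data, need);
    return (int)need;
}

/* Constructed sample payload (not real EXIF data). */
static const unsigned char SAMPLE4[4] = { 0x01, 0x02, 0x03, 0x04 };

/* UNDEFINED x 4 = 4 bytes, 4 bytes allocated: accepted, returns 4. */
int demo_well_formed(void) {
    unsigned char out[16];
    entry_t e = { 0x927c, 7, 4, SAMPLE4, sizeof SAMPLE4 };
    return save_entry_checked(&e, out, sizeof out);
}

/* SHORT x 4 claims 8 bytes but only 4 were allocated: rejected, returns -1. */
int demo_length_mismatch(void) {
    unsigned char out[16];
    entry_t e = { 0x927c, 3, 4, SAMPLE4, sizeof SAMPLE4 };
    return save_entry_checked(&e, out, sizeof out);
}

/* Unknown format code: rejected, returns -1. */
int demo_unknown_format(void) {
    unsigned char out[16];
    entry_t e = { 0x927c, 99, 4, SAMPLE4, sizeof SAMPLE4 };
    return save_entry_checked(&e, out, sizeof out);
}

int main(void) {
    printf("well formed: %d\n", demo_well_formed());
    printf("length mismatch: %d\n", demo_length_mismatch());
    printf("unknown format: %d\n", demo_unknown_format());
    return 0;
}
```

The point of the checked variant is that a size derived from file-controlled metadata (format code and component count) is never used as the copy length on its own; it is reconciled with what the parser really allocated, so a crafted entry whose declared size exceeds its allocation is refused rather than read past its buffer.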



Reply sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
You have taken responsibility. (Sun, 08 Oct 2017 03:54:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 08 Oct 2017 03:54:09 GMT)


Message #10 received at 876466-close@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: 876466-close@bugs.debian.org
Subject: Bug#876466: fixed in libexif 0.6.21-2.1
Date: Sun, 08 Oct 2017 03:50:58 +0000
Source: libexif
Source-Version: 0.6.21-2.1

We believe that the bug you reported is fixed in the latest version of
libexif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated libexif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Oct 2017 22:42:00 +1100
Source: libexif
Binary: libexif-dev libexif12
Architecture: source
Version: 0.6.21-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Description:
 libexif-dev - library to parse EXIF files (development files)
 libexif12  - library to parse EXIF files
Closes: 786562 873022 876466
Changes:
 libexif (0.6.21-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debhelper update:
     - Update package compatibility to level 10.
   * debian/control:
     - Bump debhelper build-dep to >= 10~.
     - Remove dh-autoreconf from the Build-Depends list, as debhelper
       enables the 'autoreconf' sequence by default.
     - Bump Standards-Version from 3.9.5 to 4.1.1.
     - Use the https protocol in the Vcs-Browser field.
     - Update the URI referenced by the Vcs-Git field.
     - Mark libexif-dev Multi-Arch: same (Closes: #786562).
   * debian/copyright:
     - Update the format specification URI.
     - Remove references to libjpeg/* and configure.in (lintian).
     - Merge paragraphs referring to the same source file (lintian).
   * debian/patches:
     - Add upstream patches to fix CVE-2016-6328 and CVE-2017-7544
       (thanks to Marcus Meissner) (Closes: #873022, #876466).
   * debian/rules:
     - Add 'hardening=+all' to DEB_BUILD_MAINT_OPTIONS.
     - Exclude doxygen md5 files from installation (lintian).
     - Remove '--with autoreconf' (now handled by debhelper level 10).
     - Fix grammatical errors in a comment.
Checksums-Sha1:
 bcdd4112b17740fd1d6c7e43eec40b253faecbdf 2076 libexif_0.6.21-2.1.dsc
 03f07c240eccd3a88ea05b77a28b239c1c02efe8 9696 libexif_0.6.21-2.1.debian.tar.xz
 fb91621f63b04be64703a513e451985dcf1865fe 5275 libexif_0.6.21-2.1_source.buildinfo
Checksums-Sha256:
 7cf7e50a2bb33a7964cca2f6c18fcfd53e123b6e5c42fd05caa6a68ed97d523e 2076 libexif_0.6.21-2.1.dsc
 d9aa6ebdc988f04d02984370ca3728aa3ae53c311ec67123e1dc01d589f0096c 9696 libexif_0.6.21-2.1.debian.tar.xz
 56c989cbf3d6a7d2459ced9e8b472f1d2bf0317433a733f479b562f6883906f5 5275 libexif_0.6.21-2.1_source.buildinfo
Files:
 066b3237f1ba67ed4897d6937f16e67a 2076 libs optional libexif_0.6.21-2.1.dsc
 697875458879e1c53b7426e526b5a687 9696 libs optional libexif_0.6.21-2.1.debian.tar.xz
 65774aa7eb9b523eab2d16bd7fdc71d0 5275 libs optional libexif_0.6.21-2.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Dec 2017 07:32:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:39:25 2019; Machine Name: beach
