Mageia 2020-0238: libexif security update

    Date 27 May 2020
    Posted By LinuxSecurity Advisories
    The updated packages fix a security vulnerability: In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed.
    MGASA-2020-0238 - Updated libexif packages fix security vulnerability
    
    Publication date: 27 May 2020
    URL: https://advisories.mageia.org/MGASA-2020-0238.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2020-0093,
         CVE-2020-13112,
         CVE-2020-13113,
         CVE-2020-13114
    
    The updated packages fix a security vulnerability:
    
    In exif_data_save_data_entry of exif-data.c, there is a possible out of
    bounds read due to a missing bounds check. This could lead to local
    information disclosure with no additional execution privileges needed.
    User interaction is needed for exploitation. (CVE-2020-0093)
    
    exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero
    error (CVE-2020-12767).
    
    An issue was discovered in libexif before 0.6.22. Several buffer over-reads in
    EXIF MakerNote handling could lead to information disclosure and crashes
    (CVE-2020-13112).
    
    An issue was discovered in libexif before 0.6.22. Use of uninitialized memory
    in EXIF Makernote handling could lead to crashes and potential use-after-free
    conditions (CVE-2020-13113).
    
    An issue was discovered in libexif before 0.6.22. An unrestricted size in
    handling Canon EXIF MakerNote data could lead to consumption of large amounts
    of compute time for decoding EXIF data (CVE-2020-13114).
    
    The libexif package has been updated to version 0.6.22, fixing these issues
    and other bugs.
    
    Also, the exif package has been updated to version 0.6.22.  See the upstream
    NEWS files for details.
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=26650
    - https://www.debian.org/lts/security/2020/dla-2214
    - https://github.com/libexif/libexif/blob/libexif-0_6_22-release/NEWS
    - https://github.com/libexif/exif/blob/exif-0_6_22-release/NEWS
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
    
    SRPMS:
    - 7/core/libexif-0.6.22-1.mga7
    - 7/core/exif-0.6.22-1.mga7
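The advisory lists fixed source packages, while installed binary packages carry different names, so a host check has to go through each package's source RPM. The script below is an added example, not part of the advisory or of Mageia's tooling. It assumes `sort -V` ordering is close enough to rpm's version comparison, that no epochs are in use, and it runs on a constructed sample of `rpm -qa` output.

```shell
#!/bin/sh
# Fixed source packages, copied from the advisory's SRPMS list.
FIXED_SRPMS='libexif-0.6.22-1.mga7 exif-0.6.22-1.mga7'

# parse_nvr NVR: set NAME and EVR from name-version-release[.src.rpm].
# The name may contain dashes; version and release never do.
parse_nvr() {
    nvr=${1%.src.rpm}
    rel=${nvr##*-}; nvr=${nvr%-*}
    NAME=${nvr%-*}
    EVR=${nvr##*-}-$rel
}

# ver_ge A B: succeed when A >= B. Assumption: sort -V ordering stands in
# for rpm's own comparison, and epochs are not used.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit: read "binary-name source-rpm" lines on stdin and report every
# installed package that was built from one of the advisory's SRPMs.
audit() {
    while read -r bin srpm; do
        parse_nvr "$srpm"; have_name=$NAME; have_evr=$EVR
        for fixed in $FIXED_SRPMS; do
            parse_nvr "$fixed"
            [ "$have_name" = "$NAME" ] || continue
            if ver_ge "$have_evr" "$EVR"; then
                echo "OK $bin $have_evr"
            else
                echo "VULNERABLE $bin $have_evr < $EVR"
            fi
        done
    done
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{SOURCERPM}\n'
# (binary package names and the 0.6.21 release are illustrative).
SAMPLE='lib64exif12 libexif-0.6.21-7.mga7.src.rpm
exif exif-0.6.22-1.mga7.src.rpm
bash bash-5.0-4.mga7.src.rpm'

printf '%s\n' "$SAMPLE" | audit
```

On a real host, pipe the `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` output into `audit` in place of the sample.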
    
