SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

[-- Attachment #1: Type: text/plain, Size: 408 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

IIRC libexif was previously Gerrit's.  Did someone else take this over
already?  I have it already in Ports.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGgexhpiWmPGlmQSMRCPqUAKDP8xj0VS15rbMDufvQBfHIvJYCDACgtfPt
kgM/in8GwIPLJp2Zajyok7c=
=RqVY
-----END PGP SIGNATURE-----

[-- Attachment #2: [ GLSA 200706-09 ] libexif: Buffer overflow.eml --]
[-- Type: message/rfc822, Size: 6442 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 2768 bytes --]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200706-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libexif: Buffer overflow
      Date: June 26, 2007
      Bugs: #181922
        ID: 200706-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libexif does not properly handle image EXIF information, possibly
allowing for the execution of arbitrary code.

Background
==========

libexif is a library for parsing, editing and saving EXIF metadata from
images.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-libs/libexif      < 0.6.16                        >= 0.6.16

Description
===========

iDefense Labs have discovered that the exif_data_load_data_entry()
function in libexif/exif-data.c improperly handles integer data while
working with an image with many EXIF components, allowing an integer
overflow possibly leading to a heap-based buffer overflow.

Impact
======

An attacker could entice a user of an application making use of a
vulnerable version of libexif to load a specially crafted image file,
possibly resulting in a crash of the application or the execution of
arbitrary code with the rights of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libexif users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libexif-0.6.16"

References
==========

  [ 1 ] CVE-2006-4168
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4168

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200706-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

[-- Attachment #2.1.2: Type: application/pgp-signature, Size: 481 bytes --]

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Corinna Vinschen]

On Jun 26 23:49, Yaakov (Cygwin Ports) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> IIRC libexif was previously Gerrit's.  Did someone else take this over
> already?  I have it already in Ports.

Nope, the package is still in limbo.  It would be great if you take over.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna Vinschen wrote:
> Nope, the package is still in limbo.  It would be great if you take over.

Done.


Yaakov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpunLpiWmPGlmQSMRCIcUAJ4i01tH7pBjJHixgX56y5557Fgc8ACcC0Lj
WX3Ja1TOzHybFIxVrzMQv3Q=
=Ut36
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Corinna Vinschen]

On Jul 25 01:12, Yaakov (Cygwin Ports) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Corinna Vinschen wrote:
> > Nope, the package is still in limbo.  It would be great if you take over.
> 
> Done.

Thank you, but... where are the packages?  I don't see the updated
packages in release/exif.


Corinna


P.S.:  Igor?  It's gold star time...


-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Corinna Vinschen]

On Jul 25 08:28, Corinna Vinschen wrote:
> On Jul 25 01:12, Yaakov (Cygwin Ports) wrote:
> > Corinna Vinschen wrote:
> > > Nope, the package is still in limbo.  It would be great if you take over.
> > 
> > Done.
> 
> Thank you, but... where are the packages?  I don't see the updated
> packages in release/exif.

Never mind, I just found them.  The directory layout is a bit weird
now:

   - exif
     - libexif
       - libexif12
       - libexif-devel
     - libexif10

Why are libexif12 and libexif-devel not in the same directory level
as libexif10?  Oh, and, do you also take over maintainance of libexif10
or is that still an orphaned package?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna Vinschen wrote:
> Thank you, but... where are the packages?  I don't see the updated
> packages in release/exif.

Logged into sourceware, I see them in release/exif/libexif/.  I haven't
checked the mirrors.


Yaakov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpu/ppiWmPGlmQSMRCPT+AKCjqUj9lghDi9qC4rViHfUS4agmhwCfe1Fw
y9g1WphZREHZ2/k6lM4avlk=
=jgkO
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna Vinschen wrote:
> Never mind, I just found them.  The directory layout is a bit weird
> now:
> 
>    - exif
>      - libexif
>        - libexif12
>        - libexif-devel
>      - libexif10

Yeah, I know, that's how Gerrit set them up; should I move libexif
immediately under release?

> Why are libexif12 and libexif-devel not in the same directory level
> as libexif10?  Oh, and, do you also take over maintainance of libexif10
> or is that still an orphaned package?

libexif10 should be moved to _obsolete, and being that it's also
affected by the buffer overflow, should be dropped like a hot potato.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpvC/piWmPGlmQSMRCF0OAJ9AK0ElZi8EYh+y8z5u+tkFN6wW1gCfUWGL
EXeAtYuZQbojxCNwY/7Z7sg=
=u+i+
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Corinna Vinschen]

On Jul 25 01:42, Yaakov (Cygwin Ports) wrote:
> Corinna Vinschen wrote:
> > Never mind, I just found them.  The directory layout is a bit weird
> > now:
> > 
> >    - exif
> >      - libexif
> >        - libexif12
> >        - libexif-devel
> >      - libexif10
> 
> Yeah, I know, that's how Gerrit set them up; should I move libexif
> immediately under release?

No worries, it's your call.

> > Why are libexif12 and libexif-devel not in the same directory level
> > as libexif10?  Oh, and, do you also take over maintainance of libexif10
> > or is that still an orphaned package?
> 
> libexif10 should be moved to _obsolete, and being that it's also
> affected by the buffer overflow, should be dropped like a hot potato.

I moved libexif10 to _obsolete.

Another question:  The exif package was Gerrit's package, too, and
it's still on version 0.6.9.  Any chance that you could take this one
over as well?


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna Vinschen wrote:
> I moved libexif10 to _obsolete.

Thank you.

> Another question:  The exif package was Gerrit's package, too, and
> it's still on version 0.6.9.  Any chance that you could take this one
> over as well?

I'll take a look at it tomorrow.


Yaakov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpvfVpiWmPGlmQSMRCHWrAKDHIPqfjeoxvoLMoKnb0AafiobjogCfcV6R
YpR0LIttOGt6fTVtjwildok=
=6+kx
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Igor Peshansky]

On Wed, 25 Jul 2007, Corinna Vinschen wrote:

> On Jul 25 01:12, Yaakov (Cygwin Ports) wrote:
>
> > Corinna Vinschen wrote:
> > > Nope, the package is still in limbo.  It would be great if you take over.
> >
> > Done.
>
> Thank you, but... where are the packages?  I don't see the updated
> packages in release/exif.
>
> Corinna
>
> P.S.:  Igor?  It's gold star time...

Indeed: <http://cygwin.com/goldstars/#YS>.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Yaakov (Cygwin Ports) wrote:
> Corinna Vinschen wrote:
>> Another question:  The exif package was Gerrit's package, too, and
>> it's still on version 0.6.9.  Any chance that you could take this one
>> over as well?
> 
> I'll take a look at it tomorrow.

I could bump this, but exif depends on libpopt0, which hasn't been
updated within the distro in over five years.

cgf, as the popt maintainer on record, would you mind bumping popt to
the current version?


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGp/jRpiWmPGlmQSMRCH+5AJ4vWkbek0UX25f+3fmEEY9KqEc0HACeOYqK
XwGcxjh7s1exGjwjKeEMIRk=
=eJan
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Corinna Vinschen]

On Jul 25 20:28, Yaakov (Cygwin Ports) wrote:
> > Corinna Vinschen wrote:
> >> Another question:  The exif package was Gerrit's package, too, and
> >> it's still on version 0.6.9.  Any chance that you could take this one
> >> over as well?
> 
> I could bump this, but exif depends on libpopt0, which hasn't been
> updated within the distro in over five years.

Does that matter?  Would the latest libpopt bump the DLL version number?

> cgf, as the popt maintainer on record, would you mind bumping popt to
> the current version?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Christopher Faylor]

On Thu, Jul 26, 2007 at 09:17:58AM +0200, Corinna Vinschen wrote:
>On Jul 25 20:28, Yaakov (Cygwin Ports) wrote:
>> > Corinna Vinschen wrote:
>> >> Another question:  The exif package was Gerrit's package, too, and
>> >> it's still on version 0.6.9.  Any chance that you could take this one
>> >> over as well?
>> 
>> I could bump this, but exif depends on libpopt0, which hasn't been
>> updated within the distro in over five years.
>
>Does that matter?  Would the latest libpopt bump the DLL version number?
>
>> cgf, as the popt maintainer on record, would you mind bumping popt to
>> the current version?

It doesn't look that way.

FWIW, libpopt0 was, the last time I checked, linked to rpm and rpm had
become particularly hard to port to cygwin, also the last time I
checked.

cgf

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christopher Faylor wrote:
> FWIW, libpopt0 was, the last time I checked, linked to rpm and rpm had
> become particularly hard to port to cygwin, also the last time I
> checked.

I'm not sure what you mean by "linked" to rpm.  While I'm aware that
popt was originally developed for rpm, it is a separate package used by
many other projects; and while the library (supposedly) hasn't had any
API breakage, surely the functionality has improved over 5+ years.

IOW, upgrading popt should have nothing to do with Cygwin's version of
rpm, although understandably you would want to test that first.


Yaakov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGqUL+piWmPGlmQSMRCPbfAKDIV5NeT9LF0mvWpRy1RbBmlETGugCfXXlK
fWGHunxNee4p8bWa/al4XJc=
=6qnk
-----END PGP SIGNATURE-----

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

[Charles Wilson]

Yaakov (Cygwin Ports) wrote:
>> I'm not sure what you mean by "linked" to rpm.  While I'm aware that
> popt was originally developed for rpm, it is a separate package used by
> many other projects; and while the library (supposedly) hasn't had any
> API breakage, surely the functionality has improved over 5+ years.
> 
> IOW, upgrading popt should have nothing to do with Cygwin's version of
> rpm, although understandably you would want to test that first.

Well, popt is an odd duck.  In the days of yore, the version distributed 
as an integrated part of the rpm source code was more up-to-date than 
any actual "versioned" release of the separate popt src tarballs.  So 
there was always the question of whether to pull an outdated but 
official release of popt -src, or to extract it from the rpm tarball.

Then, rpm development kinda died off there for a while (and popt, with 
it).  Now, rpm has been forked: there's the Jeff Johnson version 
(supported by OpenPkg/Mandriva/PLD, among others) at rpm5.org that's 
been under active development ever since Jeff left Red Hat in 2005.

Then, there's the Red Hat/Fedora version at rpm.org, supported also by 
SuSe/Novell, which finally started getting some renewed development from 
those distros last December -- spurred on, no doubt, by Jeff's 
"official" announcement of his fork and launch of his rpm5.org site.

In each case, this fork also represents a fork of popt.

So, which one should be used? Obviously, that's up to the popt 
maintainer.  If it were me, I'd have taken a wait-and-see attitude, 
hoping the forks would settle down (perhaps "unforking" the internal 
support libraries such as popt.)

--
Chuck