Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow.

The remote Solaris system is missing necessary patches to address security updates :

  - The exif_entry_get_value function in exif-entry.c in the     EXIF Tag Parsing Library (aka libexif) before 0.6.21     allows remote attackers to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from process memory via crafted EXIF tags in     an image. (CVE-2012-2812)

  - The exif_convert_utf16_to_utf8 function in exif-entry.c     in the EXIF Tag Parsing Library (aka libexif) before     0.6.21 allows remote attackers to cause a denial of     service (out-of-bounds read) or possibly obtain     sensitive information from process memory via crafted     EXIF tags in an image. (CVE-2012-2813)

  - Buffer overflow in the exif_entry_format_value function     in exif-entry.c in the EXIF Tag Parsing Library (aka     libexif) 0.6.20 allows remote attackers to cause a     denial of service or possibly execute arbitrary code via     crafted EXIF tags in an image. (CVE-2012-2814)

  - The exif_data_load_data function in exif-data.c in the     EXIF Tag Parsing Library (aka libexif) before 0.6.21     allows remote attackers to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from process memory via crafted EXIF tags in     an image. (CVE-2012-2836)

  - The mnote_olympus_entry_get_value function in     olympus/mnote-olympus-entry.c in the EXIF Tag Parsing     Library (aka libexif) before 0.6.21 allows remote     attackers to cause a denial of service (divide-by-zero     error) via an image with crafted EXIF tags that are not     properly handled during the formatting of EXIF maker     note tags. (CVE-2012-2837)

  - Off-by-one error in the exif_convert_utf16_to_utf8     function in exif-entry.c in the EXIF Tag Parsing Library     (aka libexif) before 0.6.21 allows remote attackers to     cause a denial of service or possibly execute arbitrary     code via crafted EXIF tags in an image. (CVE-2012-2840)

  - Integer underflow in the exif_entry_get_value function     in exif-entry.c in the EXIF Tag Parsing Library (aka     libexif) 0.6.20 might allow remote attackers to execute     arbitrary code via vectors involving a crafted     buffer-size parameter during the formatting of an EXIF     tag, leading to a heap-based buffer overflow.
    (CVE-2012-2841)

  - Integer overflow in the jpeg_data_load_data function in     jpeg-data.c in libjpeg in exif 0.6.20 allows remote     attackers to cause a denial of service (buffer over-read     and application crash) or obtain potentially sensitive     information via a crafted JPEG file. (CVE-2012-2845)

Several security issues were found by the Google Security Team in libexif and fixed there.

The remote host is affected by the vulnerability described in GLSA-201401-10 (libexif, exif: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libexif and exif.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted image       file using exif or an application linked against libexif, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1255 advisory.

    [0.6.21-5]
    - Update to version 0.6.21 fixing many bugs and CVEs
    - Remove upstreamed patches
    - Resolves: #839915

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities has been discovered and corrected in libexif :

A heap-based out-of-bounds array read in the exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags (CVE-2012-2812).

A heap-based out-of-bounds array read in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags (CVE-2012-2813).

A buffer overflow in the exif_entry_format_value function in libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags (CVE-2012-2814).

A heap-based out-of-bounds array read in the exif_data_load_data function in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive information from process memory via an image with crafted EXIF tags (CVE-2012-2836).

A divide-by-zero error in the mnote_olympus_entry_get_value function while formatting EXIF maker note tags in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service via an image with crafted EXIF tags (CVE-2012-2837).

An off-by-one error in the exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly execute arbitrary code via an image with crafted EXIF tags (CVE-2012-2840).

An integer underflow in the exif_entry_get_value function can cause a heap overflow and potentially arbitrary code execution while formatting an EXIF tag, if the function is called with a buffer size parameter equal to zero or one (CVE-2012-2841).

The updated packages have been upgraded to the 0.6.21 version which is not vulnerable to these issues.

libexif project security advisory :

A number of remotely exploitable issues were discovered in libexif and exif, with effects ranging from information leakage to potential remote code execution.

A security bugfix release. A security bugfix release.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A security bugfix release.

A security bugfix release.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various overflows and other security related bugs in libexif were found by the Google Security team and fixed by the libexif developers.

Several vulnerabilities were found in libexif, a library used to parse EXIF meta-data on camera files.

  - CVE-2012-2812 :
    A heap-based out-of-bounds array read in the     exif_entry_get_value function allows remote attackers to     cause a denial of service or possibly obtain potentially     sensitive information from process memory via an image     with crafted EXIF tags.

  - CVE-2012-2813 :
    A heap-based out-of-bounds array read in the     exif_convert_utf16_to_utf8 function allows remote     attackers to cause a denial of service or possibly     obtain potentially sensitive information from process     memory via an image with crafted EXIF tags.

  - CVE-2012-2814 :
    A buffer overflow in the exif_entry_format_value     function allows remote attackers to cause a denial of     service or possibly execute arbitrary code via an image     with crafted EXIF tags.

  - CVE-2012-2836 :
    A heap-based out-of-bounds array read in the     exif_data_load_data function allows remote attackers to     cause a denial of service or possibly obtain potentially     sensitive information from process memory via an image     with crafted EXIF tags.

  - CVE-2012-2837 :
    A divide-by-zero error in the     mnote_olympus_entry_get_value function while formatting     EXIF maker note tags allows remote attackers to cause a     denial of service via an image with crafted EXIF tags.

  - CVE-2012-2840 :
    An off-by-one error in the exif_convert_utf16_to_utf8     function allows remote attackers to cause a denial of     service or possibly execute arbitrary code via an image     with crafted EXIF tags.

  - CVE-2012-2841 :
    An integer underflow in the exif_entry_get_value     function can cause a heap overflow and potentially     arbitrary code execution while formatting an EXIF tag,     if the function is called with a buffer size parameter     equal to zero or one.

The libexif packages provide an Exchangeable image file format (Exif) library. Exif allows metadata to be added to and read from certain types of image files.

Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841)

Users of libexif are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libexif must be restarted for the update to take effect.

Updated libexif packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The libexif packages provide an Exchangeable image file format (Exif) library. Exif allows metadata to be added to and read from certain types of image files.

Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841)

Red Hat would like to thank Dan Fandrich for reporting these issues.
Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2012-2812, CVE-2012-2813, and CVE-2012-2814; and Yunho Kim as the original reporter of CVE-2012-2836 and CVE-2012-2837.

Users of libexif are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libexif must be restarted for the update to take effect.

Mateusz Jurczyk discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly obtain sensitive information. (CVE-2012-2812, CVE-2012-2813)

Mateusz Jurczyk discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2012-2814)

Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly obtain sensitive information. (CVE-2012-2836)

Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service. (CVE-2012-2837)

Dan Fandrich discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2012-2840, CVE-2012-2841).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libexif packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.

ID	Name	Product	Family	Severity
80668	Oracle Solaris Third-Party Patch Update : libexif (multiple_vulnerabilities_in_libexif1)	Nessus	Solaris Local Security Checks	high
74690	openSUSE Security Update : libexif (openSUSE-SU-2012:0914-1)	Nessus	SuSE Local Security Checks	high
72032	GLSA-201401-10 : libexif, exif: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69616	Amazon Linux AMI : libexif (ALAS-2012-126)	Nessus	Amazon Linux Local Security Checks	high
68615	Oracle Linux 5 / 6 : libexif (ELSA-2012-1255)	Nessus	Oracle Linux Local Security Checks	high
66049	Mandriva Linux Security Advisory : libexif (MDVSA-2013:035)	Nessus	Mandriva Local Security Checks	high
65560	FreeBSD : libexif -- multiple remote vulnerabilities (d881d254-70c6-11e2-862d-080027a5ec9a)	Nessus	FreeBSD Local Security Checks	high
64495	Fedora 16 : libexif-0.6.21-2.fc16 (2013-1257)	Nessus	Fedora Local Security Checks	high
64494	Fedora 17 : libexif-0.6.21-2.fc17 (2013-1244)	Nessus	Fedora Local Security Checks	high
64182	SuSE 11.1 Security Update : libexif (SAT Patch Number 6568)	Nessus	SuSE Local Security Checks	high
62599	Debian DSA-2559-1 : libexif - several vulnerabilities	Nessus	Debian Local Security Checks	high
62058	Scientific Linux Security Update : libexif on SL5.x, SL6.x i386/x86_64 (20120911)	Nessus	Scientific Linux Local Security Checks	high
62055	RHEL 5 / 6 : libexif (RHSA-2012:1255)	Nessus	Red Hat Local Security Checks	high
62047	CentOS 5 / 6 : libexif (CESA-2012:1255)	Nessus	CentOS Local Security Checks	high
61959	Mandriva Linux Security Advisory : libexif (MDVSA-2012:106)	Nessus	Mandriva Local Security Checks	high
60105	Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : libexif vulnerabilities (USN-1513-1)	Nessus	Ubuntu Local Security Checks	high
60103	SuSE 10 Security Update : libexif (ZYPP Patch Number 8224)	Nessus	SuSE Local Security Checks	high
60050	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : libexif (SSA:2012-200-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2012-2841

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high