Mandriva Linux Security Advisory : libexif (MDVSA-2012:106)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities has been discovered and corrected in
libexif :

A heap-based out-of-bounds array read in the exif_entry_get_value
function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows
remote attackers to cause a denial of service or possibly obtain
potentially sensitive information from process memory via an image
with crafted EXIF tags (CVE-2012-2812).

A heap-based out-of-bounds array read in the
exif_convert_utf16_to_utf8 function in libexif/exif-entry.c in libexif
0.6.20 and earlier allows remote attackers to cause a denial of
service or possibly obtain potentially sensitive information from
process memory via an image with crafted EXIF tags (CVE-2012-2813).

A buffer overflow in the exif_entry_format_value function in
libexif/exif-entry.c in libexif 0.6.20 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via an
image with crafted EXIF tags (CVE-2012-2814).

A heap-based out-of-bounds array read in the exif_data_load_data
function in libexif 0.6.20 and earlier allows remote attackers to
cause a denial of service or possibly obtain potentially sensitive
information from process memory via an image with crafted EXIF tags
(CVE-2012-2836).

A divide-by-zero error in the mnote_olympus_entry_get_value function
while formatting EXIF maker note tags in libexif 0.6.20 and earlier
allows remote attackers to cause a denial of service via an image with
crafted EXIF tags (CVE-2012-2837).

An off-by-one error in the exif_convert_utf16_to_utf8 function in
libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote
attackers to cause a denial of service or possibly execute arbitrary
code via an image with crafted EXIF tags (CVE-2012-2840).

An integer underflow in the exif_entry_get_value function can cause a
heap overflow and potentially arbitrary code execution while
formatting an EXIF tag, if the function is called with a buffer size
parameter equal to zero or one (CVE-2012-2841).

The updated packages have been upgraded to the 0.6.21 version which is
not vulnerable to these issues.

See also :

http://sourceforge.net/mailarchive/message.php?msg_id=29534027

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 61959 ()

Bugtraq ID:

CVE ID: CVE-2012-2812
CVE-2012-2813
CVE-2012-2814
CVE-2012-2836
CVE-2012-2837
CVE-2012-2840
CVE-2012-2841

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now