openSUSE Security Update : libexif (openSUSE-2020-793)

critical Nessus Plugin ID 137392

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for libexif to 0.6.22 fixes the following issues :

Security issues fixed :

- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).

- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).

- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).

- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).

- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).

- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).

- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).

- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).

- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).

Non-security issues fixed :

- libexif was updated to version 0.6.22 :

- New translations: ms

- Updated translations for most languages

- Some useful EXIF 2.3 tag added :

- EXIF_TAG_GAMMA

- EXIF_TAG_COMPOSITE_IMAGE

- EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE

- EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE

- EXIF_TAG_GPS_H_POSITIONING_ERROR

- EXIF_TAG_CAMERA_OWNER_NAME

- EXIF_TAG_BODY_SERIAL_NUMBER

- EXIF_TAG_LENS_SPECIFICATION

- EXIF_TAG_LENS_MAKE

- EXIF_TAG_LENS_MODEL

- EXIF_TAG_LENS_SERIAL_NUMBER

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected libexif packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1055857

https://bugzilla.opensuse.org/show_bug.cgi?id=1059893

https://bugzilla.opensuse.org/show_bug.cgi?id=1120943

https://bugzilla.opensuse.org/show_bug.cgi?id=1160770

https://bugzilla.opensuse.org/show_bug.cgi?id=1171475

https://bugzilla.opensuse.org/show_bug.cgi?id=1171847

https://bugzilla.opensuse.org/show_bug.cgi?id=1172105

https://bugzilla.opensuse.org/show_bug.cgi?id=1172116

https://bugzilla.opensuse.org/show_bug.cgi?id=1172121

Plugin Details

Severity: Critical

ID: 137392

File Name: openSUSE-2020-793.nasl

Version: 1.3

Type: local

Agent: unix

Published: 6/12/2020

Updated: 5/16/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2019-9278

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libexif-debugsource, p-cpe:/a:novell:opensuse:libexif-devel, p-cpe:/a:novell:opensuse:libexif-devel-32bit, p-cpe:/a:novell:opensuse:libexif12, p-cpe:/a:novell:opensuse:libexif12-32bit, p-cpe:/a:novell:opensuse:libexif12-32bit-debuginfo, p-cpe:/a:novell:opensuse:libexif12-debuginfo, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 6/11/2020

Vulnerability Publication Date: 9/21/2017

Reference Information

CVE: CVE-2016-6328, CVE-2017-7544, CVE-2018-20030, CVE-2019-9278, CVE-2020-0093, CVE-2020-12767, CVE-2020-13112, CVE-2020-13113, CVE-2020-13114