BID:23927

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

Info

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

Bugtraq ID:	23927
Class:	Boundary Condition Error
CVE:	CVE-2007-2645
Remote:	Yes
Local:	No
Published:	May 11 2007 12:00AM
Updated:	Mar 19 2015 09:23AM
Credit:	Victor Stinner discovered this issue.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux wizpy 0 Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux Appliance Server 2.0 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise Desktop 10 SP1 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Novell Linux Desktop 1.0 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 libexif libexif 0.6.13 libexif libexif 0.6.12 libexif libexif 0.6.11 libexif libexif 0.6.9 + S.u.S.E. Linux Personal 9.3 + S.u.S.E. Linux Personal 9.2 x86_64 + S.u.S.E. Linux Personal 9.2 + S.u.S.E. Linux Personal 9.1 x86_64 + S.u.S.E. Linux Personal 9.1 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 libexif libexif 0.5.12 + Gentoo Linux + Red Hat Enterprise Linux AS 4 + Red Hat Fedora Core3 + Red Hat Fedora Core2 + RedHat Desktop 4.0 + RedHat Enterprise Linux Desktop version 4 + RedHat Enterprise Linux ES 4 + RedHat Enterprise Linux WS 4 libexif libexif 0.5 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha + Debian Linux 3.0 Gentoo Linux Foresight Linux Foresight Linux 1.1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0

Not Vulnerable:	libexif libexif 0.6.14

Discussion

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

The libexif library is prone to an integer-overflow vulnerability because the software fails to properly ensure that integer math operations do not result in overflows.

Successful exploits of this vulnerability allow remote attackers to execute arbitrary machine code in the context of an application using the vulnerable library. Failed attempts will likely result in denial-of-service conditions.

Versions of libexif prior to 0.6.14 are vulnerable to this issue.

Exploit / POC

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

The following proof-of-concept JPG file demonstrates this issue by crashing the library:

/data/vulnerabilities/exploits/crash_libexif.jpg

Solution / Fix

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

Solution:
The vendor has released version 0.6.14 to address this issue. Please see the references for more information.

libexif libexif 0.5

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

libexif libexif 0.5.12

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

libexif libexif 0.6.11

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

libexif libexif 0.6.12

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

libexif libexif 0.6.13

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

libexif libexif 0.6.9

libexif libexif-0.6.14.tar.bz2
http://downloads.sourceforge.net/libexif/libexif-0.6.14.tar.bz2?modtim e=1178817867&big_mirror=0

References

LibEXIF Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability

References:

[ 1716196 ] Serious security bug in exif_data_load_data_entry() (Libexif)
libexif Homepage (libexif)
Release Name: 0.6.14 (Libexif)