__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

                 libexif Security Update
               [Red Hat RHSA-2007:1165-4]

December 21, 2007 21:00 GMT                                    Number S-097
                                                        [REVISED 14 Feb 2008]
______________________________________________________________________________

PROBLEM:        There is an infinite recursion flaw and an integer overflow
                flaw found in the way libexif parses Exif image tags.

PLATFORM:       RHEL Desktop Workstation (v. 5 client)
                Red Hat Enterprise Linux (v. 5 server)
                Red Hat Enterprise Linux Desktop (v. 5 client)
                Debian GNU/Linux 3.1 (oldstable) and 4.0 (stable)

DAMAGE:         Could cause the application linked against libexif to
                execute arbitrary code or crash.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is LOW. Could cause the application linked against
ASSESSMENT:     libexif to execute arbitrary code or crash.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-097.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-1165.html
 ADDITIONAL LINK:    http://www.debian.org/security/2008/dsa-1487
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-6351
                     CVE-2007-6352
______________________________________________________________________________

REVISION HISTORY:
 02/14/2008 - revised S-097 to add a link to Debian Security Advisory
              DSA-1487-1 for Debian GNU/Linux 3.1 (oldstable) and 4.0
              (stable).

[***** Start Red Hat RHSA-2007:1165-4 *****]

Moderate: libexif security update

Advisory:             RHSA-2007:1165-4
Type:                 Security Advisory
Severity:             Moderate
Issued on:            2007-12-19
Last updated on:      2007-12-19
Affected Products:    RHEL Desktop Workstation (v. 5 client)
                      Red Hat Enterprise Linux (v. 5 server)
                      Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:                 com.redhat.rhsa-20071165.xml
CVEs (cve.mitre.org): CVE-2007-6351
                      CVE-2007-6352

Details

Updated libexif packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

The libexif packages contain the Exif library. Exif is an image file format
specification that enables metadata tags to be added to existing JPEG, TIFF
and RIFF files. The Exif library makes it possible to parse an Exif file and
read this metadata.

An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash. (CVE-2007-6351)

An integer overflow flaw was found in the way libexif parses Exif image tags.
If a victim opens a carefully crafted Exif image file, it could cause the
application linked against libexif to execute arbitrary code, or crash.
(CVE-2007-6352)

Users of libexif are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------

IA-32:
libexif-devel-0.6.13-4.0.2.el5_1.1.i386.rpm      eccd0c4354faa72f1aac98e074c53b4e

x86_64:
libexif-devel-0.6.13-4.0.2.el5_1.1.i386.rpm      eccd0c4354faa72f1aac98e074c53b4e
libexif-devel-0.6.13-4.0.2.el5_1.1.x86_64.rpm    a4cd77aa35f9c6e302399e094ca66fef

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------

SRPMS:
libexif-0.6.13-4.0.2.el5_1.1.src.rpm             405b067a3ff329fd2f73b4edfd767837

IA-32:
libexif-0.6.13-4.0.2.el5_1.1.i386.rpm            5f5e2fdebf5c7aeb88c4d25ce887edf3
libexif-devel-0.6.13-4.0.2.el5_1.1.i386.rpm      eccd0c4354faa72f1aac98e074c53b4e

IA-64:
libexif-0.6.13-4.0.2.el5_1.1.ia64.rpm            d82e96851e21bad167757e92e702904f
libexif-devel-0.6.13-4.0.2.el5_1.1.ia64.rpm      5e4041135eab0541826dd5332c2114a3

PPC:
libexif-0.6.13-4.0.2.el5_1.1.ppc.rpm             1045dc0f0638a436e5fb27d46a7ac953
libexif-0.6.13-4.0.2.el5_1.1.ppc64.rpm           78b8320d53f0e730eb9a7403e132605a
libexif-devel-0.6.13-4.0.2.el5_1.1.ppc.rpm       70db0f13504d616e7cc33f38b4a308ca
libexif-devel-0.6.13-4.0.2.el5_1.1.ppc64.rpm     5aa61322b25614936b3e0af6dbdd0770

s390x:
libexif-0.6.13-4.0.2.el5_1.1.s390.rpm            a4ce630587f200dac5017132df1b32bd
libexif-0.6.13-4.0.2.el5_1.1.s390x.rpm           e4e24274f53f54eafdab963c6827d26e
libexif-devel-0.6.13-4.0.2.el5_1.1.s390.rpm      12a3e54a8e9d55063f504c68b0aee802
libexif-devel-0.6.13-4.0.2.el5_1.1.s390x.rpm     2caf7997904ed6242a03c86522bdabfc

x86_64:
libexif-0.6.13-4.0.2.el5_1.1.i386.rpm            5f5e2fdebf5c7aeb88c4d25ce887edf3
libexif-0.6.13-4.0.2.el5_1.1.x86_64.rpm          91d485dd3c59491db18592d70a25a59a
libexif-devel-0.6.13-4.0.2.el5_1.1.i386.rpm      eccd0c4354faa72f1aac98e074c53b4e
libexif-devel-0.6.13-4.0.2.el5_1.1.x86_64.rpm    a4cd77aa35f9c6e302399e094ca66fef

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------

SRPMS:
libexif-0.6.13-4.0.2.el5_1.1.src.rpm             405b067a3ff329fd2f73b4edfd767837

IA-32:
libexif-0.6.13-4.0.2.el5_1.1.i386.rpm            5f5e2fdebf5c7aeb88c4d25ce887edf3

x86_64:
libexif-0.6.13-4.0.2.el5_1.1.i386.rpm            5f5e2fdebf5c7aeb88c4d25ce887edf3
libexif-0.6.13-4.0.2.el5_1.1.x86_64.rpm          91d485dd3c59491db18592d70a25a59a

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

425551 - CVE-2007-6351 libexif infinite recursion flaw (DoS)
425561 - CVE-2007-6352 libexif integer overflow

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6352
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:1165-4 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-087: centericq Vulnerability
S-088: HP Quick Launch Button (QLB) Running on Windows Vulnerability
S-089: Prolog Manager Vulnerability
S-090: Apple Security Update 2007-009
S-091: MySQL Security Update
S-092: Adobe Flash Player Vulnerability
S-093: ClamAV Vulnerabilities
S-094: IBM Lotus Domino Web Access Vulnerability
S-095: Linux-2.6 Vulnerabilities
S-096: Application Inspection Vulnerability in Cisco Firewall Services Module
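The two flaw classes named in the bulletin above, an integer overflow and an unbounded recursion while walking Exif tags, are the standard failure modes of an IFD (image file directory) parser. The following added example is not libexif code and not Red Hat's backported patch; it is a small toy Exif/TIFF IFD walker written for this bulletin to show the two checks a hardened parser needs: an overflow test on the "bytes per component times component count" multiplication before it is used as a buffer length, and a depth counter on sub-IFD pointers (tag 0x8769, the standard Exif IFD pointer). The format-size table follows TIFF 6.0; MAX_IFD_DEPTH, the error codes, and the three sample byte buffers are constructed for this example. Arithmetic is deliberately done in uint32_t, as a 32-bit build such as the IA-32 packages listed above would.

```c
#include <stdint.h>
#include <string.h>

/* Bytes per component for TIFF/Exif format codes 1..12 (TIFF 6.0); index 0 unused. */
static const uint32_t exif_format_size[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8};

/* Assumed cap on nested sub-IFDs for this example (not a libexif constant). */
#define MAX_IFD_DEPTH 4

enum { EXIF_OK = 0, EXIF_ERR_FORMAT = 1, EXIF_ERR_OVERFLOW = 2,
       EXIF_ERR_BOUNDS = 3, EXIF_ERR_DEPTH = 4 };

/* Little-endian readers; this toy parser handles only "II" byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Payload size of one IFD entry in 32-bit arithmetic. An unchecked
 * "unit * components" can wrap to a small value that passes a later
 * bounds test while the real length is still used for the copy. */
uint32_t exif_entry_payload_size(uint16_t format, uint32_t components, int *err) {
    if (format == 0 || format > 12) { *err = EXIF_ERR_FORMAT; return 0; }
    uint32_t unit = exif_format_size[format];
    if (components > UINT32_MAX / unit) { *err = EXIF_ERR_OVERFLOW; return 0; }
    *err = EXIF_OK;
    return unit * components;
}

/* Walk the IFD at 'off' inside buf[0..len), following Exif sub-IFD pointers
 * (tag 0x8769) with a depth counter so a self-referencing pointer cannot
 * recurse forever. Returns EXIF_OK or an EXIF_ERR_* code. */
int exif_walk_ifd(const uint8_t *buf, uint32_t len, uint32_t off,
                  int depth, int *entries_seen) {
    if (depth > MAX_IFD_DEPTH) return EXIF_ERR_DEPTH;
    if (off > len || len - off < 2) return EXIF_ERR_BOUNDS;
    uint16_t n = rd16(buf + off);
    /* n entries of 12 bytes, plus the 2-byte count and 4-byte next-IFD link */
    if ((uint32_t)n * 12u + 6u > len - off) return EXIF_ERR_BOUNDS;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + off + 2 + (uint32_t)i * 12u;
        uint16_t tag = rd16(e), format = rd16(e + 2);
        uint32_t components = rd32(e + 4), value = rd32(e + 8);
        int err;
        uint32_t size = exif_entry_payload_size(format, components, &err);
        if (err != EXIF_OK) return err;
        /* payloads longer than 4 bytes live at 'value', read as an offset */
        if (size > 4 && (value > len || size > len - value)) return EXIF_ERR_BOUNDS;
        (*entries_seen)++;
        if (tag == 0x8769) {
            int r = exif_walk_ifd(buf, len, value, depth + 1, entries_seen);
            if (r != EXIF_OK) return r;
        }
    }
    return EXIF_OK;
}

/* Parse a TIFF-structured Exif blob: "II", magic 42, offset of IFD0. */
int exif_parse(const uint8_t *buf, uint32_t len, int *entries_seen) {
    *entries_seen = 0;
    if (len < 8 || memcmp(buf, "II\x2a\x00", 4) != 0) return EXIF_ERR_FORMAT;
    return exif_walk_ifd(buf, len, rd32(buf + 4), 0, entries_seen);
}

/* Convenience wrapper returning only the result code. */
int exif_parse_code(const uint8_t *buf, uint32_t len) {
    int seen;
    return exif_parse(buf, len, &seen);
}

/* Constructed sample 1: IFD0 at offset 8 holding one 0x8769 entry whose
 * pointer loops straight back to offset 8 (unbounded recursion case). */
static const uint8_t self_loop_exif[] = {
    'I','I',0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,
    0x69,0x87, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x08,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00
};

/* Constructed sample 2: one DOUBLE (8-byte) entry claiming 0x20000001
 * components. 8 * 0x20000001 wraps to 8 in 32 bits and would pass the
 * bounds test at offset 8; the overflow check rejects it first. */
static const uint8_t wrapped_count_exif[] = {
    'I','I',0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,
    0x00,0x01, 0x0c,0x00, 0x01,0x00,0x00,0x20, 0x08,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00
};

/* Constructed sample 3: a well-formed 4-byte ASCII "Make" tag stored inline. */
static const uint8_t benign_exif[] = {
    'I','I',0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,
    0x0f,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 'A','B','C',0x00,
    0x00,0x00,0x00,0x00
};
```

Running exif_parse_code over the three samples returns EXIF_ERR_DEPTH, EXIF_ERR_OVERFLOW and EXIF_OK respectively. The point of sample 2 is that a plain bounds check is not enough: the wrapped product looks like a valid 8-byte payload, so the multiplication itself has to be validated before any length derived from it is trusted.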