tags 457330 + patch
thanks

Hi Frederic,
just in case you have no time and to provide the patches I attached a patch for an NMU to fix this.
It will also be archived on: http://people.debian.org/~nion/nmu-diff/libexif-0.6.16-2_0.6.16-2.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u libexif-0.6.16/debian/patches/00list libexif-0.6.16/debian/patches/00list --- libexif-0.6.16/debian/patches/00list +++ libexif-0.6.16/debian/patches/00list @@ -3,0 +4,2 @@ +CVE-2007-6351 +CVE-2007-6352 diff -u libexif-0.6.16/debian/changelog libexif-0.6.16/debian/changelog --- libexif-0.6.16/debian/changelog +++ libexif-0.6.16/debian/changelog @@ -1,3 +1,16 @@ +libexif (0.6.16-2.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * This update addresses the following security issues: + - possible denial of service attack via crafted + image file leading to an infinite recursion in the + exif-loader.c (CVE-2007-6351; Closes: #457330). + - integer overflow in exif-data.c triggered by a crafted + image file could lead to arbitrary code execution + (CVE-2007-6352; Closes: #457330). + + -- Nico Golde <[EMAIL PROTECTED]> Fri, 21 Dec 2007 17:13:58 +0100 + libexif (0.6.16-2) unstable; urgency=low * debian/libexif12.docs: added README file (closes: #434773) only in patch2: unchanged: --- libexif-0.6.16.orig/debian/patches/CVE-2007-6352.dpatch +++ libexif-0.6.16/debian/patches/CVE-2007-6352.dpatch 
@@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2007-6352.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad libexif-0.6.16~/libexif/exif-data.c libexif-0.6.16/libexif/exif-data.c +--- libexif-0.6.16~/libexif/exif-data.c 2007-06-12 15:01:54.000000000 +0200 ++++ libexif-0.6.16/libexif/exif-data.c 2007-12-21 17:13:15.000000000 +0100 +@@ -288,10 +288,9 @@ + exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, + unsigned int ds, ExifLong offset, ExifLong size) + { +- if (ds < offset + size) { ++ if (ds < offset + size || (offset < 0) || (size < 0) || (offset + size < offset)) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +- "Bogus thumbnail offset and size: %i < %i + %i.", +- (int) ds, (int) offset, (int) size); ++ "Bogus thumbnail offset and size"); + return; + } + if (data->data) only in patch2: unchanged: --- libexif-0.6.16.orig/debian/patches/CVE-2007-6351.dpatch +++ libexif-0.6.16/debian/patches/CVE-2007-6351.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2007-6351.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad libexif-0.6.16~/libexif/exif-loader.c libexif-0.6.16/libexif/exif-loader.c +--- libexif-0.6.16~/libexif/exif-loader.c 2006-10-03 21:41:36.000000000 +0200 ++++ libexif-0.6.16/libexif/exif-loader.c 2007-12-21 17:12:36.000000000 +0100 +@@ -176,6 +176,9 @@ + break; + } + ++ if(!len) ++ return 1; ++ + exif_log (eld->log, EXIF_LOG_CODE_DEBUG, "ExifLoader", + "Scanning %i byte(s) of data...", len); +
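Review bot: in the new condition in exif_data_load_data_thumbnail (CVE-2007-6352.dpatch), `(offset < 0)` and `(size < 0)` can never be true when `offset` and `size` are `ExifLong`, which libexif defines as an unsigned 32-bit type, so those two terms only earn "comparison always false" compiler warnings; the `(offset + size < offset)` term is what actually catches the unsigned wraparound that `ds < offset + size` alone misses. Consider reducing the check to `if (ds < offset + size || offset + size < offset) {` and keeping the operands in the log message, since "Bogus thumbnail offset and size" without the `ds`, `offset` and `size` values is far less useful when debugging a rejected file than the message it replaces. The dpatch header also still reads `## DP: No description.`; a DP line naming CVE-2007-6352 and #457330 would document what the patch is for.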
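Review bot: the added `if(!len) return 1;` in exif-loader.c (CVE-2007-6351.dpatch) carries no comment explaining why a zero-length buffer must stop processing at this point (this is the infinite-recursion fix the changelog describes) or why 1 is the right value to hand back to the caller, so the intent is easy to lose in a later refactor; a one-line comment above the check would fix that, and `if (!len)` would match the spacing of the surrounding code. As with the other patch, the header still says `## DP: No description.`, so the patch file itself does not say which CVE or bug it addresses.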