#130 libexif-0.6.21 Heap Buffer Overflow due to a programming mistake
Overview
One heap-based out-of-bounds read vulnerabiltiy exists in libexif-0.6.21. When saving the data of an entry tagged with “EXIF_TAG_MAKER_NOTE” to a buffer and copying the data of the exif entry, there is a mismatch between the computed read size of the entry data and the size of the allocated entry data. The vulnerability can cause Denial-of-Service, even Information Disclosure (disclosing some critical heap chunk metadata, even other applications’ private data).
Analysis and PoC
The detailed analysis report and PoC files can be found in the attachment. In order to avoid disclosing it before release of patch, I have encrypted the zip file (libexif-report-and-pocs-64bit.zip). Developers can communicate with me to get the password.
Author
name: Lili Xu @ VARAS of IIE
email: xulili912@gmail.com
org: IIE (http://iie.ac.cn)
Note
I have also reported this to RedHat Security Team.
will be taking this (even if the bvugtracker does not let me assign myself :)
not sure if it's the same bug, but looks like the same based on the description. Check the bug report #129.
I applied this fix to CVS.
RedHat Security Team has assigned a CVE number to this issue. The CVE number is CVE-2017-7544.
This is fixed in 0.6.22