[Security Announce] [ MDKSA-2007:118 ] - Updated libexif packages fix crash and possible arbitrary code execution issue
Posted on: 06/08/2007 10:35 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:118
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libexif
Date : June 8, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Integer overflow in the exif_data_load_data_entry function in
exif-data.c in libexif before 0.6.14 allows user-assisted remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via crafted EXIF data.

Updated packages have been patched to prevent this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
8de9838c6688aa2502eb58fda312003a 2007.0/i586/libexif12-0.6.13-2.1mdv2007.0.i586.rpm
580e145204195974bc7c952172c446b3 2007.0/i586/libexif12-devel-0.6.13-2.1mdv2007.0.i586.rpm
d844f09d409daecc2389db2676e50873 2007.0/SRPMS/libexif-0.6.13-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
3a12325160f97f932e9219204cbc7530 2007.0/x86_64/lib64exif12-0.6.13-2.1mdv2007.0.x86_64.rpm
923cd72076fad582cf2c4797205f40e9 2007.0/x86_64/lib64exif12-devel-0.6.13-2.1mdv2007.0.x86_64.rpm
d844f09d409daecc2389db2676e50873 2007.0/SRPMS/libexif-0.6.13-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.1:
72c028dc116ab801193597474a97b5dd 2007.1/i586/libexif12-0.6.13-4.1mdv2007.1.i586.rpm
1603116edb2e3c2ff7dab21e55918c37 2007.1/i586/libexif12-devel-0.6.13-4.1mdv2007.1.i586.rpm
af9f57cbcb05284a5b3b9f40cb9ebfb0 2007.1/SRPMS/libexif-0.6.13-4.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
cd26e48c6bb15bad651254f893e73e1f 2007.1/x86_64/lib64exif12-0.6.13-4.1mdv2007.1.x86_64.rpm
e7b605766d1c4a345d6691a725defc87 2007.1/x86_64/lib64exif12-devel-0.6.13-4.1mdv2007.1.x86_64.rpm
af9f57cbcb05284a5b3b9f40cb9ebfb0 2007.1/SRPMS/libexif-0.6.13-4.1mdv2007.1.src.rpm

Corporate 3.0:
7006c28a35c773a399990c5920093996 corporate/3.0/i586/libexif9-0.5.12-3.2.C30mdk.i586.rpm
513cc72e7240fec7f445aec15411ecf6 corporate/3.0/i586/libexif9-devel-0.5.12-3.2.C30mdk.i586.rpm
aa33d9f4305d33eedb1dcb03e0160340 corporate/3.0/SRPMS/libexif-0.5.12-3.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
2ed9200d78941a8e8028d0863edf21ef corporate/3.0/x86_64/lib64exif9-0.5.12-3.2.C30mdk.x86_64.rpm
d6782377ec44ed36da7b79e314889298 corporate/3.0/x86_64/lib64exif9-devel-0.5.12-3.2.C30mdk.x86_64.rpm
aa33d9f4305d33eedb1dcb03e0160340 corporate/3.0/SRPMS/libexif-0.5.12-3.2.C30mdk.src.rpm

Corporate 4.0:
59c79de51e734476082d2e8441b37379 corporate/4.0/i586/libexif12-0.6.12-2.1.20060mlcs4.i586.rpm
bdd1f9b7048916221b20ef6beca09046 corporate/4.0/i586/libexif12-devel-0.6.12-2.1.20060mlcs4.i586.rpm
fb63127c388f24483317139078f311f4 corporate/4.0/SRPMS/libexif-0.6.12-2.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
b7e02d89a1ecd4b70e581f86d347b0f5 corporate/4.0/x86_64/lib64exif12-0.6.12-2.1.20060mlcs4.x86_64.rpm
caa2c7e5c2ac078626ae89b1fab07406 corporate/4.0/x86_64/lib64exif12-devel-0.6.12-2.1.20060mlcs4.x86_64.rpm
fb63127c388f24483317139078f311f4 corporate/4.0/SRPMS/libexif-0.6.12-2.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGaZ0KmqjQ0CJFipgRAqEJAKDDwR4i+fRIXeY+YZdsKh3uJkYiwACcDsaB
Kd06KyCkkSIKZ+qWDpxO3CQ=
=5OTS
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007118__updated_libexif_packages_fix_crash_and_possible_arbitrary_code_execution_issue.html)