[Security Announce] [ MDKSA-2007:128 ] - Updated libexif packages fix integer overflow flaw
Posted on: 06/20/2007 02:05 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:128
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libexif
Date : June 19, 2007
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Another integer overflow was found in the way libexif parses EXIF
image tags. An individual who opened a carefully-crafted EXIF image
file could cause the application linked against libexif to crash or
possibly execute arbitrary code.

Updated packages have been patched to prevent this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4168
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
aea52b8b415d79199555b138040dc117 2007.0/i586/libexif12-0.6.13-2.2mdv2007.0.i586.rpm
235324d550727d73e80953bf0b70b7fe 2007.0/i586/libexif12-devel-0.6.13-2.2mdv2007.0.i586.rpm
77a2d90649912764b5f23b94fbc09bf9 2007.0/SRPMS/libexif-0.6.13-2.2mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
c6bf402af2d36bc636a4b53682b4279d 2007.0/x86_64/lib64exif12-0.6.13-2.2mdv2007.0.x86_64.rpm
7c16cb8228769253a61fb223e6ac5015 2007.0/x86_64/lib64exif12-devel-0.6.13-2.2mdv2007.0.x86_64.rpm
77a2d90649912764b5f23b94fbc09bf9 2007.0/SRPMS/libexif-0.6.13-2.2mdv2007.0.src.rpm

Mandriva Linux 2007.1:
76ac34860308ac16c0ddc0457684ac39 2007.1/i586/libexif12-0.6.13-4.2mdv2007.1.i586.rpm
4610d01483922b4b8e18a586405257f7 2007.1/i586/libexif12-devel-0.6.13-4.2mdv2007.1.i586.rpm
de1465368f5eca18797b77287bd0e425 2007.1/SRPMS/libexif-0.6.13-4.2mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
1a92e5266b5a92e39f4b9343fc16554a 2007.1/x86_64/lib64exif12-0.6.13-4.2mdv2007.1.x86_64.rpm
d2d151b5163ae6ffe99ccba69d3afcce 2007.1/x86_64/lib64exif12-devel-0.6.13-4.2mdv2007.1.x86_64.rpm
de1465368f5eca18797b77287bd0e425 2007.1/SRPMS/libexif-0.6.13-4.2mdv2007.1.src.rpm

Corporate 3.0:
d35e56a5dbee270b4dac92cd0e23bf10 corporate/3.0/i586/libexif9-0.5.12-3.3.C30mdk.i586.rpm
0b519895a69a6c03134a02c1ec8f1fbd corporate/3.0/i586/libexif9-devel-0.5.12-3.3.C30mdk.i586.rpm
7739d6573e2bf53148532394a6467af7 corporate/3.0/SRPMS/libexif-0.5.12-3.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
9edbd655e6fd38a12f6e7722dbb5d50f corporate/3.0/x86_64/lib64exif9-0.5.12-3.3.C30mdk.x86_64.rpm
d2a879e2b1a030012eb6e49764b8869d corporate/3.0/x86_64/lib64exif9-devel-0.5.12-3.3.C30mdk.x86_64.rpm
d35e56a5dbee270b4dac92cd0e23bf10 corporate/3.0/x86_64/libexif9-0.5.12-3.3.C30mdk.i586.rpm
7739d6573e2bf53148532394a6467af7 corporate/3.0/SRPMS/libexif-0.5.12-3.3.C30mdk.src.rpm

Corporate 4.0:
1aa75c3c68ba6a52c513a3c96238d12e corporate/4.0/i586/libexif12-0.6.12-2.2.20060mlcs4.i586.rpm
cde17b0c57044d132016a3be579bbbae corporate/4.0/i586/libexif12-devel-0.6.12-2.2.20060mlcs4.i586.rpm
1a09002fd17721aca1c29fc4e971c38b corporate/4.0/SRPMS/libexif-0.6.12-2.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
41c47eed02c3780cd5394a93f9d793f6 corporate/4.0/x86_64/lib64exif12-0.6.12-2.2.20060mlcs4.x86_64.rpm
78b6c776e2b71d96d6125c32838a6584 corporate/4.0/x86_64/lib64exif12-devel-0.6.12-2.2.20060mlcs4.x86_64.rpm
1aa75c3c68ba6a52c513a3c96238d12e corporate/4.0/x86_64/libexif12-0.6.12-2.2.20060mlcs4.i586.rpm
cde17b0c57044d132016a3be579bbbae corporate/4.0/x86_64/libexif12-devel-0.6.12-2.2.20060mlcs4.i586.rpm
1a09002fd17721aca1c29fc4e971c38b corporate/4.0/SRPMS/libexif-0.6.12-2.2.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGeEekmqjQ0CJFipgRAmhJAJ9zUqX5PY2gtCcWewFIPsTk4LT7uQCggWmo
70HSRJ9MNadqZ46Ui1UAuk0=
=Fwpz
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007128__updated_libexif_packages_fix_integer_overflow_flaw.html)