Launchpad has imported 14 comments from the remote bug at
https://bugzilla.novell.com/show_bug.cgi?id=771229.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-07-12T17:24:48+00:00 Meissner-i wrote:

via cvs commits

* Fixed bug that caused read past the end of a buffer (CVE-2012-2845)

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/0

------------------------------------------------------------------------
On 2012-07-12T17:25:27+00:00 Meissner-i wrote:

Created an attachment (id=498451)
CVE-2012-2845.patch

as applied by Dan

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/1

------------------------------------------------------------------------
On 2012-07-12T17:26:46+00:00 Meissner-i wrote:

Created an attachment (id=498453)
CVE-2012-2814.patch

CVE-2012-2814

Fixed some buffer overflows in exif_entry_format_value()

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/2

------------------------------------------------------------------------
On 2012-07-12T17:28:00+00:00 Meissner-i wrote:

Created an attachment (id=498454)
CVE-2012-2840.patch

CVE-2012-2840

Fixed an off-by-one error in exif_convert_utf16_to_utf8()
This can cause a one-byte NUL write past the end of the buffer.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/3

------------------------------------------------------------------------
On 2012-07-12T17:28:37+00:00 Meissner-i wrote:

Created an attachment (id=498455)
CVE-2012-2813.patch

CVE-2012-2813

Don't read past the end of a tag when converting from UTF-16

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/4

------------------------------------------------------------------------
On 2012-07-12T17:29:16+00:00 Meissner-i wrote:

Created an attachment (id=498456)
CVE-2012-2812.patch

CVE-2012-2812

Fixed an out of bounds read on corrupted input.
The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
NUL-terminated.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/5

------------------------------------------------------------------------
On 2012-07-12T17:30:23+00:00 Meissner-i wrote:

Created an attachment (id=498457)
CVE-2012-2841.patch

CVE-2012-2841

Fixed a buffer overflow problem in exif_entry_get_value
If the application passed in a buffer length of 0, then it would
be treated as the buffer had unlimited length.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/6

------------------------------------------------------------------------
On 2012-07-12T17:31:11+00:00 Meissner-i wrote:

Created an attachment (id=498458)
CVE-2012-2836.patch

CVE-2012-2836

Fix a buffer overflow on corrupt EXIF data.
This fixes bug #3434540 and fixes part of CVE-2012-2836

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/7

------------------------------------------------------------------------
On 2012-07-12T17:31:55+00:00 Meissner-i wrote:

Created an attachment (id=498459)
CVE-2012-2836-2.patch

CVE-2012-2836

Fix a buffer overflow on corrupted JPEG data
An unsigned data length might wrap around when decremented
below zero, bypassing sanity checks on length.
This code path can probably only occur if exif_data_load_data()
is called directly by the application on data that wasn't parsed
by libexif itself.
This solves the other part of CVE-2012-2836

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/8

------------------------------------------------------------------------
On 2012-07-12T17:32:29+00:00 Meissner-i wrote:

Created an attachment (id=498460)
CVE-2012-2837.patch

CVE-2012-2837

Fixed some possible division-by-zeros in Olympus-style makernotes
This fixes bug #3434545, a.k.a. CVE-2012-2837

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/9

------------------------------------------------------------------------
On 2012-07-12T17:33:40+00:00 Meissner-i wrote:

CVE-2012-2845 is actually for "exif", the commandline tool. Not the
library libexif.

The others are for the library.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/10

------------------------------------------------------------------------
On 2012-07-12T17:48:10+00:00 Meissner-i wrote:

libexif/ChangeLog:

2012-07-12  Dan Fandrich <[email protected]>

       * Fixed some buffer overflows in exif_entry_format_value()
         This fixes CVE-2012-2814.  Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an off-by-one error in exif_convert_utf16_to_utf8()
         This can cause a one-byte NUL write past the end of the buffer.
         This fixes CVE-2012-2840
       * Don't read past the end of a tag when converting from UTF-16
         This fixes CVE-2012-2813. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed an out of bounds read on corrupted input
         The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
         NUL-terminated.
         This fixes CVE-2012-2812. Reported by Mateusz Jurczyk of
         Google Security Team
       * Fixed a buffer overflow problem in exif_entry_get_value
         If the application passed in a buffer length of 0, then it would
         be treated as the buffer had unlimited length.
         This fixes CVE-2012-2841
       * Fix a buffer overflow on corrupt EXIF data.
         This fixes bug #3434540 and fixes part of CVE-2012-2836
         Reported by Yunho Kim
       * Fix a buffer overflow on corrupted JPEG data
         An unsigned data length might wrap around when decremented
         below zero, bypassing sanity checks on length.
         This code path can probably only occur if exif_data_load_data()
         is called directly by the application on data that wasn't parsed
         by libexif itself.
         This solves the other part of CVE-2012-2836
       * Fixed some possible division-by-zeros in Olympus-style makernotes
         This fixes bug #3434545, a.k.a. CVE-2012-2837
         Reported by Yunho Kim

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/11
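
Two of the ChangeLog entries above describe an unsigned length going wrong: a data length that wraps around when decremented below zero, and a buffer length of 0 being treated as unlimited. The following is an added illustration of that class of bug and its check-before-subtract fix. It is not libexif's code and not taken from the patches; HDR_LEN and all function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN 6u /* hypothetical fixed header skipped before the payload */

/* Flawed pattern: subtract first, sanity-check afterwards. For len < HDR_LEN
 * the unsigned result wraps to a huge value, so a later "is it big enough"
 * check passes. Only the arithmetic is shown; no memory is touched. */
unsigned int remaining_unchecked(unsigned int len)
{
    return len - HDR_LEN;
}

/* Hardened: compare before subtracting, so the result can never wrap. */
int remaining_checked(unsigned int len, unsigned int *out)
{
    if (len < HDR_LEN)
        return -1;
    *out = len - HDR_LEN;
    return 0;
}

/* Hardened output side: maxlen == 0 means "no room at all". Without the
 * explicit test, maxlen - 1 (space reserved for the NUL) would wrap to
 * UINT_MAX and the caller's buffer would look unlimited. */
int copy_value(char *dst, unsigned int maxlen, const char *src, size_t src_len)
{
    size_t room;

    if (dst == NULL || maxlen == 0)
        return -1;
    room = (size_t)(maxlen - 1);
    if (src_len > room)
        src_len = room;          /* truncate instead of overflowing */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return (int)src_len;
}

int main(void)
{
    unsigned int r = 0;
    char buf[4];

    /* Constructed inputs: a 2-byte input and a 0-byte output buffer. */
    return (remaining_checked(2, &r) == -1 &&
            copy_value(buf, 0, "abc", 3) == -1) ? 0 : 1;
}
```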

------------------------------------------------------------------------
On 2012-07-12T22:00:15+00:00 Swamp-a wrote:

bugbot adjusting priority

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/12

------------------------------------------------------------------------
On 2012-07-13T14:12:34+00:00 Swamp-a wrote:

The SWAMPID for this issue is 48261.
This issue was rated as important.
Please submit fixed packages until 2012-07-20.
When done, please reassign the bug to [email protected].
Patchinfo will be handled by security team.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/comments/14


** Changed in: libexif (openSUSE)
       Status: Unknown => Confirmed

** Changed in: libexif (openSUSE)
   Importance: Unknown => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1024213

Title:
  libexif 0.6.21 and exif 0.6.21 were released to fix various overflows
  and related issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libexif/+bug/1024213/+subscriptions
