Out-of-bounds Write Affecting libexif package, versions <0.6.21-1ubuntu1+esm1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU1404-LIBEXIF-534492
- published 11 Nov 2019
- disclosed 27 Sep 2019
How to fix?
Upgrade Ubuntu:14.04
libexif
to version 0.6.21-1ubuntu1+esm1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libexif
package and not the libexif
package as distributed by Ubuntu
.
See How to fix?
for Ubuntu:14.04
relevant fixed versions and status.
In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9278
- https://seclists.org/bugtraq/2020/Feb/9
- https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566
- https://github.com/libexif/libexif/issues/26
- https://www.debian.org/security/2020/dsa-4618
- https://security-tracker.debian.org/tracker/CVE-2019-9278
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/
- https://security.gentoo.org/glsa/202007-05
- https://source.android.com/security/bulletin/android-10
- https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html
- http://www.openwall.com/lists/oss-security/2019/11/07/1
- http://www.openwall.com/lists/oss-security/2019/10/25/17
- http://www.openwall.com/lists/oss-security/2019/10/27/1
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html
- https://usn.ubuntu.com/4277-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO2VTHD7OLPJDCJBHKUQTBAHZOBBCF6X/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VA5BPQLOFXIZOOJHBYDU635Z5KLUMTDD/