SB2018100815 - Out-of-bounds read in libexif (Alpine package)
Published: October 8, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2017-7544)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to improper length computation of the allocated data of an ExifMnote entry within the exif_data_save_data_entry() function in libexif/exif-data.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.
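The length mismatch described above, shown as an added example (not libexif's code and not part of the bulletin). It assumes the copy length is computed as per-component size times component count while the buffer holds only `size` bytes; `entry_t`, `unchecked_len` and `save_entry_checked` are hypothetical names, and the sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for an EXIF entry (not libexif's struct). */
typedef struct {
    unsigned format_size;     /* bytes per component, taken from the file */
    unsigned long components; /* number of components */
    unsigned char *data;      /* payload buffer */
    size_t size;              /* bytes actually allocated at data */
} entry_t;

/* Length an unchecked writer would copy: it trusts format and count only. */
size_t unchecked_len(const entry_t *e)
{
    return (size_t)e->format_size * e->components;
}

/* Checked writer: returns bytes copied, or -1 if the entry is inconsistent. */
long save_entry_checked(const entry_t *e, unsigned char *out, size_t out_cap)
{
    if (e->format_size == 0 || e->components > SIZE_MAX / e->format_size)
        return -1;                      /* bad format or multiplication overflow */
    size_t s = (size_t)e->format_size * e->components;
    if (s > e->size || s > out_cap)
        return -1;                      /* would read past data or write past out */
    if (s == 0)
        return 0;
    if (e->data == NULL)
        return -1;
    memcpy(out, e->data, s);
    return (long)s;
}

int main(void)
{
    unsigned char note[16] = {0};       /* constructed 16-byte maker note payload */
    unsigned char out[64];
    entry_t ok  = { 1, 16, note, sizeof note };  /* 1-byte format: 16 bytes */
    entry_t bad = { 4, 16, note, sizeof note };  /* 4-byte format: claims 64 bytes */

    printf("ok:  unchecked=%zu checked=%ld\n", unchecked_len(&ok),
           save_entry_checked(&ok, out, sizeof out));
    printf("bad: unchecked=%zu checked=%ld\n", unchecked_len(&bad),
           save_entry_checked(&bad, out, sizeof out));
    return 0;
}
```

For the second entry the unchecked length is 64 bytes against a 16-byte allocation, which is the condition the checked writer rejects.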
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=726529dabef044127d02831c4b26fa6c6fc9d5f5
- https://git.alpinelinux.org/aports/commit/?id=7d1a8137daa5c1f5312ad957dc1857027b8999df
- https://git.alpinelinux.org/aports/commit/?id=9959b863135bbaa1251dbddfa038c9256e155702
- https://git.alpinelinux.org/aports/commit/?id=9c864a085a20499496aab142a86894a1cf077c2b
- https://git.alpinelinux.org/aports/commit/?id=b460ad4de2df16efc538a9a15faa2212581e22de
- https://git.alpinelinux.org/aports/commit/?id=25e29eca7dbe7c1ae3fdc95c0bb3557a44716631
- https://git.alpinelinux.org/aports/commit/?id=4eb3b8d8844dfbdd468f65f499d7634db7936bef
- https://git.alpinelinux.org/aports/commit/?id=a8e558ca77e892a8c3b1b691d6c3c4bd531b98be
- https://git.alpinelinux.org/aports/commit/?id=40b6f3c41a4ccacd5dcf94d4d4e9f3e93409c73c
- https://git.alpinelinux.org/aports/commit/?id=9d34941961856b21028cb4a838a1218a8edf332b
- https://git.alpinelinux.org/aports/commit/?id=a2814fe38aa7c4c7fe2370f2057f9b1f0246424d
- https://git.alpinelinux.org/aports/commit/?id=a9d9f445b7e40ed463fcdb320cd88cde20b3c714
- https://git.alpinelinux.org/aports/commit/?id=cbc4ecf8e7c6c9368d52cb2080d2fed92b853ea3