[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200712-17.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200712-17.xml
Date:	Sat, 29 Dec 2007 13:52:16
Message-Id:	`E1J8c6j-0001wQ-GD@stork.gentoo.org`

1

py          07/12/29 13:52:09

2

3

  Added:                glsa-200712-17.xml

4

  Log:

5

  GLSA 200712-17

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200712-17.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-17.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-17.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200712-17.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200712-17">

21

  <title>exiftags: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Multiple vulnerabilities in exiftags possibly allow for the execution of

24

    arbitrary code or a Denial of Service.

25

  </synopsis>

26

  <product type="ebuild">exiftags</product>

27

  <announced>December 29, 2007</announced>

28

  <revised>December 29, 2007: 01</revised>

29

  <bug>202354</bug>

30

  <access>remote</access>

31

  <affected>

32

    <package name="media-gfx/exiftags" auto="yes" arch="*">

33

      <unaffected range="ge">1.01</unaffected>

34

      <vulnerable range="lt">1.01</vulnerable>

35

    </package>

36

  </affected>

37

  <background>

38

<p>

39

    exiftags is a library and set of tools for parsing, editing and saving

40

    Exif metadata from images. Exif, the Exchangeable image file format,

41

    specifies the addition of metadata tags to JPEG, TIFF and RIFF files.

42

    </p>

43

  </background>

44

  <description>

45

<p>

46

    Meder Kydyraliev (Google Security) discovered that Exif metadata is not

47

    properly sanitized before being processed, resulting in illegal memory

48

    access in the postprop() and other functions (CVE-2007-6354). He also

49

    discovered integer overflow vulnerabilities in the parsetag() and other

50

    functions (CVE-2007-6355) and an infinite recursion in the readifds()

51

    function caused by recursive IFD references (CVE-2007-6356).

52

    </p>

53

  </description>

54

  <impact type="normal">

55

<p>

56

    An attacker could entice the user of an application making use of

57

    exiftags or an application included in exiftags to load an image file

58

    with specially crafted Exif tags, possibly resulting in the execution

59

    of arbitrary code with the privileges of the user running the

60

    application or a Denial of Service.

61

    </p>

62

  </impact>

63

  <workaround>

64

<p>

65

    There is no known workaround at this time.

66

    </p>

67

  </workaround>

68

  <resolution>

69

<p>

70

    All exiftags users should upgrade to the latest version:

71

    </p>

72

    <code>

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose &quot;&gt;=media-gfx/exiftags-1.01&quot;</code>

75

  </resolution>

76

  <references>

77

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6354">CVE-2007-6354</uri>

78

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6355">CVE-2007-6355</uri>

79

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6356">CVE-2007-6356</uri>

80

  </references>

81

  <metadata tag="requester" timestamp="Tue, 18 Dec 2007 01:37:57 +0000">

82

rbu

83

  </metadata>

84

  <metadata tag="submitter" timestamp="Sun, 23 Dec 2007 19:27:52 +0000">

85

rbu

86

  </metadata>

87

  <metadata tag="bugReady" timestamp="Sun, 23 Dec 2007 19:28:18 +0000">

88

rbu

89

  </metadata>

90

</glsa>

--

95

gentoo-commits@g.o mailing list

1	py 07/12/29 13:52:09
2
3	Added: glsa-200712-17.xml
4	Log:
5	GLSA 200712-17
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200712-17.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-17.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200712-17.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200712-17.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200712-17">
21	<title>exiftags: Multiple vulnerabilities</title>
22	<synopsis>
23	Multiple vulnerabilities in exiftags possibly allow for the execution of
24	arbitrary code or a Denial of Service.
25	</synopsis>
26	<product type="ebuild">exiftags</product>
27	<announced>December 29, 2007</announced>
28	<revised>December 29, 2007: 01</revised>
29	<bug>202354</bug>
30	<access>remote</access>
31	<affected>
32	<package name="media-gfx/exiftags" auto="yes" arch="*">
33	<unaffected range="ge">1.01</unaffected>
34	<vulnerable range="lt">1.01</vulnerable>
35	</package>
36	</affected>
37	<background>
38	<p>
39	exiftags is a library and set of tools for parsing, editing and saving
40	Exif metadata from images. Exif, the Exchangeable image file format,
41	specifies the addition of metadata tags to JPEG, TIFF and RIFF files.
42	</p>
43	</background>
44	<description>
45	<p>
46	Meder Kydyraliev (Google Security) discovered that Exif metadata is not
47	properly sanitized before being processed, resulting in illegal memory
48	access in the postprop() and other functions (CVE-2007-6354). He also
49	discovered integer overflow vulnerabilities in the parsetag() and other
50	functions (CVE-2007-6355) and an infinite recursion in the readifds()
51	function caused by recursive IFD references (CVE-2007-6356).
52	</p>
53	</description>
54	<impact type="normal">
55	<p>
56	An attacker could entice the user of an application making use of
57	exiftags or an application included in exiftags to load an image file
58	with specially crafted Exif tags, possibly resulting in the execution
59	of arbitrary code with the privileges of the user running the
60	application or a Denial of Service.
61	</p>
62	</impact>
63	<workaround>
64	<p>
65	There is no known workaround at this time.
66	</p>
67	</workaround>
68	<resolution>
69	<p>
70	All exiftags users should upgrade to the latest version:
71	</p>
72	<code>
73	# emerge --sync
74	# emerge --ask --oneshot --verbose ">=media-gfx/exiftags-1.01"</code>
75	</resolution>
76	<references>
77	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6354">CVE-2007-6354</uri>
78	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6355">CVE-2007-6355</uri>
79	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6356">CVE-2007-6356</uri>
80	</references>
81	<metadata tag="requester" timestamp="Tue, 18 Dec 2007 01:37:57 +0000">
82	rbu
83	</metadata>
84	<metadata tag="submitter" timestamp="Sun, 23 Dec 2007 19:27:52 +0000">
85	rbu
86	</metadata>
87	<metadata tag="bugReady" timestamp="Sun, 23 Dec 2007 19:28:18 +0000">
88	rbu
89	</metadata>
90	</glsa>
91
92
93
94	--
95	gentoo-commits@g.o mailing list

Gentoo Archives: gentoo-commits