Vulnerabilities > CVE-2007-6355 - Numeric Errors vulnerability in Aertherwide Exiftags

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
aertherwide
CWE-189
critical
nessus

Summary

Integer overflow in exiftags before 1.01 has unknown impact and attack vectors, resulting from a "field offset overflow" that triggers an "illegal memory access," a different vulnerability than CVE-2007-6354.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1533.NASL
    descriptionChristian Schmid and Meder Kydyraliev (Google Security) discovered a number of vulnerabilities in exiftags, a utility for extracting EXIF metadata from JPEG images. The Common Vulnerabilities and Exposures project identified the following three problems : - CVE-2007-6354 Inadequate EXIF property validation could lead to invalid memory accesses if executed on a maliciously crafted image, potentially including heap corruption and the execution of arbitrary code. - CVE-2007-6355 Flawed data validation could lead to integer overflows, causing other invalid memory accesses, also with the potential for memory corruption or arbitrary code execution. - CVE-2007-6356 Cyclical EXIF image file directory (IFD) references could cause a denial of service (infinite loop).
    last seen2020-06-01
    modified2020-06-02
    plugin id31710
    published2008-03-31
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31710
    titleDebian DSA-1533-2 : exiftags - insufficient input sanitizing
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1533. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31710);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2007-6354", "CVE-2007-6355", "CVE-2007-6356");
      script_xref(name:"DSA", value:"1533");
    
      script_name(english:"Debian DSA-1533-2 : exiftags - insufficient input sanitizing");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Christian Schmid and Meder Kydyraliev (Google Security) discovered a
    number of vulnerabilities in exiftags, a utility for extracting EXIF
    metadata from JPEG images. The Common Vulnerabilities and Exposures
    project identified the following three problems :
    
      - CVE-2007-6354
        Inadequate EXIF property validation could lead to
        invalid memory accesses if executed on a maliciously
        crafted image, potentially including heap corruption and
        the execution of arbitrary code.
    
      - CVE-2007-6355
        Flawed data validation could lead to integer overflows,
        causing other invalid memory accesses, also with the
        potential for memory corruption or arbitrary code
        execution.
    
      - CVE-2007-6356
        Cyclical EXIF image file directory (IFD) references
        could cause a denial of service (infinite loop)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457062"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6354"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6355"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6356"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1533"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the oldstable distribution (sarge), these problems have been fixed
    in version 0.98-1.1+0sarge1.
    
    For the stable distribution (etch), these problems have been fixed in
    version 0.98-1.1+etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exiftags");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"exiftags", reference:"0.98-1.1+0sarge1")) flag++;
    if (deb_check(release:"4.0", prefix:"exiftags", reference:"0.98-1.1+etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200712-17.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200712-17 (exiftags: Multiple vulnerabilities) Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). Impact : An attacker could entice the user of an application making use of exiftags or an application included in exiftags to load an image file with specially crafted Exif tags, possibly resulting in the execution of arbitrary code with the privileges of the user running the application or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id29814
    published2007-12-31
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29814
    titleGLSA-200712-17 : exiftags: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200712-17.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29814);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-6354", "CVE-2007-6355", "CVE-2007-6356");
      script_xref(name:"GLSA", value:"200712-17");
    
      script_name(english:"GLSA-200712-17 : exiftags: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200712-17
    (exiftags: Multiple vulnerabilities)
    
        Meder Kydyraliev (Google Security) discovered that Exif metadata is not
        properly sanitized before being processed, resulting in illegal memory
        access in the postprop() and other functions (CVE-2007-6354). He also
        discovered integer overflow vulnerabilities in the parsetag() and other
        functions (CVE-2007-6355) and an infinite recursion in the readifds()
        function caused by recursive IFD references (CVE-2007-6356).
      
    Impact :
    
        An attacker could entice the user of an application making use of
        exiftags or an application included in exiftags to load an image file
        with specially crafted Exif tags, possibly resulting in the execution
        of arbitrary code with the privileges of the user running the
        application or a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200712-17"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All exiftags users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-gfx/exiftags-1.01'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:exiftags");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/12/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-gfx/exiftags", unaffected:make_list("ge 1.01"), vulnerable:make_list("lt 1.01"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exiftags");
    }