Vulnerabilities > CVE-2020-0093 - Out-of-bounds Read vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2020-140-02.NASL description New libexif packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-05-31 modified 2020-05-20 plugin id 136729 published 2020-05-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136729 title Slackware 14.0 / 14.1 / 14.2 / current : libexif (SSA:2020-140-02) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2020-140-02. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(136729); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26"); script_cve_id("CVE-2016-6328", "CVE-2017-7544", "CVE-2018-20030", "CVE-2019-9278", "CVE-2020-0093", "CVE-2020-12767", "CVE-2020-13112", "CVE-2020-13113", "CVE-2020-13114"); script_xref(name:"SSA", value:"2020-140-02"); script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : libexif (SSA:2020-140-02)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New libexif packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2020&m=slackware-security.499815 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?142d0c0f" ); script_set_attribute( attribute:"solution", value:"Update the affected libexif package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9278"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:libexif"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/21"); script_set_attribute(attribute:"patch_publication_date", value:"2020/05/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/20"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"14.0", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.2", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"i486", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"current", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"libexif", pkgver:"0.6.22", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-793.NASL description This update for libexif to 0.6.22 fixes the following issues : Security issues fixed : - CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857). - CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847). - CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475). - CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121). - CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105). - CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116). Non-security issues fixed : - libexif was updated to version 0.6.22 : - New translations: ms - Updated translations for most languages - Some useful EXIF 2.3 tag added : - EXIF_TAG_GAMMA - EXIF_TAG_COMPOSITE_IMAGE - EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE - EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE - EXIF_TAG_GPS_H_POSITIONING_ERROR - EXIF_TAG_CAMERA_OWNER_NAME - EXIF_TAG_BODY_SERIAL_NUMBER - EXIF_TAG_LENS_SPECIFICATION - EXIF_TAG_LENS_MAKE - EXIF_TAG_LENS_MODEL - EXIF_TAG_LENS_SERIAL_NUMBER This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-13 modified 2020-06-12 plugin id 137392 published 2020-06-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137392 title openSUSE Security Update : libexif (openSUSE-2020-793) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2020-793. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(137392); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18"); script_cve_id("CVE-2016-6328", "CVE-2017-7544", "CVE-2018-20030", "CVE-2019-9278", "CVE-2020-0093", "CVE-2020-12767", "CVE-2020-13112", "CVE-2020-13113", "CVE-2020-13114"); script_name(english:"openSUSE Security Update : libexif (openSUSE-2020-793)"); script_summary(english:"Check for the openSUSE-2020-793 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for libexif to 0.6.22 fixes the following issues : Security issues fixed : - CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857). - CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847). - CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475). - CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121). - CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105). - CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116). Non-security issues fixed : - libexif was updated to version 0.6.22 : - New translations: ms - Updated translations for most languages - Some useful EXIF 2.3 tag added : - EXIF_TAG_GAMMA - EXIF_TAG_COMPOSITE_IMAGE - EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE - EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE - EXIF_TAG_GPS_H_POSITIONING_ERROR - EXIF_TAG_CAMERA_OWNER_NAME - EXIF_TAG_BODY_SERIAL_NUMBER - EXIF_TAG_LENS_SPECIFICATION - EXIF_TAG_LENS_MAKE - EXIF_TAG_LENS_MODEL - EXIF_TAG_LENS_SERIAL_NUMBER This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1055857" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1059893" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120943" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1160770" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1171475" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1171847" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1172105" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1172116" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1172121" ); script_set_attribute( attribute:"solution", value:"Update the affected libexif packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9278"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif-devel-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif12"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif12-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif12-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libexif12-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/21"); script_set_attribute(attribute:"patch_publication_date", value:"2020/06/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.1", reference:"libexif-debugsource-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexif-devel-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexif12-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"libexif12-debuginfo-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libexif-devel-32bit-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libexif12-32bit-0.6.22-lp151.4.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", cpu:"x86_64", reference:"libexif12-32bit-debuginfo-0.6.22-lp151.4.6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libexif-debugsource / libexif-devel / libexif12 / etc"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2222.NASL description Various minor vulnerabilities have been addredd in libexif, a library to parse EXIF metadata files. CVE-2018-20030 This issue had already been addressed via DLA-2214-1. However, upstream provided an updated patch, so this has been followed up on. CVE-2020-13112 Several buffer over-reads in EXIF MakerNote handling could have lead to information disclosure and crashes. This issue is different from already resolved CVE-2020-0093. CVE-2020-13113 Use of uninitialized memory in EXIF Makernote handling could have lead to crashes and potential use-after-free conditions. CVE-2020-13114 An unrestricted size in handling Canon EXIF MakerNote data could have lead to consumption of large amounts of compute time for decoding EXIF data. For Debian 8 last seen 2020-06-06 modified 2020-05-29 plugin id 136952 published 2020-05-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136952 title Debian DLA-2222-1 : libexif security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2222-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(136952); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18"); script_cve_id("CVE-2018-20030", "CVE-2020-13112", "CVE-2020-13113", "CVE-2020-13114"); script_name(english:"Debian DLA-2222-1 : libexif security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Various minor vulnerabilities have been addredd in libexif, a library to parse EXIF metadata files. CVE-2018-20030 This issue had already been addressed via DLA-2214-1. However, upstream provided an updated patch, so this has been followed up on. CVE-2020-13112 Several buffer over-reads in EXIF MakerNote handling could have lead to information disclosure and crashes. This issue is different from already resolved CVE-2020-0093. CVE-2020-13113 Use of uninitialized memory in EXIF Makernote handling could have lead to crashes and potential use-after-free conditions. CVE-2020-13114 An unrestricted size in handling Canon EXIF MakerNote data could have lead to consumption of large amounts of compute time for decoding EXIF data. For Debian 8 'Jessie', these problems have been fixed in version 0.6.21-2+deb8u3. We recommend that you upgrade your libexif packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/libexif" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected libexif-dev, and libexif12 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-13113"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexif-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libexif12"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20"); script_set_attribute(attribute:"patch_publication_date", value:"2020/05/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libexif-dev", reference:"0.6.21-2+deb8u3")) flag++; if (deb_check(release:"8.0", prefix:"libexif12", reference:"0.6.21-2+deb8u3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2214.NASL description Various vulnerabilities have been addressed in libexif, a library to parse EXIF metadata files. CVE-2016-6328 An integer overflow when parsing the MNOTE entry data of the input file had been found. This could have caused denial of service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications last seen 2020-05-22 modified 2020-05-18 plugin id 136674 published 2020-05-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136674 title Debian DLA-2214-1 : libexif security update