Rapid7 Vulnerability & Exploit Database

RHSA-2012:1255: libexif security update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 07/13/2012
Created: 07/25/2018
Added: 09/17/2012
Modified: 07/04/2017

Description

The libexif packages provide an Exchangeable image file format (Exif) library. Exif allows metadata to be added to and read from certain types of image files.

Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841)

Red Hat would like to thank Dan Fandrich for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2012-2812, CVE-2012-2813, and CVE-2012-2814; and Yunho Kim as the original reporter of CVE-2012-2836 and CVE-2012-2837.

Users of libexif are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libexif must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-libexif
  • redhat-upgrade-libexif-debuginfo
  • redhat-upgrade-libexif-devel
