Security update for libexif SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0264-1 Final 1 1 2020-03-01T13:14:15Z current 2020-03-01T13:14:15Z 2020-03-01T13:14:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libexif This update for libexif fixes the following issues: - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-264 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N3W2XLWGGOGKFWMYDWO7BNL4BPWKDWQB/ E-Mail link for openSUSE-SU-2020:0264-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1120943 SUSE Bug 1120943 https://bugzilla.suse.com/1160770 SUSE Bug 1160770 https://www.suse.com/security/cve/CVE-2018-20030/ SUSE CVE CVE-2018-20030 page https://www.suse.com/security/cve/CVE-2019-9278/ SUSE CVE CVE-2019-9278 page openSUSE Leap 15.1 libexif-devel-0.6.21-lp151.4.3.1 libexif-devel-32bit-0.6.21-lp151.4.3.1 libexif12-0.6.21-lp151.4.3.1 libexif12-32bit-0.6.21-lp151.4.3.1 libexif-devel-0.6.21-lp151.4.3.1 as a component of openSUSE Leap 15.1 libexif-devel-32bit-0.6.21-lp151.4.3.1 as a component of openSUSE Leap 15.1 libexif12-0.6.21-lp151.4.3.1 as a component of openSUSE Leap 15.1 libexif12-32bit-0.6.21-lp151.4.3.1 as a component of openSUSE Leap 15.1 An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources. CVE-2018-20030 openSUSE Leap 15.1:libexif-devel-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif-devel-32bit-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif12-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif12-32bit-0.6.21-lp151.4.3.1 low 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N3W2XLWGGOGKFWMYDWO7BNL4BPWKDWQB/ https://www.suse.com/security/cve/CVE-2018-20030.html CVE-2018-20030 https://bugzilla.suse.com/1120943 SUSE Bug 1120943 In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774 CVE-2019-9278 openSUSE Leap 15.1:libexif-devel-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif-devel-32bit-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif12-0.6.21-lp151.4.3.1 openSUSE Leap 15.1:libexif12-32bit-0.6.21-lp151.4.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/N3W2XLWGGOGKFWMYDWO7BNL4BPWKDWQB/ https://www.suse.com/security/cve/CVE-2019-9278.html CVE-2019-9278 https://bugzilla.suse.com/1160770 SUSE Bug 1160770