Slackware Linux Project, SSA-2020-140-02
May 19, 2020 - 8:20 p.m.

[slackware-security] libexif

2020-05-19 20:20:39
Slackware Linux Project
www.slackware.com
CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.01 Low
Percentile: 82.9%

New libexif packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:

patches/packages/libexif-0.6.22-i486-1_slack14.2.txz: Upgraded.
This update fixes bugs and security issues:
CVE-2018-20030: Fix for recursion DoS
CVE-2020-13114: Time consumption DoS when parsing canon array markers
CVE-2020-13113: Potential use of uninitialized memory
CVE-2020-13112: Various buffer overread fixes due to integer overflows
in maker notes
CVE-2020-0093: read overflow
CVE-2019-9278: replaced integer overflow checks the compiler could
optimize away by safer constructs
CVE-2020-12767: fixed division by zero
CVE-2016-6328: fixed integer overflow when parsing maker notes
CVE-2017-7544: fixed buffer overread
For more information, see:
https://vulners.com/cve/CVE-2018-20030
https://vulners.com/cve/CVE-2020-13114
https://vulners.com/cve/CVE-2020-13113
https://vulners.com/cve/CVE-2020-13112
https://vulners.com/cve/CVE-2020-0093
https://vulners.com/cve/CVE-2019-9278
https://vulners.com/cve/CVE-2020-12767
https://vulners.com/cve/CVE-2016-6328
https://vulners.com/cve/CVE-2017-7544
(* Security fix *)
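
The CVE-2019-9278 entry above describes a general class of bug: an overflow test written so that the compiler is allowed to remove it. The following is an added illustration of that class and of a safer bounds check; it is not libexif source, and every function name, buffer and value in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; illustrative code, not libexif source. */

/* Fragile: detects overflow only after performing the addition. Signed
 * overflow is undefined behaviour in C, so an optimizing compiler may
 * assume "off + len < off" is never true and delete the first test. */
int in_bounds_fragile(int off, int len, int size)
{
    if (off + len < off)          /* may be optimized away */
        return 0;
    return off + len <= size;
}

/* Safer construct: no expression can overflow. Check the offset against
 * the buffer size, then compare the length with the space that is left. */
int in_bounds(uint32_t off, uint32_t len, uint32_t size)
{
    if (off > size)
        return 0;
    return len <= size - off;
}

/* Copy a field out of an untrusted buffer; reject any offset/length pair
 * that is not entirely inside it. Returns 0 on success, -1 on rejection. */
int read_field(const unsigned char *buf, uint32_t size,
               uint32_t off, uint32_t len,
               unsigned char *out, uint32_t out_cap)
{
    if (!in_bounds(off, len, size) || len > out_cap)
        return -1;
    memcpy(out, buf + off, len);
    return 0;
}

int main(void)
{
    unsigned char buf[64] = {0}, out[16];   /* constructed sample input */
    /* Valid field, then an offset/length pair whose 32-bit sum wraps. */
    printf("valid:   %d\n", read_field(buf, sizeof buf, 8, 16, out, sizeof out));
    printf("wrapped: %d\n", read_field(buf, sizeof buf, 0xFFFFFFF0u, 0x20u, out, sizeof out));
    printf("fragile on benign input: %d\n", in_bounds_fragile(8, 16, 64));
    return 0;
}
```

The fragile variant is only called with values that cannot overflow, because its result on overflowing input is undefined.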

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the “Get Slack” section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libexif-0.6.22-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libexif-0.6.22-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libexif-0.6.22-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libexif-0.6.22-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libexif-0.6.22-i486-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libexif-0.6.22-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libexif-0.6.22-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libexif-0.6.22-x86_64-1.txz

MD5 signatures:

Slackware 14.0 package:
2825fe83815e20b929a0985865fbf127 libexif-0.6.22-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
b14ccbf85d034fd0a92daea836a9557c libexif-0.6.22-x86_64-1_slack14.0.txz

Slackware 14.1 package:
3b2d8dff6959aa467313b9377f3ac073 libexif-0.6.22-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
f32b37e892990abef160b9399ec5e909 libexif-0.6.22-x86_64-1_slack14.1.txz

Slackware 14.2 package:
90e72524f13208223b7183a9b2d68d92 libexif-0.6.22-i486-1_slack14.2.txz

Slackware x86_64 14.2 package:
665307c2d16876490afb23e38aa436aa libexif-0.6.22-x86_64-1_slack14.2.txz

Slackware -current package:
9c6c7ac8ca4e0889d60eab857c2135cf l/libexif-0.6.22-i586-1.txz

Slackware x86_64 -current package:
37623fa8c756f7320c9d566cf3ccc932 l/libexif-0.6.22-x86_64-1.txz

Installation instructions:

Upgrade the package as root:
> upgradepkg libexif-0.6.22-i486-1_slack14.2.txz
