Debian 10261 Published by

A libexif security update has been released for Debian GNU/Linux 8 LTS to address two security issues.



DLA 2249-1: libexif security update



Package : libexif
Version : 0.6.21-2+deb8u4
CVE ID : CVE-2020-0182 CVE-2020-0198
Debian Bug : 962345

The following CVE(s) were reported against src:libexif.

CVE-2020-0182

In exif_entry_get_value of exif-entry.c, there is a possible
out of bounds read due to a missing bounds check. This could
lead to local information disclosure with no additional execution
privileges needed. User interaction is not needed for
exploitation.

CVE-2020-0198

In exif_data_load_data_content of exif-data.c, there is a
possible UBSAN abort due to an integer overflow. This could lead
to remote denial of service with no additional execution
privileges needed. User interaction is needed for exploitation.

For Debian 8 "Jessie", these problems have been fixed in version
0.6.21-2+deb8u4.

We recommend that you upgrade your libexif packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS