exif: Denial of Service — GLSA 202210-28

A vulnerability has been discovered in exif which could result in denial of service.

Affected packages

Package: media-gfx/exif on all architectures
  Affected versions: < 0.6.22
  Unaffected versions: >= 0.6.22

Background

libexif is a library for parsing, editing and saving Exif metadata from images. exif is a small command line interface for libexif.

Description

There is a bug in exif's XML output format which can result in a null pointer dereference when outputting crafted JPEG EXIF data.

Impact

A crafted JPEG image can trigger a denial of service in the form of a null pointer dereference.

Workaround

There is no known workaround at this time.

Resolution

All exif users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/exif-0.6.22"
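A local check for the affected range above, added here as an example and not part of the GLSA: it takes the fixed version 0.6.22 from the advisory and assumes the Portage VDB layout /var/db/pkg/media-gfx/exif-<version> to read the installed version.

```shell
#!/bin/sh
# Added check, not part of the GLSA: report whether the installed
# media-gfx/exif falls in the affected range (< 0.6.22) stated above.
FIXED_VERSION="0.6.22"

# version_lt A B: succeeds when dotted version A is older than B.
# Compares numerically component by component, so 0.6.9 < 0.6.22.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# exif_version_is_affected V: succeeds when Gentoo version V (a -rN
# revision or _pN suffix is ignored) is below the fixed version.
exif_version_is_affected() {
    version_lt "${1%%[-_]*}" "$FIXED_VERSION"
}

# installed_exif_version: print the version recorded in the Portage
# VDB (assumed layout /var/db/pkg/media-gfx/exif-<version>), or fail.
installed_exif_version() {
    for dir in /var/db/pkg/media-gfx/exif-*; do
        [ -d "$dir" ] || return 1
        basename "$dir" | sed 's/^exif-//'
        return 0
    done
}

# check_host: exit status 0 = not installed or fixed, 2 = affected.
check_host() {
    ver="$(installed_exif_version)" || { echo "media-gfx/exif is not installed"; return 0; }
    if exif_version_is_affected "$ver"; then
        echo "exif-$ver is affected by GLSA 202210-28; upgrade to >=media-gfx/exif-$FIXED_VERSION"
        return 2
    fi
    echo "exif-$ver is not affected"
}

check_host
```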
Release date
October 31, 2022

Latest revision
October 31, 2022 (revision 1)

Severity
low

Exploitable
remote