libexif lets in malicious code
Security service provider iDefense has reported a security vulnerability in the libexif open-source library which could allow attackers to inject and execute arbitrary code using manipulated images. libexif is used in numerous graphics programs, in desktops including KDE and Gnome, and in some web photo-gallery software.
Digital cameras often store preview images and information about shutter speeds and other camera settings in the Exif headers of photos. When processing images with too many entries in the Exif header, an integer overflow can occur in the exif_data_load_data_entry() function of libexif, resulting in a buffer overflow.
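The size-computation pattern behind this bug class, as an added illustration that is not libexif's own code (the function names, the reduced format table and the constructed IFD entry are assumptions): an attacker-controlled component count multiplied by the per-component size wraps in 32-bit arithmetic, so a later allocation is far smaller than the data copied into it; the hardened version refuses the wrap and bounds the size against the remaining buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes per component for common Exif/TIFF data formats
 * (constructed subset for this example; a full parser covers all formats). */
static uint32_t format_size(uint16_t format) {
    switch (format) {
    case 1: case 2: case 7: return 1;  /* BYTE, ASCII, UNDEFINED */
    case 3:          return 2;         /* SHORT */
    case 4: case 9:  return 4;         /* LONG, SLONG */
    case 5: case 10: return 8;         /* RATIONAL, SRATIONAL */
    default:         return 0;         /* unknown format */
    }
}

/* Naive pattern: count (read from the file) times format size in 32-bit
 * arithmetic. A large count wraps the product to a small value. */
uint32_t entry_size_unchecked(uint16_t format, uint32_t components) {
    return format_size(format) * components;       /* may wrap mod 2^32 */
}

/* Hardened: reject unknown formats, refuse products that would wrap, and
 * refuse sizes larger than the bytes left in the buffer.
 * Returns 1 and stores the size in *out, or 0 on any failure. */
int entry_size_checked(uint16_t format, uint32_t components,
                       size_t remaining, uint32_t *out) {
    uint32_t fs = format_size(format);
    if (fs == 0) return 0;
    if (components > UINT32_MAX / fs) return 0;    /* multiplication would wrap */
    uint32_t size = fs * components;
    if (size > remaining) return 0;                /* would read past the buffer */
    *out = size;
    return 1;
}

/* Decode format and count from one 12-byte little-endian IFD entry
 * (tag:2, format:2, count:4, value/offset:4) and validate its size. */
int ifd_entry_size(const uint8_t e[12], size_t remaining, uint32_t *out) {
    uint16_t format = (uint16_t)(e[2] | (e[3] << 8));
    uint32_t count  = (uint32_t)e[4] | ((uint32_t)e[5] << 8) |
                      ((uint32_t)e[6] << 16) | ((uint32_t)e[7] << 24);
    return entry_size_checked(format, count, remaining, out);
}

int main(void) {
    /* Constructed entry: RATIONAL (format 5), count 0x20000001: 8 * count wraps to 8 */
    const uint8_t bad[12] = {0x1a, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x20, 0, 0, 0, 0};
    uint32_t size = 0;
    printf("unchecked size: %u\n", entry_size_unchecked(5, 0x20000001u));
    printf("checked accepts: %d\n", ifd_entry_size(bad, 4096, &size));
    return 0;
}
```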
According to iDefense, the error affects libexif 0.6.13 to 0.6.15. The library developers have provided version 0.6.16 for download, which no longer contains the error. Numerous Linux distributors are also distributing updated packages, which users should install promptly.
- Multiple Vendor libexif Integer Overflow Heap Corruption Vulnerability, security report from iDefense
- Download of the libexif-0.6.16 source package