CVE-2017-7544

Ubuntu Security Notice USN-4277-1

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c caused by improper length computation of the allocated data of an ExifMnote entry which can cause denial-of-service or possibly information disclosure.

libexif hasta la versión 0.6.21 es vulnerable a una lectura de la memoria dinámica (heap) fuera de límites en la función exif_data_save_data_entry en libexif/exif-data.c. Esto se debe al cálculo incorrecto de la longitud de los datos asignados de una entrada ExifMnote que podrían provocar una denegación de servicio o, posiblemente, una divulgación de información.

Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. Lili Xu and Bingchang Liu discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-05 CVE Reserved
2017-09-21 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-04-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/05/msg00016.html	Mailing List

URL	Date	SRC
https://sourceforge.net/p/libexif/bugs/130	2024-08-05

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html	2020-06-11
https://usn.ubuntu.com/4277-1	2020-06-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libexif Project Search vendor "Libexif Project"		Libexif Search vendor "Libexif Project" for product "Libexif"				<= 0.6.21 Search vendor "Libexif Project" for product "Libexif" and version " <= 0.6.21"		-		Affected