Security Announcement Details

NS-SA-2021-0179

2021-09-24 11:25:36

Introduction

important: libexif/xstream security update

Severity Level

important

Theme

An update for libexif/xstream is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

libexif: API Documentation for programmers wishing to use libexif in their programs.
xstream: XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem.


Security Fix(es):
libexif: A flaw was found in libexif. A possible out-of-bounds write, due to an integer overflow, could lead to remote code execution if a third-party application used this library to process remote image data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-0452)
libexif: bugfix
xstream: A flaw was found in xstream. Unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks, including remote execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-26217)
xstream: bugfix
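The xstream fix above concerns deserialization that trusts XStream's default deny list. As an added example (not code from this advisory or from the XStream project), the following shows the allowlist configuration using XStream 1.4.x's security API, with the application type `Greeting` and both XML inputs constructed for illustration; whether the patched 1.3.1 package listed here exposes the same API is an assumption not stated in the advisory.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public final class XStreamAllowlistDemo {
    // Hypothetical application message type: the only class expected on the wire.
    public static final class Greeting {
        String text;
    }

    // Weak: relies on XStream's built-in deny list to stop dangerous types.
    static XStream permissiveXStream() {
        XStream xs = new XStream();
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    // Hardened: deny everything first, then allow only what the application needs.
    static XStream allowlistedXStream() {
        XStream xs = new XStream();
        xs.alias("greeting", Greeting.class);
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Greeting.class });
        return xs;
    }

    public static void main(String[] args) {
        // Constructed inputs: one the application expects, one naming an unrelated type.
        String expected = "<greeting><text>hello</text></greeting>";
        String unexpected = "<java.util.HashMap/>";

        XStream hardened = allowlistedXStream();
        Greeting g = (Greeting) hardened.fromXML(expected);
        System.out.println("allowlisted type parsed: " + g.text);

        try {
            hardened.fromXML(unexpected);
            System.out.println("unexpected type accepted (allowlist misconfigured)");
        } catch (ForbiddenClassException e) {
            // Any type not explicitly allowed is rejected before instantiation.
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

With `permissiveXStream()` the second input is only stopped if the type happens to be on the deny list, which is the gap the advisory describes.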


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F12B2.

Impact Components

  • libexif
  • xstream

Impact Product

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Update Package

CGSL MAIN 5.05
  • libexif-0.6.22-2.el7_9.src.rpm
    • libexif-doc-0.6.22-2.el7_9.x86_64.rpm
    • libexif-0.6.22-2.el7_9.x86_64.rpm
    • libexif-devel-0.6.22-2.el7_9.x86_64.rpm
    • libexif-debuginfo-0.6.22-2.el7_9.x86_64.rpm
  • xstream-1.3.1-12.el7_9.src.rpm
    • xstream-javadoc-1.3.1-12.el7_9.noarch.rpm
    • xstream-1.3.1-12.el7_9.noarch.rpm
CGSL CORE 5.05
  • libexif-0.6.22-2.el7_9.src.rpm
    • libexif-doc-0.6.22-2.el7_9.x86_64.rpm
    • libexif-0.6.22-2.el7_9.x86_64.rpm
    • libexif-devel-0.6.22-2.el7_9.x86_64.rpm
    • libexif-debuginfo-0.6.22-2.el7_9.x86_64.rpm
  • xstream-1.3.1-12.el7_9.src.rpm
    • xstream-javadoc-1.3.1-12.el7_9.noarch.rpm
    • xstream-1.3.1-12.el7_9.noarch.rpm

© 2004-2023 Guangdong ZTE NewStart Technology Co., Ltd Copyright 粤ICP备15061780号-2