Bug Id
6652301

Product
Solaris 10 Operating System

Date of Resolved Release
18-Mar-2008

A Security Vulnerability in Solaris 10 libexif (see below for details):

1. Impact

A security vulnerability in the libexif image processing library shipped with Solaris 10 may allow a remote unprivileged user who provides an image with a crafted EXIF tag to execute arbitrary code with the privileges of a local user who opens that image. Furthermore, a remote user may be able to cause a Denial of Service (DoS) to an application that reads a crafted EXIF image using the libexif library.

This issue may occur with applications linked against the libexif  library  including (but not limited to),  the Eye of Gnome (eog(1)) application, which is distributed as part of the Java Desktop System.

Additional references:

• CVE-2007-6352 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6352
  

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 121095-02

x86 Platform

• Solaris 10 without patch 121096-02

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

To avoid the described issue, do not load  images from untrusted sources using applications which make use of the libexif library.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 121095-02 or later

x86 Platform

• Solaris 10 with patch 121096-02 or later

For more information on Security Sun Alerts, see

 

References

121095-02
121096-02

References

SUNPATCH:121095-02
SUNPATCH:121096-02



Attachments

This solution has no attachment