Note: This is an archival copy of Security Sun Alert 234701 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019093.1.
Solaris 10 Operating System
Date of Resolved Release
A Security Vulnerability in Solaris 10 libexif (see below for details):
1. ImpactA security vulnerability in the libexif image processing library shipped with Solaris 10 may allow a remote unprivileged user who provides an image with a crafted EXIF tag to execute arbitrary code with the privileges of a local user who opens that image. Furthermore, a remote user may be able to cause a Denial of Service (DoS) to an application that reads a crafted EXIF image using the libexif library.
This issue may occur with applications linked against the libexif library including (but not limited to), the Eye of Gnome (eog(1)) application, which is distributed as part of the Java Desktop System.
2. Contributing FactorsThis issue can occur in the following releases:
3. SymptomsThere are no predictable symptoms that would indicate the described issue has been exploited.
4. WorkaroundTo avoid the described issue, do not load images from untrusted sources using applications which make use of the libexif library.
5. ResolutionThis issue is addressed in the following releases:
This solution has no attachment