Note: This is an archival copy of Security Sun Alert 234701 as previously published on
Latest version of this security advisory is available from as Sun Alert 1019093.1.
Article ID : 1019093.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Solaris 10 libexif May Allow Code Execution or a Denial of Service (DoS) Condition


Release Phase

Bug Id

Solaris 10 Operating System

Date of Resolved Release

A Security Vulnerability in Solaris 10 libexif (see below for details):

1. Impact

A security vulnerability in the libexif image processing library shipped with Solaris 10 may allow a remote unprivileged user who provides an image with a crafted EXIF tag to execute arbitrary code with the privileges of a local user who opens that image. Furthermore, a remote user may be able to cause a Denial of Service (DoS) to an application that reads a crafted EXIF image using the libexif library.

This issue may occur with applications linked against the libexif  library  including (but not limited to),  the Eye of Gnome (eog(1)) application, which is distributed as part of the Java Desktop System.

Additional references:

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 10 without patch 121095-02
x86 Platform
  • Solaris 10 without patch 121096-02
Note: Solaris 8 and Solaris 9 are not impacted by this issue.

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

To avoid the described issue, do not load  images from untrusted sources using applications which make use of the libexif library.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 121095-02 or later
x86 Platform
  • Solaris 10 with patch 121096-02 or later
For more information on Security Sun Alerts, see






This solution has no attachment