PublicDateAtUSN: 2019-09-27 19:15:00 UTC
Candidate: CVE-2019-9278
PublicDate: 2019-09-27 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
 https://www.openwall.com/lists/oss-security/2019/11/07/1
 https://ubuntu.com/security/notices/USN-4277-1
Description:
 In libexif, there is a possible out of bounds write due to an integer
 overflow. This could lead to remote escalation of privilege in the media
 content provider with no additional execution privileges needed. User
 interaction is needed for exploitation. Product: AndroidVersions:
 Android-10Android ID: A-112537774
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://github.com/libexif/libexif/issues/26
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_libexif:
 vendor: https://android.googlesource.com/platform/external/libexif/+/a5e8e5812a11ec9686294de8a5d68aaf2ab72475
 upstream: https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566
upstream_libexif: needs-triage
precise/esm_libexif: released (0.6.20-2ubuntu0.2)
trusty_libexif: ignored (out of standard support)
trusty/esm_libexif: released (0.6.21-1ubuntu1+esm1)
xenial_libexif: released (0.6.21-2ubuntu0.1)
esm-infra/xenial_libexif: released (0.6.21-2ubuntu0.1)
bionic_libexif: released (0.6.21-4ubuntu0.1)
disco_libexif: ignored (reached end-of-life)
eoan_libexif: released (0.6.21-5.1ubuntu0.1)
devel_libexif: not-affected (0.6.21-6)