Vulnerability Description
In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112537774.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Android | 10.0 |
| Opensuse | Leap | 15.1 |
| Fedoraproject | Fedora | 31 |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 12.04 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/10/25/17 (Mailing List)
- http://www.openwall.com/lists/oss-security/2019/10/27/1 (Mailing List)
- http://www.openwall.com/lists/oss-security/2019/11/07/1 (Mailing List)
- https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d05 (Patch, Third Party Advisory)
- https://github.com/libexif/libexif/issues/26 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/02/msg00007.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://seclists.org/bugtraq/2020/Feb/9 (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202007-05 (Third Party Advisory)
- https://source.android.com/security/bulletin/android-10 (Vendor Advisory)
- https://usn.ubuntu.com/4277-1/ (Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4618 (Third Party Advisory)
FAQ
What is CVE-2019-9278?
CVE-2019-9278 is a vulnerability with a CVSS score of 8.8 (HIGH). In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges ...
How severe is CVE-2019-9278?
CVE-2019-9278 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9278?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android, Opensuse Leap, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux.