CVE-2019-9278 — libexif - security update

Description

In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774

How to fix CVE-2019-9278

To remediate CVE-2019-9278, upgrade the affected package to a fixed version below.

—upgrade to 0.6.22-r0 or later
—upgrade to 0.6.21-6 or later
—upgrade to 0.6.21-2+deb8u1 or later
—upgrade to 0.6.21-2+deb9u1 or later

Is CVE-2019-9278 being exploited?

Low — EPSS is 3.7%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 0.6.22-r0
from 0, < 0.6.21-6
from 0, < 0.6.21-2+deb8u1
from 0, < 0.6.21-2+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-9278
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-9278