{"id":"CVE-2020-13112","details":"An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.","aliases":["A-194342672","ASB-A-194342672"],"modified":"2026-04-16T00:05:03.678668867Z","published":"2020-05-21T16:15:10.867Z","related":["SUSE-SU-2020:1534-1","SUSE-SU-2020:1553-1","SUSE-SU-2020:1553-2","openSUSE-SU-2020:0793-1","openSUSE-SU-2024:10939-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"12.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*"},{"extracted_events":[{"last_affected":"14.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"},{"extracted_events":[{"last_affected":"16.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"},{"extracted_events":[{"last_affected":"18.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"19.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"20.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-05"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4396-1/"},{"type":"FIX","url":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libexif/libexif","events":[{"introduced":"0"},{"fixed":"3cc7842ca200a4da4bd65850e3c20d5a1811afa7"},{"fixed":"435e21f05001fb03f9f186fa7cbc69454afd00d1"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.6.22"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:libexif_project:libexif:*:*:*:*:*:*:*:*"}}],"versions":["cvs-migration","libexif-0_5_7-rc2","libexif-0_5_7-rc3","libexif-0_5_7-rc4","libexif-0_5_7-release","libexif-0_5_9-release","libexif-0_6_12-release","libexif-0_6_14-release","libexif-0_6_15-release","libexif-0_6_16-release","libexif-0_6_17-release","libexif-0_6_18-release","libexif-0_6_19-release","libexif-0_6_20-release","libexif-0_6_21-release","libexif-before-0_6_0-api-change"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13112.json","vanir_signatures":[{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-1f0b6412","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"libexif/pentax/exif-mnote-data-pentax.c"},"digest":{"line_hashes":["67992316777328202553980430044272331270","232550279310151884703013089340447102658","262436377453016637111844930069636124266","330076833017829254660096767153562663059","228662460307024714608934979598524022781","233676342583969049750620450728947013967","160686445356664800807236764665764019330","154921360113025583163959014935285786330","229994903253438464991697503678377727877","275315361253278129193099917602521068866","304848201401731473370420849461607645697","69681233052220359974246983910946828230","329721097948751380813217950720224206016","249747458773296643272793894562528613180","16243798146026572846220843309356160713","164072094161247012763677138634413304489","105483538392136473165128370458666347432","206969502877073191430784891318810175061","28868556028154082651229560412125977965"],"threshold":0.9}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-2c45cb53","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"libexif/canon/exif-mnote-data-canon.c"},"digest":{"line_hashes":["183661055639346139562865211106879471593","102180397425500091626994875092804653997","306305871760784389225367867808059433294","303255437467966467341393093297170437848","100948656951186216070801422017812816676","73432668262711205432098364026531541312","267961534160633078526824789703397165948","154921360113025583163959014935285786330","103248917384609285893761502457655296973","22227807076449600468076546494790266074","193000294359280234636191826172030860032","88845552691393415932615695681994998508","184149275761824461580457056613687778179","40444631565845192778785848625597607555","157113014476111942554117727043326998952","176117644035555751522229401211926605647","263132597833869344788571920226587275969","42658674550384883182946853197281633468","33198140988457916349558889987929538988","112671455866612657294225999046785040953","75308504808077224835780035377193872907","148817980664338714766037931751369169901"],"threshold":0.9}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-30a2e5cc","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"libexif/fuji/exif-mnote-data-fuji.c"},"digest":{"line_hashes":["91768807785251968606655776771787404175","34128777807662979432063334523332355086","122684923369204591401773385474411219437","306501088345474863721586112929833381110","138851954609533570359062211287425004272","1936258232986127287851615607716904335","53254384811274092521536811663461829923","305083593056247587556077756653645362624","19208761416751210466370906286318838835","251599490399381872736538431677863863879","247226864292509684740302401359787767559","287947585148421249845200903856289510669","104253677331884237553937680473303634630","131253004424668098972405393941221762040","332928245879175964489794819146672288298","154921360113025583163959014935285786330","229994903253438464991697503678377727877","106720485668533517217715668095921258485","131450083276499232150020930332149982750","163570383433052667235952779228527056161","44006543196768161952519086084373760910","15994231627680740085484671932692890255","197911634203420330037577726332330554142","194890962513460607422706959778358943056","313155748930828196394430449175341864996","23478694786261685262689945243584631558","1618213517171275702668445605136425663"],"threshold":0.9}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-5ead74b6","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"exif_mnote_data_olympus_load","file":"libexif/olympus/exif-mnote-data-olympus.c"},"digest":{"function_hash":"55949762195733080323341990356846721351","length":6011}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-81b80aa7","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"exif_mnote_data_canon_load","file":"libexif/canon/exif-mnote-data-canon.c"},"digest":{"function_hash":"72818263087279984346187142549446253523","length":2396}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-95964281","target":{"file":"libexif/olympus/exif-mnote-data-olympus.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"line_hashes":["258535496758549796525577034021958697522","59736004700112239815348148878440973207","156015236527021583219511368386532566842","208925529009590714242737344820623926710","48666843725151391636436753403927499968","240018877582134170072901602787940449497","213651751248844444609361278218619392192","161449136370583283527198612585547913368","290559282883468675134013108171214909360","147474528890062733927576834142739063216","264739365555415385503399378779555237016","271376794645886992757590256004031107931","54938726496285719623762975160898876854","17970311093682324014554973538210305570","98402954308037296842595951412212103213","338367017957438403399591092303558428499","21616384379039474647905404541779968469","240983110241008204587683960473455952697","300382965223174925975307352434426334743","188422837286098323284111960324460508945","144254756210762447390137419065902126524","43833660071409727621081211170277356266","129968889050604978613839631187151974605","116747509092517018688199909938715976133","288949564732672714059697529825343483626","314788910212899863640686260426888679038","157532589449493052524821219631199914886","45393122599490990728121242797044305316","39540614766808889591457708870210383263","21089699327839949456483140375456845158","301458848095656617000108631530238790419","323453559867362649834545384425527187279","75772798565266786018311198559361232120","186253402370051844648021984182755247832","177768108317455400588934416141028632759"],"threshold":0.9}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-dd6811d3","target":{"function":"exif_mnote_data_pentax_load","file":"libexif/pentax/exif-mnote-data-pentax.c"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"312918665237201480084073533825807408190","length":3268}},{"source":"https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1","id":"CVE-2020-13112-f053eccf","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"function":"exif_mnote_data_fuji_load","file":"libexif/fuji/exif-mnote-data-fuji.c"},"digest":{"function_hash":"312289911135611097116278230982177365056","length":2612}}],"vanir_signatures_modified":"2026-04-11T22:57:56Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}