cve-2009-3895 cve-2012-2836 libexif

December 30, 2025 December 27, 2025
$ apt-cache rdepends libexif12
libexif12
Reverse Depends:
  libexif-dev
  feh
  shotwell
  libcupsfilters2t64
  xzgv
  wmaker
  wallch
  timg
  sxiv
  swayimg
  ruby-exif
  ristretto
  qtox
  qiv
  plasma-wallpaper-dynamic
  nsxiv
  nemo
  minidlna
  mediascanner2.0
  lximage-qt
  lomiri-thumbnailer-service
  liquidsoap
  libwxsvg3t64
  libvips42t64
  libthunarx-3-0
  libmlt7
  libmediascan0t64
  libgdiplus
  libfm4t64
  libfm-qt14
  libexif-gtk5
  libexif-gtk3-5
  libcamlimages-ocaml
  gtkam-gimp
  gtkam
  gphoto2
  gmerlin-plugins-base
  gerbera
  frogr
  foxtrotgps
  fim
  feh
  fbi
  exiftran
  exif
  eom
  eog-plugin-map
  eog-plugin-exif-display
  enlightenment
  deepin-image-viewer
  caja
  cairo-dock-slider-plug-in
  tracker-extract
  shotwell
  libgphoto2-6t64
  eog
  libcupsfilters2t64

https://packages.aosc.io/revdep/libexif

https://github.com/libexif/libexif

https://github.com/libexif/exif

sudo apt update
sudo apt install autopoint libtool gettext libpopt-dev
wget https://github.com/libexif/libexif/archive/refs/tags/libexif-0_6_14-release.tar.gz
tar -xzvf libexif-0_6_14-release.tar.gz
cd libexif-libexif-0_6_14-release/
./autogen.sh
CC=afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/cve/CVE-2009-3895-CVE-2012-2836/install/"
make
make install
cd ..
wget https://github.com/libexif/exif/archive/refs/tags/exif-0_6_15-release.tar.gz
tar -xzvf exif-0_6_15-release.tar.gz
cd exif-exif-0_6_15-release/
./autogen.sh
CC=afl-clang-lto ./configure --enable-shared=no --prefix="$HOME/cve/CVE-2009-3895-CVE-2012-2836/install/" PKG_CONFIG_PATH="$HOME/cve/CVE-2009-3895-CVE-2012-2836/install/lib/pkgconfig"
make
make install
$ cd ..
$ ./install/bin/exif
Usage: exif [OPTION...] file
  -v, --version                   Display software version
  -i, --ids                       Show IDs instead of tag names
  -t, --tag=tag                   Select tag
      --ifd=IFD                   Select IFD
  -l, --list-tags                 List all EXIF tags
  -|, --show-mnote                Show contents of tag MakerNote
      --remove                    Remove tag or ifd
  -s, --show-description          Show description of tag
  -e, --extract-thumbnail         Extract thumbnail
  -r, --remove-thumbnail          Remove thumbnail
  -n, --insert-thumbnail=FILE     Insert FILE as thumbnail
  -o, --output=FILE               Write data to FILE
      --set-value=STRING          Value
  -m, --machine-readable          Output in a machine-readable (tab delimited) format
  -x, --xml-output                Output in a XML format
  -d, --debug                     Show debugging messages

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage message
wget https://github.com/ianare/exif-samples/archive/refs/heads/master.zip
sudo apt install unzip
unzip master.zip
$ ./install/bin/exif ./exif-samples-master/jpg/Panasonic_DMC-FZ30.jpg
EXIF tags in './exif-samples-master/jpg/Panasonic_DMC-FZ30.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Manufacturer        |Panasonic
Model               |DMC-FZ30
Orientation         |top - left
...
...
Sharpness           |Normal
InteroperabilityInde|R98
InteroperabilityVers|0100
--------------------+----------------------------------------------------------
EXIF data contains a thumbnail (1607 bytes).
$ afl-cmin -i ./exif-samples-master/jpg/ -o ./seeds -- ./install/bin/exif @@
Hint: install python module "tqdm" to show progress bar
2025-12-28 14:57:32,714 - INFO - use 1 workers (-T)
2025-12-28 14:57:32,715 - INFO - Found 96 input files in 1 directories
2025-12-28 14:57:32,767 - INFO - Remain 96 files after dedup
2025-12-28 14:57:32,767 - INFO - Sorting files.
2025-12-28 14:57:32,773 - INFO - Setting AFL_MAP_SIZE=3177
2025-12-28 14:57:32,773 - INFO - Testing the target binary
2025-12-28 14:57:32,779 - INFO - ok, 16 tuples recorded
2025-12-28 14:57:32,781 - INFO - Processing traces
2025-12-28 14:57:32,879 - INFO - Obtaining trace results
2025-12-28 14:57:32,881 - INFO - Found 1083 unique tuples across 96 files (54 effective)
2025-12-28 14:57:32,882 - INFO - Processing candidates and writing output
2025-12-28 14:57:32,885 - INFO - narrowed down to 39 files, saved in "./seeds"
2025-12-28 14:57:32,886 - INFO - Deleting trace files
afl-fuzz -i ./seeds/ -o ./outputs -- ./install/bin/exif @@

$ casr-afl -i ./outputs/default/ -o ./casr_reports -- ./install/bin/exif @@
14:33:00 [INFO] Analyzing 21 files...
14:33:00 [INFO] Generating CASR reports...
14:33:00 [INFO] Using 4 threads
14:33:01 [INFO] Progress: 4/21
14:33:02 [INFO] Progress: 8/21
14:33:03 [INFO] Progress: 12/21
14:33:04 [INFO] Progress: 16/21
14:33:05 [INFO] Deduplicating CASR reports...
14:33:05 [INFO] Number of reports before deduplication: 21. Number of reports after deduplication: 10
14:33:05 [INFO] Clustering CASR reports...
14:33:05 [INFO] Number of clusters: 5
==> <cl1>
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl1/id:000001,sig:11,src:000000,time:3751,execs:6304,op:flip32,pos:29424
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/exif-data.c:292
  Similar crashes: 1
Cluster summary -> SourceAv: 1
==> <cl2>
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl2/id:000002,sig:11,src:000000,time:8934,execs:15365,op:int32,pos:16,val:-1
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/exif-utils.c:94
  Similar crashes: 1
Cluster summary -> SourceAv: 1
==> <cl3>
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl3/id:000012,sig:11,src:000450,time:539294,execs:913911,op:havoc,rep:15
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/exif-data.c:292
  Similar crashes: 2
Cluster summary -> SourceAv: 2
==> <cl4>
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl4/id:000015,sig:11,src:000644,time:984996,execs:1616170,op:havoc,rep:1
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/exif-data.c:292
  Similar crashes: 4
Cluster summary -> SourceAv: 4
==> <cl5>
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl5/id:000009,sig:11,src:000020,time:123789,execs:216184,op:flip32,pos:781
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/canon/exif-mnote-data-canon.c:224
  Similar crashes: 1
Crash: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/casr_reports/cl5/id:000000,sig:11,src:000000,time:1275,execs:2220,op:inf,pos:0
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /home/ngtuonghung/cve/CVE-2009-3895-CVE-2012-2836/libexif-libexif-0_6_14-release/libexif/olympus/exif-mnote-data-olympus.c:357
  Similar crashes: 1
Cluster summary -> SourceAv: 2
SUMMARY -> SourceAv: 10
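
An added triage step, not part of the original post: the CASR clusters above can share a crash line, so totalling the "Similar crashes" counts per file:line shows how many distinct locations there are to investigate. The function names are hypothetical, and the sample is constructed from the summary above with paths shortened.

```sh
#!/bin/sh
# Added example, not from the original post: total the CASR summary per crash line.

# Constructed sample: the summary above with paths shortened and the
# "Crash:" lines left out (the parser does not read them).
sample_summary() {
cat <<'EOF'
==> <cl1>
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/exif-data.c:292
  Similar crashes: 1
Cluster summary -> SourceAv: 1
==> <cl2>
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/exif-utils.c:94
  Similar crashes: 1
Cluster summary -> SourceAv: 1
==> <cl3>
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/exif-data.c:292
  Similar crashes: 2
Cluster summary -> SourceAv: 2
==> <cl4>
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/exif-data.c:292
  Similar crashes: 4
Cluster summary -> SourceAv: 4
==> <cl5>
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/canon/exif-mnote-data-canon.c:224
  Similar crashes: 1
  gdb.casrep: NOT_EXPLOITABLE: SourceAv: /build/libexif/olympus/exif-mnote-data-olympus.c:357
  Similar crashes: 1
Cluster summary -> SourceAv: 2
SUMMARY -> SourceAv: 10
EOF
}

# Hypothetical helper: read a summary on stdin, print "<reports> <file:line>"
# for each distinct crash line, most frequent first.
group_by_crash_line() {
  awk '
    /gdb\.casrep:/ {
      loc = $NF                       # last field is /path/to/file.c:line
      sub(/^.*\/libexif\//, "", loc)  # keep the path below libexif/
      next
    }
    /Similar crashes:/ && loc != "" { total[loc] += $NF; loc = "" }
    END { for (l in total) printf "%d %s\n", total[l], l }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_summary | group_by_crash_line
```

For this run, 7 of the 10 deduplicated reports land on exif-data.c:292, spread over clusters cl1, cl3 and cl4, leaving four distinct crash lines to review.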
⚠️ Draft: The post is still being written...