Patch for CVE-2020-24890.

Gwyn Ciesla 2020-09-24 08:37:51 -05:00
parent 1d4e620148
commit 4241ce166c
2 changed files with 103 additions and 1 deletions


@ -0,0 +1,97 @@
From 78d323ecbe6a9752aee6e97118a76d40704d73ee Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Thu, 20 Aug 2020 15:24:40 +0300
Subject: [PATCH] Additional checks in hassy model parser
---
src/metadata/hasselblad_model.cpp | 39 ++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/src/metadata/hasselblad_model.cpp b/src/metadata/hasselblad_model.cpp
index 979f56c6..f1cd0d6d 100644
--- a/src/metadata/hasselblad_model.cpp
+++ b/src/metadata/hasselblad_model.cpp
@@ -93,7 +93,7 @@ static const char *Hasselblad_SensorEnclosures[] = {
int norm_model_isSet = 0;
if (model[0] == ' ')
- memmove(model, model+1, strlen(model));
+ memmove(model, model+1, MIN(sizeof(model)-1,strlen(model)));
if (!imHassy.format) {
if (dng_version) {
@@ -116,49 +116,62 @@ static const char *Hasselblad_SensorEnclosures[] = {
memmove(imHassy.SensorUnitConnector, imHassy.SensorUnitConnector+11, 64-11);
if (imHassy.format == LIBRAW_HF_AdobeDNG) { // Adobe DNG, use LocalizedCameraModel
+ imgdata.color.LocalizedCameraModel[63] = 0; // make sure 0-termination
if ((ps = strrchr(imgdata.color.LocalizedCameraModel, '-')))
c = ps-imgdata.color.LocalizedCameraModel;
else c = strlen(imgdata.color.LocalizedCameraModel);
- memcpy(tmp_model, imgdata.color.LocalizedCameraModel, c);
- tmp_model[c] = 0;
+ int cc = MIN(c, sizeof(tmp_model)-1);
+ memcpy(tmp_model, imgdata.color.LocalizedCameraModel,cc);
+ tmp_model[cc] = 0;
if (strcasestr(imgdata.color.UniqueCameraModel, "coated")) {
- strcpy(normalized_model, imgdata.color.UniqueCameraModel);
+ strncpy(normalized_model, imgdata.color.UniqueCameraModel,sizeof(imgdata.color.UniqueCameraModel)-1);
+ normalized_model[sizeof(imgdata.color.UniqueCameraModel) - 1] = 0;
norm_model_isSet = 1;
}
if (!strncmp(normalized_model, "Hasselblad ", 11))
memmove(normalized_model, normalized_model+11, 64-11);
- } else
- strcpy(tmp_model, imgdata.color.UniqueCameraModel);
+ }
+ else
+ {
+ strncpy(tmp_model, imgdata.color.UniqueCameraModel, sizeof(imgdata.color.UniqueCameraModel) - 1);
+ tmp_model[63] = 0;
+ }
if (!strncasecmp(tmp_model, "Hasselblad ", 11))
memmove(tmp_model, tmp_model+11, 64-11);
// check if model tag contains manual CaptureSequenceInitiator info:
- strcpy(imHassy.CaptureSequenceInitiator, model);
+ strncpy(imHassy.CaptureSequenceInitiator, model,31);
+ imHassy.CaptureSequenceInitiator[31] = 0;
FORC(int(sizeof Hasselblad_Ctrl / sizeof *Hasselblad_Ctrl)) {
if (strcasestr(model, Hasselblad_Ctrl[c])) {
// yes, fill 'model' with sensor unit data
- strcpy(model, tmp_model);
+ strncpy(model, tmp_model,63);
+ model[63] = 0;
break;
}
}
ps = strchr(model, '-');
if (ps) { // check if model contains both host body and sensor version, resolution, MS info
- strcpy(imHassy.SensorUnit, model);
+ strncpy(imHassy.SensorUnit, model,63);
memcpy(imHassy.HostBody, model, ps-model);
imHassy.HostBody[ps-model] = 0;
if (!strncmp(ps-2, "II-", 3))
ps -=2;
- strcpy(imHassy.Sensor, ps);
+ strncpy(imHassy.Sensor, ps,7);
+ imHassy.Sensor[7] = 0;
add_MP_toName = 0;
} else { // model contains host body only
- strcpy(imHassy.HostBody, model);
+ strncpy(imHassy.HostBody, model,63);
+ imHassy.HostBody[63] = 0;
// fill 'model' with sensor unit data
- strcpy(model, tmp_model);
+ strncpy(model, tmp_model,63);
+ model[63] = 0;
}
if (!strncmp(model, "503CWD", 6)) {
- strcpy(imHassy.HostBody, model);
+ strncpy(imHassy.HostBody, model,63);
+ imHassy.HostBody[63] = 0;
ilm.CameraFormat = LIBRAW_FORMAT_66;
ilm.CameraMount = LIBRAW_MOUNT_Hasselblad_V;
if (model[6] == 'I' && model[7] == 'I')
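Review bot: In the `if (ps)` branch, `strncpy(imHassy.SensorUnit, model,63);` is the only converted copy with no explicit terminator after it, so a 63-character `model` leaves `SensorUnit` unterminated unless the buffer was already zeroed. I would write it as `strncpy(imHassy.SensorUnit, model, sizeof(imHassy.SensorUnit)-1);` followed by `imHassy.SensorUnit[sizeof(imHassy.SensorUnit)-1] = 0;`. Several other bounds are taken from the source or hard-coded rather than derived from the destination: `sizeof(imgdata.color.UniqueCameraModel)-1` for both `normalized_model` and `tmp_model`, and the literals `63`, `31` and `7`. These are safe only if the destination arrays, which are declared outside this hunk, really have those sizes, so using `sizeof` on the destination would make each call self-checking. The enclosing function starts and ends outside the visible hunks, so the declarations could not be checked here.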


@ -7,7 +7,7 @@
Summary: Library for reading RAW files obtained from digital photo cameras Summary: Library for reading RAW files obtained from digital photo cameras
Name: LibRaw Name: LibRaw
Version: 0.20.0 Version: 0.20.0
Release: 2%{?dist} Release: 3%{?dist}
License: BSD and (CDDL or LGPLv2) License: BSD and (CDDL or LGPLv2)
URL: http://www.libraw.org URL: http://www.libraw.org
@ -20,6 +20,8 @@ BuildRequires: autoconf automake libtool
#Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz #Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
Patch0: LibRaw-pkgconfig.patch Patch0: LibRaw-pkgconfig.patch
# For CVE-2020-24890
Patch1: 78d323ecbe6a9752aee6e97118a76d40704d73ee.patch
Provides: bundled(dcraw) = 9.25 Provides: bundled(dcraw) = 9.25
%description %description
@ -114,6 +116,9 @@ rm -fv %{buildroot}%{_libdir}/lib*.la
%changelog %changelog
* Thu Sep 24 2020 Gwyn Ciesla <gwync@protonmail.com> - 0.20.0-3
- Patch for CVE-2020-24890.
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-2 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.20.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
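Review bot: Nothing in this section adds a step that applies the new patch. The only spec changes shown are the Release bump, the `Patch1:` declaration with its comment, and the changelog entry, which is consistent with the 103-addition total once the 97-line patch file is counted. If `%prep`, which is outside the visible hunks, uses `%autosetup` or `%autopatch`, the patch is picked up automatically. If it applies patches by explicit number, a `%patch1 -p1` line is still needed, and without it the package would be released as fixed for CVE-2020-24890 while building unpatched sources. Checking the build log for the patch being applied would confirm which case holds.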