rpms/compat-exiv2-026
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import compat-exiv2-026-0.26-6.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-10-06 05:07:34 -04:00 committed by Stepan Oksanichenko
parent 5b24c27ba2
commit 0d503e7822
5 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
SOURCES/exiv2-CVE-2021-31291.patch Normal file
View File

@ -0,0 +1,26 @@
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529
---
src/jp2image.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 1892fd4..01a21f2 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -737,9 +737,10 @@ namespace Exiv2
#endif
box.length = io_->size() - io_->tell() + 8;
}
- if (box.length == 1)
+ if (box.length < 8)
{
- // FIXME. Special case. the real box size is given in another place.
+ // box is broken, so there is nothing we can do here
+ throw Error(kerCorruptedMetadata);
}
// Read whole box : Box header + Box data (not fixed size - can be null).

26
SOURCES/exiv2-CVE-2021-31292.patch Normal file
View File

@ -0,0 +1,26 @@
From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 9 Apr 2021 13:37:48 +0100
Subject: [PATCH] Fix integer overflow.
---
src/crwimage.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
index ca79aa7..cd6200c 100644
--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
@@ -1326,7 +1326,11 @@ namespace Exiv2 {
pCrwMapping->crwDir_);
if (edX != edEnd || edY != edEnd || edO != edEnd) {
uint32_t size = 28;
- if (cc && cc->size() > size) size = cc->size();
+ if (cc) {
+ if (cc->size() < size)
+ throw Error(kerCorruptedMetadata);
+ size = cc->size();
+ }
DataBuf buf(size);
std::memset(buf.pData_, 0x0, buf.size_);
if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);

37
SOURCES/exiv2-CVE-2021-37618.patch Normal file
View File

@ -0,0 +1,37 @@
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Jul 2021 10:40:03 +0100
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
---
src/jp2image.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 43c93d7..a8c37e8 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -42,6 +42,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "futils.hpp"
#include "types.hpp"
#include "safe_op.hpp"
+#include "enforce.hpp"
// + standard includes
#include <string>
@@ -511,6 +512,7 @@ namespace Exiv2
if(subBox.type == kJp2BoxTypeColorHeader)
{
long pad = 3 ; // don't know why there are 3 padding bytes
+ enforce(data.size_ >= pad, kerCorruptedMetadata);
if ( bPrint ) {
out << " | pad:" ;
for ( int i = 0 ; i < 3 ; i++ ) out<< " " << (int) data.pData_[i];
@@ -521,6 +523,7 @@ namespace Exiv2
}
DataBuf icc(iccLength);
+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
if ( bICC ) out.write((const char*)icc.pData_,icc.size_);
}
lf(out,bLF);

30
SOURCES/exiv2-CVE-2021-37619.patch Normal file
View File

@ -0,0 +1,30 @@
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.
---
src/jp2image.cpp | 6 ++++--
.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 2cd0a89..58ad5c6 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -619,11 +619,13 @@ namespace Exiv2
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
- while ( count < length || !bWroteColor ) {
+ while ( count < length && !bWroteColor ) {
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
- Jp2BoxHeader subBox = *pSubBox ;
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
Jp2BoxHeader newBox = subBox;
if ( count < length ) {

20
SPECS/compat-exiv2-026.spec
View File

@ -1,6 +1,6 @@
Name: compat-exiv2-026 Name: compat-exiv2-026
Version: 0.26 Version: 0.26
Release: 3%{?dist} Release: 6%{?dist}
Summary: Compatibility package with the exiv2 library in version 0.26 Summary: Compatibility package with the exiv2 library in version 0.26
License: GPLv2+ License: GPLv2+
@ -32,6 +32,10 @@ Patch24: exiv2-CVE-2018-5772.patch
Patch25: exiv2-CVE-2018-8976.patch Patch25: exiv2-CVE-2018-8976.patch
Patch26: exiv2-CVE-2018-8977.patch Patch26: exiv2-CVE-2018-8977.patch
Patch27: exiv2-CVE-2018-16336.patch Patch27: exiv2-CVE-2018-16336.patch
Patch28: exiv2-CVE-2021-31291.patch
Patch29: exiv2-CVE-2021-31292.patch
Patch30: exiv2-CVE-2021-37618.patch
Patch31: exiv2-CVE-2021-37619.patch
## upstreamable patches ## upstreamable patches
@ -96,6 +100,20 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so
%changelog %changelog
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-6
- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
Resolves: bz#1993283
- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1993246
* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-4
- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
Resolves: bz#1990398
- Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS
Resolves: bz#1990399
* Thu Nov 21 2019 Jan Grulich <jgrulich@redhat.com> - 0.26-3 * Thu Nov 21 2019 Jan Grulich <jgrulich@redhat.com> - 0.26-3
- Remove pre-built msvc binaries - Remove pre-built msvc binaries
Resolves: bz#1757349 Resolves: bz#1757349