import compat-exiv2-026-0.26-6.el8

2021-11-09 04:51:00 -05:00 · 2021-11-09 04:51:00 -05:00 · fc1547d365
parent c1d97dd7f3
commit fc1547d365
4 changed files with 109 additions and 3 deletions
--- a/SOURCES/exiv2-CVE-2021-31292.patch
+++ b/SOURCES/exiv2-CVE-2021-31292.patch
@ -0,0 +1,26 @@
+From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 9 Apr 2021 13:37:48 +0100
+Subject: [PATCH] Fix integer overflow.
+
+---
+ src/crwimage.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crwimage.cpp b/src/crwimage.cpp
+index ca79aa7..cd6200c 100644
+--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
+@@ -1326,7 +1326,11 @@ namespace Exiv2 {
+                                                  pCrwMapping->crwDir_);
+         if (edX != edEnd || edY != edEnd || edO != edEnd) {
+             uint32_t size = 28;
+-            if (cc && cc->size() > size) size = cc->size();
+            if (cc) {
+              if (cc->size() < size)
+                throw Error(kerCorruptedMetadata);
+              size = cc->size();
+            }
+             DataBuf buf(size);
+             std::memset(buf.pData_, 0x0, buf.size_);
+             if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
--- a/SOURCES/exiv2-CVE-2021-37618.patch
+++ b/SOURCES/exiv2-CVE-2021-37618.patch
@ -0,0 +1,37 @@
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 43c93d7..a8c37e8 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -42,6 +42,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "futils.hpp"
+ #include "types.hpp"
+ #include "safe_op.hpp"
+#include "enforce.hpp"
+
+ // + standard includes
+ #include <string>
+@@ -511,6 +512,7 @@ namespace Exiv2
+                             if(subBox.type == kJp2BoxTypeColorHeader)
+                             {
+                                 long pad = 3 ; // don't know why there are 3 padding bytes
+                                enforce(data.size_ >= pad, kerCorruptedMetadata);
+                                 if ( bPrint ) {
+                                     out << " | pad:" ;
+                                     for ( int i = 0 ; i < 3 ; i++ ) out<< " " << (int) data.pData_[i];
+@@ -521,6 +523,7 @@ namespace Exiv2
+                                 }
+
+                                 DataBuf icc(iccLength);
+                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+                                 if ( bICC ) out.write((const char*)icc.pData_,icc.size_);
+                             }
+                             lf(out,bLF);
--- a/SOURCES/exiv2-CVE-2021-37619.patch
+++ b/SOURCES/exiv2-CVE-2021-37619.patch
@ -0,0 +1,30 @@
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp                                      |  6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 2cd0a89..58ad5c6 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -619,11 +619,13 @@ namespace Exiv2
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+
+-        while ( count < length || !bWroteColor ) {
+        while ( count < length && !bWroteColor ) {
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-            Jp2BoxHeader   subBox = *pSubBox ;
+            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+            Jp2BoxHeader   subBox;
+            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+             Jp2BoxHeader   newBox =  subBox;
+
+             if ( count < length ) {
--- a/SPECS/compat-exiv2-026.spec
+++ b/SPECS/compat-exiv2-026.spec
@ -1,6 +1,6 @@
 Name:    compat-exiv2-026
 Version: 0.26
-Release: 4%{?dist}
+Release: 6%{?dist}
 Summary: Compatibility package with the exiv2 library in version 0.26

 License: GPLv2+
@ -33,6 +33,9 @@ Patch25: exiv2-CVE-2018-8976.patch
 Patch26: exiv2-CVE-2018-8977.patch
 Patch27: exiv2-CVE-2018-16336.patch
 Patch28: exiv2-CVE-2021-31291.patch
+Patch29: exiv2-CVE-2021-31292.patch
+Patch30: exiv2-CVE-2021-37618.patch
+Patch31: exiv2-CVE-2021-37619.patch

 ## upstreamable patches

@ -97,9 +100,19 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so


 %changelog
-* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-11
+* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-6
+- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
+  Resolves: bz#1993283
+
+- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
+  Resolves: bz#1993246
+
+* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-4
 - Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
-  Resolves: bz#1990397
+  Resolves: bz#1990398
+
+- Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS
+  Resolves: bz#1990399

 * Thu Nov 21 2019 Jan Grulich <jgrulich@redhat.com> - 0.26-3
 - Remove pre-built msvc binaries