Compare commits


No commits in common. "imports/c8-beta/compat-exiv2-026-0.26-3.el8" and "c8" have entirely different histories.

6 changed files with 423 additions and 1 deletions


@ -0,0 +1,280 @@
diff --git a/src/exiv2.cpp b/src/exiv2.cpp
index dbd2834..75c6fc2 100644
--- a/src/exiv2.cpp
+++ b/src/exiv2.cpp
@@ -593,41 +593,79 @@ int Params::evalPrint(const std::string& optarg)
{
int rc = 0;
switch (action_) {
- case Action::none:
- switch (optarg[0]) {
- case 's': action_ = Action::print; printMode_ = pmSummary; break;
- case 'a': rc = evalPrintFlags("kyct"); break;
- case 'e': rc = evalPrintFlags("Ekycv"); break;
- case 't': rc = evalPrintFlags("Ekyct"); break;
- case 'v': rc = evalPrintFlags("Exgnycv"); break;
- case 'h': rc = evalPrintFlags("Exgnycsh"); break;
- case 'i': rc = evalPrintFlags("Ikyct"); break;
- case 'x': rc = evalPrintFlags("Xkyct"); break;
- case 'c': action_ = Action::print; printMode_ = pmComment ; break;
- case 'p': action_ = Action::print; printMode_ = pmPreview ; break;
- case 'C': action_ = Action::print; printMode_ = pmIccProfile ; break;
- case 'R': action_ = Action::print; printMode_ = pmRecursive ; break;
- case 'S': action_ = Action::print; printMode_ = pmStructure ; break;
- case 'X': action_ = Action::print; printMode_ = pmXMP ; break;
+ case Action::none:
+ switch (optarg[0]) {
+ case 's':
+ action_ = Action::print;
+ printMode_ = pmSummary;
+ break;
+ case 'a':
+ rc = evalPrintFlags("kyct");
+ break;
+ case 'e':
+ rc = evalPrintFlags("Ekycv");
+ break;
+ case 't':
+ rc = evalPrintFlags("Ekyct");
+ break;
+ case 'v':
+ rc = evalPrintFlags("Exgnycv");
+ break;
+ case 'h':
+ rc = evalPrintFlags("Exgnycsh");
+ break;
+ case 'i':
+ rc = evalPrintFlags("Ikyct");
+ break;
+ case 'x':
+ rc = evalPrintFlags("Xkyct");
+ break;
+ case 'c':
+ action_ = Action::print;
+ printMode_ = pmComment;
+ break;
+ case 'p':
+ action_ = Action::print;
+ printMode_ = pmPreview;
+ break;
+ case 'C':
+ action_ = Action::print;
+ printMode_ = pmIccProfile;
+ break;
+ case 'R':
+ #ifdef NDEBUG
+ std::cerr << progname() << ": " << _("Action not available in Release mode")
+ << ": '" << optarg << "'\n";
+ rc = 1;
+ #else
+ action_ = Action::print;
+ printMode_ = pmRecursive;
+ #endif
+ break;
+ case 'S':
+ action_ = Action::print;
+ printMode_ = pmStructure;
+ break;
+ case 'X':
+ action_ = Action::print;
+ printMode_ = pmXMP;
+ break;
+ default:
+ std::cerr << progname() << ": " << _("Unrecognized print mode") << " `" << optarg << "'\n";
+ rc = 1;
+ break;
+ }
+ break;
+ case Action::print:
+ std::cerr << progname() << ": " << _("Ignoring surplus option -p") << optarg << "\n";
+ break;
default:
- std::cerr << progname() << ": " << _("Unrecognized print mode") << " `"
- << optarg << "'\n";
+ std::cerr << progname() << ": " << _("Option -p is not compatible with a previous option\n");
rc = 1;
break;
- }
- break;
- case Action::print:
- std::cerr << progname() << ": "
- << _("Ignoring surplus option -p") << optarg << "\n";
- break;
- default:
- std::cerr << progname() << ": "
- << _("Option -p is not compatible with a previous option\n");
- rc = 1;
- break;
}
return rc;
-} // Params::evalPrint
+} // Params::evalPrint
int Params::evalPrintFlags(const std::string& optarg)
{
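Review bot: The `case 'R'` branch is refused only when `NDEBUG` is defined, so whether `-pR` is actually disabled depends on the build flags rather than on the code. In a build without `-DNDEBUG`, the `#else` arm still sets `printMode_ = pmRecursive`, leaving the recursive structure print reachable from the command line. Presumably that is the path behind the stack-exhaustion entry in the changelog. The guard should carry a comment saying so, e.g. `// -pR is a debugging aid: release builds (NDEBUG) reject it because it recurses over file-controlled structure`, and the package build should be checked to confirm it defines `NDEBUG`. Most of the remaining churn in this hunk is re-indentation, which makes the one behavioural change easy to miss.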
diff --git a/test/data/webp-test.out b/test/data/webp-test.out
index e92a844..eec850d 100644
--- a/test/data/webp-test.out
+++ b/test/data/webp-test.out
@@ -1,149 +1,3 @@
-STRUCTURE OF WEBP FILE: exiv2-bug1199.webp
- Chunk | Length | Offset | Payload
- RIFF | 187526 | 0 | WEBP
- VP8X | 10 | 12 | ,........
- ICCP | 560 | 30 | ...0ADBE....mntrRGB XYZ ........
- VP8 | 172008 | 598 | .G...*.. .>1..B.!..o.. ......]..
- EXIF | 12040 | 172614 | II*........................... .
- XMP | 2864 | 184662 | <?xpacket begin="..." id="W5M0Mp
-STRUCTURE OF WEBP FILE: exiv2-bug1199.webp
- Chunk | Length | Offset | Payload
- RIFF | 187526 | 0 | WEBP
- VP8X | 10 | 12 | ,........
- ICCP | 560 | 30 | ...0ADBE....mntrRGB XYZ ........
- VP8 | 172008 | 598 | .G...*.. .>1..B.!..o.. ......]..
- EXIF | 12040 | 172614 | II*........................... .
- STRUCTURE OF TIFF FILE (II): MemIo
- address | tag | type | count | offset | value
- 10 | 0x0100 ImageWidth | LONG | 1 | 1200 | 1200
- 22 | 0x0101 ImageLength | LONG | 1 | 800 | 800
- 34 | 0x0102 BitsPerSample | SHORT | 3 | 194 | 8 8 8
- 46 | 0x010e ImageDescription | ASCII | 37 | 200 | ...
- 58 | 0x010f Make | ASCII | 18 | 238 | NIKON CORPORATION
- 70 | 0x0110 Model | ASCII | 12 | 256 | NIKON D5300
- 82 | 0x0112 Orientation | SHORT | 1 | 1 | 1
- 94 | 0x011a XResolution | RATIONAL | 1 | 268 | 300/1
- 106 | 0x011b YResolution | RATIONAL | 1 | 276 | 300/1
- 118 | 0x0128 ResolutionUnit | SHORT | 1 | 2 | 2
- 130 | 0x0131 Software | ASCII | 11 | 284 | GIMP 2.9.5
- 142 | 0x0132 DateTime | ASCII | 20 | 296 | 2016:08:13 10:54:16
- 154 | 0x0213 YCbCrPositioning | SHORT | 1 | 1 | 1
- 166 | 0x8769 ExifTag | LONG | 1 | 316 | 316
- STRUCTURE OF TIFF FILE (II): MemIo
- address | tag | type | count | offset | value
- 318 | 0x829a ExposureTime | RATIONAL | 1 | 814 | 10/4000
- 330 | 0x829d FNumber | RATIONAL | 1 | 822 | 100/10
- 342 | 0x8822 ExposureProgram | SHORT | 1 | 0 | 0
- 354 | 0x8827 ISOSpeedRatings | SHORT | 1 | 200 | 200
- 366 | 0x8830 SensitivityType | SHORT | 1 | 2 | 2
- 378 | 0x9000 ExifVersion | UNDEFINED | 4 | 808661552 | 0230
- 390 | 0x9003 DateTimeOriginal | ASCII | 20 | 830 | 2015:07:16 15:38:54
- 402 | 0x9004 DateTimeDigitized | ASCII | 20 | 850 | 2015:07:16 15:38:54
- 414 | 0x9101 ComponentsConfiguration | UNDEFINED | 4 | 197121 | ...
- 426 | 0x9102 CompressedBitsPerPixel | RATIONAL | 1 | 870 | 2/1
- 438 | 0x9204 ExposureBiasValue | SRATIONAL | 1 | 878 | 0/6
- 450 | 0x9205 MaxApertureValue | RATIONAL | 1 | 886 | 43/10
- 462 | 0x9207 MeteringMode | SHORT | 1 | 5 | 5
- 474 | 0x9208 LightSource | SHORT | 1 | 0 | 0
- 486 | 0x9209 Flash | SHORT | 1 | 16 | 16
- 498 | 0x920a FocalLength | RATIONAL | 1 | 894 | 440/10
- 510 | 0x927c MakerNote | UNDEFINED | 3826 | 902 | Nikon.....II*.....9.+...$...... ...
- STRUCTURE OF TIFF FILE (II): MemIo
- address | tag | type | count | offset | value
- 10 | 0x002b | ASCII | 36 | 698 | 48 49 48 48 0 0 2 0 0 0 0 0 0 0 ...
- 22 | 0x002c | ASCII | 1157 | 734 | 48 49 48 49 35 0 128 2 170 1 0 0 ...
- 34 | 0x002d | ASCII | 8 | 1892 | 512 0 0
- 46 | 0x0032 | ASCII | 20 | 1900 | 48 49 48 48 1 0 0 0
- 58 | 0x0035 | ASCII | 16 | 1920 | 48 50 48 48 0 0
- 70 | 0x003b | ASCII | 32 | 1936 | 256/256 256/256 256/256 256/256
- 82 | 0x003c | ASCII | 2 | 49 | 1
- 94 | 0x009d | ASCII | 2 | 48 | 0
- 106 | 0x00a3 | BYTE | 1 | 0 |
- 118 | 0x00b6 | ASCII | 16 | 1968 | 0 0 0 0 0 0 0 0
- 130 | 0x00bb | ASCII | 26 | 1984 | 48 50 48 48 255 255 255 0
- 142 | 0x00bf | ASCII | 2 | 48 | 0
- 154 | 0x00c0 | ASCII | 21 | 2010 | 60 1 12 0 144 1 12 0
- 166 | 0x0022 | SHORT | 1 | 65535 | 65535
- 178 | 0x008a | SHORT | 1 | 1 | 1
- 190 | 0x001e GPSDifferential | SHORT | 1 | 1 | 1
- 202 | 0x001b GPSProcessingMethod | SHORT | 7 | 2032 | 0 6016 4016 6016 4016 ...
- 214 | 0x0019 GPSDestDistanceRef | SRATIONAL | 1 | 2046 | 0/6
- 226 | 0x000e GPSTrackRef | UNDEFINED | 4 | 786688 | ...
- 238 | 0x001c GPSAreaInformation | SHORT | 3 | 2054 | 0 1 6
- 250 | 0x0018 GPSDestBearing | UNDEFINED | 4 | 393472 | ...
- 262 | 0x0012 GPSMapDatum | UNDEFINED | 4 | 393472 | ...
- 274 | 0x0009 GPSStatus | ASCII | 20 | 2060 |
- 286 | 0x0017 GPSDestBearingRef | UNDEFINED | 4 | 393472 | ...
- 298 | 0x00a8 | UNDEFINED | 49 | 2080 | 0106........................... ...
- 310 | 0x0087 | BYTE | 1 | 0 |
- 322 | 0x0008 FlashSetting | ASCII | 13 | 2130 |
- 334 | 0x0007 Focus | ASCII | 7 | 2144 | AF-A
- 346 | 0x00b1 | SHORT | 1 | 4 | 4
- 358 | 0x0013 GPSDestLatitudeRef | SHORT | 2 | 13107200 | 0 200
- 370 | 0x0002 ISOSpeed | SHORT | 2 | 13107200 | 0 200
- 382 | 0x0016 GPSDestLongitude | SHORT | 4 | 2152 | 0 0 6000 4000
- 394 | 0x00a2 | LONG | 1 | 6173648 | 6173648
- 406 | 0x0084 | RATIONAL | 4 | 2160 | 180/10 2500/10 35/10 63/10
- 418 | 0x008b | UNDEFINED | 4 | 786743 | 7..
- 430 | 0x0083 | BYTE | 1 | 14 | .
- 442 | 0x0095 | ASCII | 5 | 2192 | OFF
- 454 | 0x000d GPSSpeed | UNDEFINED | 4 | 393472 | ...
- 466 | 0x0004 Quality | ASCII | 8 | 2198 | NORMAL
- 478 | 0x009e | SHORT | 10 | 2206 | 0 0 0 0 0 ...
- 490 | 0x001d GPSDateStamp | ASCII | 8 | 2226 | 2567806
- 502 | 0x0089 | SHORT | 1 | 0 | 0
- 514 | 0x00a7 | LONG | 1 | 9608 | 9608
- 526 | 0x00ab | ASCII | 16 | 2234 | AUTO(FLASH OFF)
- 538 | 0x0001 Version | UNDEFINED | 4 | 825307696 | 0211
- 550 | 0x000c GPSSpeedRef | RATIONAL | 4 | 2250 | 538/256 354/256 256/256 256/256
- 562 | 0x0005 WhiteBalance | ASCII | 13 | 2282 | AUTO
- 574 | 0x000b ProcessingSoftware | SSHORT | 2 | 0 | 0 0
- 586 | 0x00b7 | UNDEFINED | 30 | 2296 | 0100....i....................
- 598 | 0x0097 | UNDEFINED | 1188 | 2326 | 0219.dU....W..2......:.......F.# ...
- 610 | 0x00b8 | UNDEFINED | 172 | 3514 | 0100..e........................ ...
- 622 | 0x0025 | UNDEFINED | 14 | 3686 | H.....H......
- 634 | 0x0098 | UNDEFINED | 33 | 3700 | 0204.W....z.o..#[.....!o.x..E... ...
- 646 | 0x00b0 | UNDEFINED | 16 | 3734 | 0100...........
- 658 | 0x0023 | UNDEFINED | 58 | 3750 | 0100STANDARD............STANDARD ...
- 670 | 0x001f | UNDEFINED | 8 | 3808 | 0100...
- 682 | 0x0024 | UNDEFINED | 4 | 65536 | ...
- END MemIo
- 522 | 0x9286 UserComment | UNDEFINED | 44 | 4728 | ........ ...
- 534 | 0x9290 SubSecTime | ASCII | 3 | 12336 | 00
- 546 | 0x9291 SubSecTimeOriginal | ASCII | 3 | 12336 | 00
- 558 | 0x9292 SubSecTimeDigitized | ASCII | 3 | 12336 | 00
- 570 | 0xa000 FlashpixVersion | UNDEFINED | 4 | 808464688 | 0100
- 582 | 0xa001 ColorSpace | SHORT | 1 | 1 | 1
- 594 | 0xa002 PixelXDimension | LONG | 1 | 6000 | 6000
- 606 | 0xa003 PixelYDimension | LONG | 1 | 4000 | 4000
- 618 | 0xa217 SensingMethod | SHORT | 1 | 2 | 2
- 630 | 0xa300 FileSource | UNDEFINED | 1 | 3 | .
- 642 | 0xa301 SceneType | UNDEFINED | 1 | 1 | .
- 654 | 0xa302 CFAPattern | UNDEFINED | 8 | 4772 | ........
- 666 | 0xa401 CustomRendered | SHORT | 1 | 0 | 0
- 678 | 0xa402 ExposureMode | SHORT | 1 | 0 | 0
- 690 | 0xa403 WhiteBalance | SHORT | 1 | 0 | 0
- 702 | 0xa404 DigitalZoomRatio | RATIONAL | 1 | 4780 | 1/1
- 714 | 0xa405 FocalLengthIn35mmFilm | SHORT | 1 | 66 | 66
- 726 | 0xa406 SceneCaptureType | SHORT | 1 | 0 | 0
- 738 | 0xa407 GainControl | SHORT | 1 | 0 | 0
- 750 | 0xa408 Contrast | SHORT | 1 | 0 | 0
- 762 | 0xa409 Saturation | SHORT | 1 | 0 | 0
- 774 | 0xa40a Sharpness | SHORT | 1 | 0 | 0
- 786 | 0xa40c SubjectDistanceRange | SHORT | 1 | 0 | 0
- 798 | 0xa420 ImageUniqueID | ASCII | 33 | 4788 | 090caaf2c085f3e102513b24750041aa ...
- END MemIo
- 178 | 0x8825 GPSTag | LONG | 1 | 4822 | 4822
- 5072 | 0x0100 ImageWidth | LONG | 1 | 256 | 256
- 5084 | 0x0101 ImageLength | LONG | 1 | 170 | 170
- 5096 | 0x0102 BitsPerSample | SHORT | 3 | 5172 | 8 8 8
- 5108 | 0x0103 Compression | SHORT | 1 | 6 | 6
- 5120 | 0x0106 PhotometricInterpretation | SHORT | 1 | 6 | 6
- 5132 | 0x0115 SamplesPerPixel | SHORT | 1 | 3 | 3
- 5144 | 0x0201 JPEGInterchangeFormat | LONG | 1 | 5178 | 5178
- 5156 | 0x0202 JPEGInterchangeFormatLeng | LONG | 1 | 6861 | 6861
- END MemIo
- XMP | 2864 | 184662 | <?xpacket begin="..." id="W5M0Mp
<?xml version="1.0"?>
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">
diff --git a/test/webp-test.sh b/test/webp-test.sh
index 04ffe19..9c53293 100755
--- a/test/webp-test.sh
+++ b/test/webp-test.sh
@@ -14,7 +14,6 @@ source ./functions.source
copyTestFile $filename
runTest exiv2 -pS $filename
- runTest exiv2 -pR $filename
runTest exiv2 -pX $filename | xmllint --format -
printf "delete " >&3
# test deleting metadata


@ -0,0 +1,26 @@
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529
---
src/jp2image.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 1892fd4..01a21f2 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -737,9 +737,10 @@ namespace Exiv2
#endif
box.length = io_->size() - io_->tell() + 8;
}
- if (box.length == 1)
+ if (box.length < 8)
{
- // FIXME. Special case. the real box size is given in another place.
+ // box is broken, so there is nothing we can do here
+ throw Error(kerCorruptedMetadata);
}
// Read whole box : Box header + Box data (not fixed size - can be null).
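Review bot: `box.length` is bounded only from below by the new `if (box.length < 8)`; nothing visible in this hunk bounds it from above before the "Read whole box" step that follows. If that step sizes a buffer or a read from `box.length` (it is outside the hunk, so this is inferred), a length larger than the bytes remaining in the file should be rejected as well, along the lines of `if (box.length < 8 || box.length - 8 > io_->size() - io_->tell()) throw Error(kerCorruptedMetadata);`. The removed FIXME says a length of 1 means the real size is stored elsewhere, so the new comment should state that such boxes are now deliberately treated as corrupt rather than supported.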


@ -0,0 +1,26 @@
From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 9 Apr 2021 13:37:48 +0100
Subject: [PATCH] Fix integer overflow.
---
src/crwimage.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
index ca79aa7..cd6200c 100644
--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
@@ -1326,7 +1326,11 @@ namespace Exiv2 {
pCrwMapping->crwDir_);
if (edX != edEnd || edY != edEnd || edO != edEnd) {
uint32_t size = 28;
- if (cc && cc->size() > size) size = cc->size();
+ if (cc) {
+ if (cc->size() < size)
+ throw Error(kerCorruptedMetadata);
+ size = cc->size();
+ }
DataBuf buf(size);
std::memset(buf.pData_, 0x0, buf.size_);
if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
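Review bot: The new `throw Error(kerCorruptedMetadata)` has no comment tying it to the `std::memcpy` three lines below, which is the statement it protects. The length argument `cc->size() - 8` would wrap if the component were shorter than 8 bytes (assuming `size()` is unsigned, as the `uint32_t size` comparison suggests). A short comment above the check would keep a later edit from relaxing it, e.g. `// a component shorter than the 28-byte record is corrupt; the memcpy below relies on cc->size() >= 8`. The literal `28` is also unexplained and would be clearer as a named constant.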


@ -0,0 +1,37 @@
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Jul 2021 10:40:03 +0100
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
---
src/jp2image.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 43c93d7..a8c37e8 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -42,6 +42,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "futils.hpp"
#include "types.hpp"
#include "safe_op.hpp"
+#include "enforce.hpp"
// + standard includes
#include <string>
@@ -511,6 +512,7 @@ namespace Exiv2
if(subBox.type == kJp2BoxTypeColorHeader)
{
long pad = 3 ; // don't know why there are 3 padding bytes
+ enforce(data.size_ >= pad, kerCorruptedMetadata);
if ( bPrint ) {
out << " | pad:" ;
for ( int i = 0 ; i < 3 ; i++ ) out<< " " << (int) data.pData_[i];
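Review bot: `enforce(data.size_ >= pad, kerCorruptedMetadata)` guarantees only the three padding bytes that the print loop reads. The lines between this hunk and the next are not shown, but if `iccLength` is read as a 4-byte value at `data.pData_ + pad`, the check needs to cover those bytes too, e.g. `enforce(data.size_ >= pad + 4, kerCorruptedMetadata);`. The print loop also hard-codes `3` where it could use `pad`, so the guard and the loop can drift apart.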
@@ -521,6 +523,7 @@ namespace Exiv2
}
DataBuf icc(iccLength);
+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
if ( bICC ) out.write((const char*)icc.pData_,icc.size_);
}
lf(out,bLF);
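Review bot: The added `enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata)` runs after `DataBuf icc(iccLength);`, so a length taken from the file still sizes an allocation before it is validated. Swap the two lines so the order is `enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);` then `DataBuf icc(iccLength);`. `iccLength` is declared outside the hunk; if it is a signed type, a negative value would also pass this upper-bound check, so a lower-bound test may be needed as well.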


@ -0,0 +1,30 @@
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.
---
src/jp2image.cpp | 6 ++++--
.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 2cd0a89..58ad5c6 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -619,11 +619,13 @@ namespace Exiv2
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
- while ( count < length || !bWroteColor ) {
+ while ( count < length && !bWroteColor ) {
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
- Jp2BoxHeader subBox = *pSubBox ;
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
Jp2BoxHeader newBox = subBox;
if ( count < length ) {
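Review bot: The loop condition `count < length` only guarantees that one byte remains, yet the new `memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader))` reads a whole header from `p+count`. When fewer than `sizeof(Jp2BoxHeader)` bytes are left in `boxBuf`, the copy reads past the end of the buffer. A guard before the copy would close this, something like `if (static_cast<size_t>(length - count) < sizeof(Jp2BoxHeader)) throw Error(kerCorruptedMetadata);`. With `&&` in the loop condition, the inner `if ( count < length )` on the last line is now always true and can be dropped. The loop body continues outside the hunk.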


@ -1,6 +1,6 @@
Name: compat-exiv2-026
Version: 0.26
Release: 3%{?dist}
Release: 7%{?dist}
Summary: Compatibility package with the exiv2 library in version 0.26
License: GPLv2+
@ -32,6 +32,11 @@ Patch24: exiv2-CVE-2018-5772.patch
Patch25: exiv2-CVE-2018-8976.patch
Patch26: exiv2-CVE-2018-8977.patch
Patch27: exiv2-CVE-2018-16336.patch
Patch28: exiv2-CVE-2021-31291.patch
Patch29: exiv2-CVE-2021-31292.patch
Patch30: exiv2-CVE-2021-37618.patch
Patch31: exiv2-CVE-2021-37619.patch
Patch32: exiv2-CVE-2020-18898.patch
## upstreamable patches
@ -96,6 +101,24 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so
%changelog
* Wed Oct 13 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-7
- Fix stack exhaustion issue in the printIFDStructure function
Resolves: bz#2003669
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-6
- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
Resolves: bz#1993283
- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1993246
* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-4
- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
Resolves: bz#1990398
- Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS
Resolves: bz#1990399
* Thu Nov 21 2019 Jan Grulich <jgrulich@redhat.com> - 0.26-3
- Remove pre-built msvc binaries
Resolves: bz#1757349