import exiv2-0.27.4-4.el8

SOURCES/exiv2-CVE-2021-37618.patch

@@ -0,0 +1,29 @@
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 3bf356629..2d6dc2118 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
+
+                             if (subBox.type == kJp2BoxTypeColorHeader) {
+                                 long pad = 3;  // don't know why there are 3 padding bytes
++                                enforce(data.size_ >= pad, kerCorruptedMetadata);
+                                 if (bPrint) {
+                                     out << " | pad:";
+                                     for (int i = 0; i < 3; i++)
+@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
+                                 if (bPrint) {
+                                     out << " | iccLength:" << iccLength;
+                                 }
++                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+                                 if (bICC) {
+                                     out.write((const char*)data.pData_ + pad, iccLength);
+                                 }

SOURCES/exiv2-CVE-2021-37619.patch

@@ -0,0 +1,62 @@
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp                                      |  6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b6a388542f..3bf3566294 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+
+-        while ( count < length || !bWroteColor ) {
++        while ( count < length && !bWroteColor ) {
+             enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-            Jp2BoxHeader   subBox = *pSubBox ;
++            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++            Jp2BoxHeader   subBox;
++            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+             Jp2BoxHeader   newBox =  subBox;
+
+             if ( count < length ) {
+diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+index c98b3815eb..44f6a906cb 100644
+--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
++++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+@@ -1,7 +1,7 @@
+ # -*- coding: utf-8 -*-
+
+-from system_tests import CaseMeta, path
+-
++from system_tests import CaseMeta, CopyTmpFiles, path
++@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+
+ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+     """
+@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+     """
+     url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
+
+-    filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+-    filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
++    filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
++    filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+     commands = ["$exiv2 in $filename1"]
+     stdout = [""]
+     stderr = [
+ """Error: XMP Toolkit error 201: XML parsing failure
+ Warning: Failed to decode XMP metadata.
+-$filename1: Could not write metadata to file: $kerCorruptedMetadata
+ """]
+-    retval = [1]
++    retval = [0]

SPECS/exiv2.spec

@@ -3,13 +3,15 @@ Summary: Exif and Iptc metadata manipulation library
 Name:    exiv2
 Version: 0.27.4
 %global internal_ver %{version}
-Release: 2%{?dist}
+Release: 4%{?dist}
 
 License: GPLv2+
 URL:     http://www.exiv2.org/
 Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
 
 ## upstream patches (lookaside cache)
+Patch1: exiv2-CVE-2021-37618.patch
+Patch2: exiv2-CVE-2021-37619.patch
 
 # Security fixes
 
@@ -119,6 +121,17 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 
 
 %changelog
+* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-4
+- Fix test for CVE-2021-29470
+  Resolves: bz#1993245
+
+* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-3
+- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
+  Resolves: bz#1993282
+
+- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
+  Resolves: bz#1993245
+
 * Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-2
 - Do not duplicate changelog file
   Resolves: bz#1989860