rpms/exiv2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import exiv2-0.27.4-4.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-08-24 22:26:58 +00:00 committed by Andrew Lukoshko
parent 22b96ae00b
commit 2c9057068d
3 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
SOURCES/exiv2-CVE-2021-37618.patch Normal file
View File

@ -0,0 +1,29 @@
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Jul 2021 10:40:03 +0100
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
---
src/jp2image.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 3bf356629..2d6dc2118 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
if (subBox.type == kJp2BoxTypeColorHeader) {
long pad = 3; // don't know why there are 3 padding bytes
+ enforce(data.size_ >= pad, kerCorruptedMetadata);
if (bPrint) {
out << " | pad:";
for (int i = 0; i < 3; i++)
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
if (bPrint) {
out << " | iccLength:" << iccLength;
}
+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
if (bICC) {
out.write((const char*)data.pData_ + pad, iccLength);
}

62
SOURCES/exiv2-CVE-2021-37619.patch Normal file
View File

@ -0,0 +1,62 @@
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.
---
src/jp2image.cpp | 6 ++++--
.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b6a388542f..3bf3566294 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
- while ( count < length || !bWroteColor ) {
+ while ( count < length && !bWroteColor ) {
enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
- Jp2BoxHeader subBox = *pSubBox ;
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
Jp2BoxHeader newBox = subBox;
if ( count < length ) {
diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
index c98b3815eb..44f6a906cb 100644
--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
-from system_tests import CaseMeta, path
-
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
commands = ["$exiv2 in $filename1"]
stdout = [""]
stderr = [
"""Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
-$filename1: Could not write metadata to file: $kerCorruptedMetadata
"""]
- retval = [1]
+ retval = [0]

15
SPECS/exiv2.spec
View File

@ -3,13 +3,15 @@ Summary: Exif and Iptc metadata manipulation library
Name: exiv2 Name: exiv2
Version: 0.27.4 Version: 0.27.4
%global internal_ver %{version} %global internal_ver %{version}
Release: 2%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
## upstream patches (lookaside cache) ## upstream patches (lookaside cache)
Patch1: exiv2-CVE-2021-37618.patch
Patch2: exiv2-CVE-2021-37619.patch
# Security fixes # Security fixes
@ -119,6 +121,17 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%changelog %changelog
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-4
- Fix test for CVE-2021-29470
Resolves: bz#1993245
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-3
- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
Resolves: bz#1993282
- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1993245
* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-2 * Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-2
- Do not duplicate changelog file - Do not duplicate changelog file
Resolves: bz#1989860 Resolves: bz#1989860