From 3c72a01f6bbc3ad8ae7bba987bfe33750d1b5f15 Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: Wed, 18 Aug 2021 08:46:09 +0200
Subject: [PATCH] Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
Resolves: bz#1993247
Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1993284
---
 exiv2-CVE-2021-37618.patch | 29 +++++++++++++++++++++++++++++
 exiv2-CVE-2021-37619.patch | 31 +++++++++++++++++++++++++++++++
 exiv2.spec | 11 ++++++++++-
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 exiv2-CVE-2021-37618.patch
 create mode 100644 exiv2-CVE-2021-37619.patch
diff --git a/exiv2-CVE-2021-37618.patch b/exiv2-CVE-2021-37618.patch
new file mode 100644
index 0000000..b658a39
--- /dev/null
+++ b/exiv2-CVE-2021-37618.patch
@@ -0,0 +1,29 @@
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 3bf356629..2d6dc2118 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
+
+ if (subBox.type == kJp2BoxTypeColorHeader) {
+ long pad = 3; // don't know why there are 3 padding bytes
++ enforce(data.size_ >= pad, kerCorruptedMetadata);
+ if (bPrint) {
+ out << " | pad:";
+ for (int i = 0; i < 3; i++)
+@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
+ if (bPrint) {
+ out << " | iccLength:" << iccLength;
+ }
++ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+ if (bICC) {
+ out.write((const char*)data.pData_ + pad, iccLength);
+ }
diff --git a/exiv2-CVE-2021-37619.patch b/exiv2-CVE-2021-37619.patch
new file mode 100644
index 0000000..4f8145a
--- /dev/null
+++ b/exiv2-CVE-2021-37619.patch
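Review bot: The new `enforce(data.size_ >= pad, kerCorruptedMetadata)` only guarantees the 3 pad bytes printed by the loop directly below it; `iccLength` is decoded between the two hunks, outside what is shown, and if it is read from `data.pData_ + pad` as a 4-byte value that read is still unguarded for a buffer of 3 to 6 bytes. If that is how it is obtained, the guard should be `enforce(data.size_ >= pad + 4, kerCorruptedMetadata);` so that the later `iccLength <= data.size_ - pad` check runs on a buffer already known to hold the length field. The enclosing function in jp2image.cpp starts and ends outside the hunk, so this is inferred from the surrounding lines rather than visible in them.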
@@ -0,0 +1,31 @@
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp | 6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b6a388542f..3bf3566294 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+- while ( count < length || !bWroteColor ) {
++ while ( count < length && !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+- Jp2BoxHeader subBox = *pSubBox ;
++ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++ Jp2BoxHeader subBox;
++ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+ Jp2BoxHeader newBox = subBox;
+
+ if ( count < length ) {
diff --git a/exiv2.spec b/exiv2.spec
index 156e48a..acfb197 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -5,7 +5,7 @@ Summary: Exif and Iptc metadata manipulation library
 Name: exiv2
 Version: 0.27.4
 %global internal_ver %{version}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -16,6 +16,8 @@ Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
 %endif
 ## upstream patches
+Patch1: exiv2-CVE-2021-37618.patch
+Patch2: exiv2-CVE-2021-37619.patch
 ## security fixes
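Review bot: The backported patch header still reads `2 files changed, 9 insertions(+), 8 deletions(-)` and lists `.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py`, but the body carries only the `src/jp2image.cpp` hunk; the diffstat is ignored when the patch is applied, yet it misstates what the distro patch actually contains. Either trim the test-file line and the totals from the diffstat or carry the test hunk as well, so the file is self-consistent for the next rebase. The `while` loop and the function around it start and end outside the hunk, so the effect of the changed condition on the code after the loop cannot be checked here.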
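Review bot: `Patch1` and `Patch2` are placed under the `## upstream patches` heading while a `## security fixes` heading follows immediately; both are CVE backports, so moving them under `## security fixes`, or adding a comment with the CVE id beside each tag, keeps the spec's own grouping meaningful. Whether the patches are actually applied is not visible in this hunk: if `%prep` uses `%setup` rather than `%autosetup`, matching `%patch1 -p1` and `%patch2 -p1` lines are still required, otherwise the build ships without the fixes despite the changelog entry. The `%prep` section lies outside the hunk, so this is a check rather than a confirmed omission.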
@@ -126,6 +128,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %changelog
+* Wed Aug 18 2021 Jan Grulich - 0.27.4-4
+- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
+ Resolves: bz#1993247
+
+- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
+ Resolves: bz#1993284
+
 * Mon Aug 09 2021 Mohan Boddu - 0.27.4-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688