Fix CVE-2025-26623 exiv2: Use After Free

Resolves: RHEL-80106
2025-02-24 13:50:02 +01:00 · 2025-02-24 13:50:02 +01:00 · 7997befd2e
commit 7997befd2e
parent e3f5775cbb
6 changed files with 167 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,4 @@
 /exiv2-0.27.5-Source.tar.gz
 /exiv2-0.27.6-Source.tar.gz
 /exiv2-0.28.3.tar.gz
+/issue_ghsa_38h4_fx85_qcx7_poc.tiff
--- a/exiv2-CVE-2025-26623-test.patch
+++ b/exiv2-CVE-2025-26623-test.patch
@ -0,0 +1,68 @@
+From 630487ffc5feda28aa62dc91eaeae8b0b7507851 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 19 Feb 2025 16:21:06 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
+
+(cherry picked from commit 9f8e1a57b6c6853947360d1187bc24d72056c97a)
+---
+ test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff  | Bin 0 -> 603 bytes
+ .../github/test_issue_ghsa_38h4_fx85_qcx7.py  |  22 ++++++++++++++++++
+ .../test_regression_allfiles.py               |   1 +
+ tests/suite.conf                              |   1 +
+ 4 files changed, 24 insertions(+)
+ create mode 100644 test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+new file mode 100644
+index 0000000000..07082caf62
+--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
+@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class TiffSubIfd_use_after_free(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
+    """
+
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7"
+
+    filename = path("$data_path/issue_ghsa_38h4_fx85_qcx7_poc.tiff")
+    commands = ["$exiv2 -q fi $filename"]
+    stdout = [""]
+    stderr = [
+        """Exiv2 exception in fixiso action for file $filename:
+$kerImageWriteFailed
+"""
+    ]
+    retval = [1]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index eb7f7cef2d..53e8de44ae 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -120,6 +120,7 @@ def get_valid_files(data_dir):
+         "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
+         "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
+         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
+        "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
+diff --git a/tests/suite.conf b/tests/suite.conf
+index c2bf1741e8..249a97fa93 100644
+--- a/tests/suite.conf
+++ b/tests/suite.conf
+@@ -41,6 +41,7 @@ jpegparsetest: ${ENV:exiv2_path}/jpegparsetest
+ kerOffsetOutOfRange: Offset out of range
+ kerFailedToReadImageData: Failed to read image data
+ kerInputDataReadFailed: Failed to read input data
+kerImageWriteFailed: Failed to write image
+ kerCorruptedMetadata: corrupted image metadata
+ kerInvalidMalloc: invalid memory allocation request
+ kerInvalidTypeValue: invalid type in tiff structure
--- a/exiv2-CVE-2025-26623.patch
+++ b/exiv2-CVE-2025-26623.patch
@ -0,0 +1,79 @@
+From facce628f3622764e91a8161f89ade8cb34bc120 Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Mon, 17 Feb 2025 16:34:40 -0800
+Subject: [PATCH] Revert "fix copy constructors"
+
+This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
+
+This commit is wrong and ends up resulting in use after frees because of
+C pointers. The proper solution is shared_ptr instead of C pointers but
+that's a lot more involved than reverting this.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+(cherry picked from commit ebff8b48820b96c786cfddbf0bebb395cb1317d7)
+---
+ src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
+ src/tiffcomposite_int.hpp |  6 +++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index 95ce450c7d..3e6e93d5c5 100644
+--- a/src/tiffcomposite_int.cpp
+++ b/src/tiffcomposite_int.cpp
+@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
+     storage_(rhs.storage_) {
+ }
+ 
+TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
+}
+
+TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
+}
+
+TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
+    TiffEntryBase(rhs),
+    cfgSelFct_(rhs.cfgSelFct_),
+    arraySet_(rhs.arraySet_),
+    arrayCfg_(rhs.arrayCfg_),
+    arrayDef_(rhs.arrayDef_),
+    defSize_(rhs.defSize_),
+    setSize_(rhs.setSize_),
+    origData_(rhs.origData_),
+    origSize_(rhs.origSize_),
+    pRoot_(rhs.pRoot_) {
+}
+
+ TiffComponent::UniquePtr TiffComponent::clone() const {
+   return UniquePtr(doClone());
+ }
+diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
+index 4506a4dca0..307e0bd9e3 100644
+--- a/src/tiffcomposite_int.hpp
+++ b/src/tiffcomposite_int.hpp
+@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffDirectory(const TiffDirectory&) = default;
+  TiffDirectory(const TiffDirectory& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
+@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffSubIfd(const TiffSubIfd&) = default;
+  TiffSubIfd(const TiffSubIfd& rhs);
+   TiffSubIfd& operator=(const TiffSubIfd&) = delete;
+   //@}
+ 
+@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
+   //! @name Protected Creators
+   //@{
+   //! Copy constructor (used to implement clone()).
+-  TiffBinaryArray(const TiffBinaryArray&) = default;
+  TiffBinaryArray(const TiffBinaryArray& rhs);
+   //@}
+ 
+   //! @name Protected Manipulators
--- a/exiv2-no-rpath.patch
+++ b/exiv2-no-rpath.patch
@ -1,13 +0,0 @@
-diff --git a/cmake/mainSetup.cmake b/cmake/mainSetup.cmake
-index 1ea9deb..36253d1 100644
--- a/cmake/mainSetup.cmake
-+++ b/cmake/mainSetup.cmake
-@@ -26,8 +26,6 @@ if (UNIX)
-     if (APPLE)
-         set(CMAKE_MACOSX_RPATH ON)
-         set(CMAKE_INSTALL_RPATH "@loader_path")
-    else()
-        join_paths(CMAKE_INSTALL_RPATH "$ORIGIN" ".." "${CMAKE_INSTALL_LIBDIR}")
-     endif()
- endif()
- 
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:           exiv2
 Version:        0.28.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Exif and Iptc metadata manipulation library

 # GPL-2.0-or-later: main library
@ -15,12 +15,17 @@ License:        GPL-2.0-or-later AND BSD-3-Clause AND LicenseRef-Fedora-Public-D
 URL:            http://www.exiv2.org/
 VCS:            https://github.com/Exiv2/exiv2/
 %if 0%{?beta:1}
-Source:         %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz
+Source0:        %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz
 %else
-Source:         %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:        %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz
 %endif

-Patch0:         exiv2-no-rpath.patch
+# POC files for upstream issues
+Source1:        issue_ghsa_38h4_fx85_qcx7_poc.tiff
+
+# CVE fixes
+Patch50:        exiv2-CVE-2025-26623.patch
+Patch51:        exiv2-CVE-2025-26623-test.patch

 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@ -97,13 +102,16 @@ API documentation for %{name}.
 %prep
 %autosetup -n %{name}-%{version}%{?beta:-%{beta}} -p1

+cp %{SOURCE1} test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff

 %build
 %cmake \
  -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \
  -DEXIV2_BUILD_DOC:BOOL=ON \
  -DEXIV2_BUILD_SAMPLES:BOOL=OFF \
-  -DEXIV2_ENABLE_NLS:BOOL=ON
+  -DEXIV2_ENABLE_NLS:BOOL=ON \
+  -DCMAKE_SKIP_RPATH:BOOL=OFF
+
 %cmake_build
 %cmake_build --target doc

@ -119,6 +127,7 @@ test "$(pkg-config --modversion exiv2)" = "%{version}"
 test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}"
 test -x %{buildroot}%{_libdir}/libexiv2.so

+%ctest --parallel 1

 %files -f exiv2.lang
 %license COPYING doc/COPYING-XMPSDK
@ -145,6 +154,10 @@ test -x %{buildroot}%{_libdir}/libexiv2.so


 %changelog
+* Mon Feb 24 2025 Jan Grulich <jgrulich@redhat.com> - 0.28.3-4
+- Fix CVE-2025-26623 exiv2: Use After Free
+  Resolves: RHEL-80106
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.28.3-3
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (exiv2-0.28.3.tar.gz) = c8338a118feefa104d73932890c732247c884ab9ce1d170c43a22ab5884517a0e2a7fd1febde7705b8290fbbbc29e64738610404816e4db2b56a70fc444ca049
+SHA512 (issue_ghsa_38h4_fx85_qcx7_poc.tiff) = adaa541625873c88d58a5563e3d345f51252bc83ba487f004e54cd327b48fb2258e5d5cf27547f1da426d2b2a9a21d1f7d6378c877ac073477658fc4b300e5b9