rpms/exiv2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-26623 exiv2: Use After Free

Browse Source 
Resolves: RHEL-80106
This commit is contained in:
Jan Grulich 2025-02-24 13:50:02 +01:00
parent e3f5775cbb
commit 7997befd2e
6 changed files with 167 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -9,3 +9,4 @@
/exiv2-0.27.5-Source.tar.gz /exiv2-0.27.5-Source.tar.gz
/exiv2-0.27.6-Source.tar.gz /exiv2-0.27.6-Source.tar.gz
/exiv2-0.28.3.tar.gz /exiv2-0.28.3.tar.gz
/issue_ghsa_38h4_fx85_qcx7_poc.tiff

68
exiv2-CVE-2025-26623-test.patch Normal file
View File

@ -0,0 +1,68 @@
From 630487ffc5feda28aa62dc91eaeae8b0b7507851 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 19 Feb 2025 16:21:06 +0000
Subject: [PATCH] Regression test for
https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
(cherry picked from commit 9f8e1a57b6c6853947360d1187bc24d72056c97a)
---
test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff | Bin 0 -> 603 bytes
.../github/test_issue_ghsa_38h4_fx85_qcx7.py | 22 ++++++++++++++++++
.../test_regression_allfiles.py | 1 +
tests/suite.conf | 1 +
4 files changed, 24 insertions(+)
create mode 100644 test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff
create mode 100644 tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
diff --git a/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
new file mode 100644
index 0000000000..07082caf62
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_38h4_fx85_qcx7.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class TiffSubIfd_use_after_free(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7
+ """
+
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-38h4-fx85-qcx7"
+
+ filename = path("$data_path/issue_ghsa_38h4_fx85_qcx7_poc.tiff")
+ commands = ["$exiv2 -q fi $filename"]
+ stdout = [""]
+ stderr = [
+ """Exiv2 exception in fixiso action for file $filename:
+$kerImageWriteFailed
+"""
+ ]
+ retval = [1]
diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
index eb7f7cef2d..53e8de44ae 100644
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@@ -120,6 +120,7 @@ def get_valid_files(data_dir):
"issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
"issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
"issue_ghsa_g9xm_7538_mq8w_poc.mov",
+ "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
"pocIssue283.jpg",
"poc_1522.jp2",
"xmpsdk.xmp",
diff --git a/tests/suite.conf b/tests/suite.conf
index c2bf1741e8..249a97fa93 100644
--- a/tests/suite.conf
+++ b/tests/suite.conf
@@ -41,6 +41,7 @@ jpegparsetest: ${ENV:exiv2_path}/jpegparsetest
kerOffsetOutOfRange: Offset out of range
kerFailedToReadImageData: Failed to read image data
kerInputDataReadFailed: Failed to read input data
+kerImageWriteFailed: Failed to write image
kerCorruptedMetadata: corrupted image metadata
kerInvalidMalloc: invalid memory allocation request
kerInvalidTypeValue: invalid type in tiff structure

79
exiv2-CVE-2025-26623.patch Normal file
View File

@ -0,0 +1,79 @@
From facce628f3622764e91a8161f89ade8cb34bc120 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Mon, 17 Feb 2025 16:34:40 -0800
Subject: [PATCH] Revert "fix copy constructors"
This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5.
This commit is wrong and ends up resulting in use after frees because of
C pointers. The proper solution is shared_ptr instead of C pointers but
that's a lot more involved than reverting this.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit ebff8b48820b96c786cfddbf0bebb395cb1317d7)
---
src/tiffcomposite_int.cpp | 19 +++++++++++++++++++
src/tiffcomposite_int.hpp | 6 +++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
index 95ce450c7d..3e6e93d5c5 100644
--- a/src/tiffcomposite_int.cpp
+++ b/src/tiffcomposite_int.cpp
@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) :
storage_(rhs.storage_) {
}
+TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) {
+}
+
+TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) {
+}
+
+TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) :
+ TiffEntryBase(rhs),
+ cfgSelFct_(rhs.cfgSelFct_),
+ arraySet_(rhs.arraySet_),
+ arrayCfg_(rhs.arrayCfg_),
+ arrayDef_(rhs.arrayDef_),
+ defSize_(rhs.defSize_),
+ setSize_(rhs.setSize_),
+ origData_(rhs.origData_),
+ origSize_(rhs.origSize_),
+ pRoot_(rhs.pRoot_) {
+}
+
TiffComponent::UniquePtr TiffComponent::clone() const {
return UniquePtr(doClone());
}
diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp
index 4506a4dca0..307e0bd9e3 100644
--- a/src/tiffcomposite_int.hpp
+++ b/src/tiffcomposite_int.hpp
@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent {
//! @name Protected Creators
//@{
//! Copy constructor (used to implement clone()).
- TiffDirectory(const TiffDirectory&) = default;
+ TiffDirectory(const TiffDirectory& rhs);
//@}
//! @name Protected Manipulators
@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase {
//! @name Protected Creators
//@{
//! Copy constructor (used to implement clone()).
- TiffSubIfd(const TiffSubIfd&) = default;
+ TiffSubIfd(const TiffSubIfd& rhs);
TiffSubIfd& operator=(const TiffSubIfd&) = delete;
//@}
@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase {
//! @name Protected Creators
//@{
//! Copy constructor (used to implement clone()).
- TiffBinaryArray(const TiffBinaryArray&) = default;
+ TiffBinaryArray(const TiffBinaryArray& rhs);
//@}
//! @name Protected Manipulators

13
exiv2-no-rpath.patch
View File

@ -1,13 +0,0 @@
diff --git a/cmake/mainSetup.cmake b/cmake/mainSetup.cmake
index 1ea9deb..36253d1 100644
--- a/cmake/mainSetup.cmake
+++ b/cmake/mainSetup.cmake
@@ -26,8 +26,6 @@ if (UNIX)
if (APPLE)
set(CMAKE_MACOSX_RPATH ON)
set(CMAKE_INSTALL_RPATH "@loader_path")
- else()
- join_paths(CMAKE_INSTALL_RPATH "$ORIGIN" ".." "${CMAKE_INSTALL_LIBDIR}")
endif()
endif()

23
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.28.3 Version: 0.28.3
Release: 3%{?dist} Release: 4%{?dist}
Summary: Exif and Iptc metadata manipulation library Summary: Exif and Iptc metadata manipulation library
# GPL-2.0-or-later: main library # GPL-2.0-or-later: main library
@ -15,12 +15,17 @@ License: GPL-2.0-or-later AND BSD-3-Clause AND LicenseRef-Fedora-Public-D
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
VCS: https://github.com/Exiv2/exiv2/ VCS: https://github.com/Exiv2/exiv2/
%if 0%{?beta:1} %if 0%{?beta:1}
Source: %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz Source0: %{vcs}/archive/v%{version}-%{beta}/%{name}-%{version}-%{beta}.tar.gz
%else %else
Source: %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: %{vcs}/archive/v%{version}/%{name}-%{version}.tar.gz
%endif %endif
Patch0: exiv2-no-rpath.patch # POC files for upstream issues
Source1: issue_ghsa_38h4_fx85_qcx7_poc.tiff
# CVE fixes
Patch50: exiv2-CVE-2025-26623.patch
Patch51: exiv2-CVE-2025-26623-test.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -97,13 +102,16 @@ API documentation for %{name}.
%prep %prep
%autosetup -n %{name}-%{version}%{?beta:-%{beta}} -p1 %autosetup -n %{name}-%{version}%{?beta:-%{beta}} -p1
cp %{SOURCE1} test/data/issue_ghsa_38h4_fx85_qcx7_poc.tiff
%build %build
%cmake \ %cmake \
-DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \ -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \
-DEXIV2_BUILD_DOC:BOOL=ON \ -DEXIV2_BUILD_DOC:BOOL=ON \
-DEXIV2_BUILD_SAMPLES:BOOL=OFF \ -DEXIV2_BUILD_SAMPLES:BOOL=OFF \
-DEXIV2_ENABLE_NLS:BOOL=ON -DEXIV2_ENABLE_NLS:BOOL=ON \
-DCMAKE_SKIP_RPATH:BOOL=OFF
%cmake_build %cmake_build
%cmake_build --target doc %cmake_build --target doc
@ -119,6 +127,7 @@ test "$(pkg-config --modversion exiv2)" = "%{version}"
test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}" test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}"
test -x %{buildroot}%{_libdir}/libexiv2.so test -x %{buildroot}%{_libdir}/libexiv2.so
%ctest --parallel 1
%files -f exiv2.lang %files -f exiv2.lang
%license COPYING doc/COPYING-XMPSDK %license COPYING doc/COPYING-XMPSDK
@ -145,6 +154,10 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%changelog %changelog
* Mon Feb 24 2025 Jan Grulich <jgrulich@redhat.com> - 0.28.3-4
- Fix CVE-2025-26623 exiv2: Use After Free
Resolves: RHEL-80106
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.28.3-3 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.28.3-3
- Bump release for October 2024 mass rebuild: - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018 Resolves: RHEL-64018

1
sources
View File

@ -1 +1,2 @@
SHA512 (exiv2-0.28.3.tar.gz) = c8338a118feefa104d73932890c732247c884ab9ce1d170c43a22ab5884517a0e2a7fd1febde7705b8290fbbbc29e64738610404816e4db2b56a70fc444ca049 SHA512 (exiv2-0.28.3.tar.gz) = c8338a118feefa104d73932890c732247c884ab9ce1d170c43a22ab5884517a0e2a7fd1febde7705b8290fbbbc29e64738610404816e4db2b56a70fc444ca049
SHA512 (issue_ghsa_38h4_fx85_qcx7_poc.tiff) = adaa541625873c88d58a5563e3d345f51252bc83ba487f004e54cd327b48fb2258e5d5cf27547f1da426d2b2a9a21d1f7d6378c877ac073477658fc4b300e5b9