From 81d2c76e0d25e98f2d275466fc872c23a410c973 Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Fri, 12 Nov 2021 10:28:24 +0100 Subject: [PATCH] Exiv2 0.27.5 Resolves: bz#2018421 Fix stack exhaustion issue in the printIFDStructure function leading to DoS Resolves: bz#2003670 --- .gitignore | 1 + exiv2-CVE-2021-37618.patch | 67 ------------------------- exiv2-CVE-2021-37619.patch | 100 ------------------------------------- exiv2.spec | 20 ++++---- sources | 4 +- 5 files changed, 11 insertions(+), 181 deletions(-) delete mode 100644 exiv2-CVE-2021-37618.patch delete mode 100644 exiv2-CVE-2021-37619.patch diff --git a/.gitignore b/.gitignore index c064b31..f5e1b0a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ /exiv2-0.27.4-Source.tar.gz /issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 /issue_ghsa_583f_w9pm_99r2_poc.jp2 +/exiv2-0.27.5-Source.tar.gz diff --git a/exiv2-CVE-2021-37618.patch b/exiv2-CVE-2021-37618.patch deleted file mode 100644 index ac3f866..0000000 --- a/exiv2-CVE-2021-37618.patch +++ /dev/null @@ -1,67 +0,0 @@ -From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Mon, 5 Jul 2021 10:39:08 +0100 -Subject: [PATCH 1/2] Regression test for - https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 - ---- - test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 | Bin 0 -> 32768 bytes - .../github/test_issue_ghsa_583f_w9pm_99r2.py | 18 ++++++++++++++++++ - 2 files changed, 18 insertions(+) - create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 - create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py - -diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py -new file mode 100644 -index 000000000..808916aee ---- /dev/null -+++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py -@@ -0,0 +1,18 @@ -+# -*- coding: utf-8 -*- -+ -+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors -+ -+class Jp2ImagePrintStructureICC(metaclass=CaseMeta): -+ """ -+ Regression test for the bug described in: -+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 -+ """ -+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2" -+ -+ filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2") -+ commands = ["$exiv2 -p C $filename"] -+ stdout = [""] -+ stderr = ["""Exiv2 exception in print action for file $filename: -+$kerCorruptedMetadata -+"""] -+ retval = [1] - -From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Mon, 5 Jul 2021 10:40:03 +0100 -Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure - ---- - src/jp2image.cpp | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 3bf356629..2d6dc2118 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m) - - if (subBox.type == kJp2BoxTypeColorHeader) { - long pad = 3; // don't know why there are 3 padding bytes -+ enforce(data.size_ >= pad, kerCorruptedMetadata); - if (bPrint) { - out << " | pad:"; - for (int i = 0; i < 3; i++) -@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m) - if (bPrint) { - out << " | iccLength:" << iccLength; - } -+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata); - if (bICC) { - out.write((const char*)data.pData_ + pad, iccLength); - } diff --git a/exiv2-CVE-2021-37619.patch b/exiv2-CVE-2021-37619.patch deleted file mode 100644 index 0dca35b..0000000 --- a/exiv2-CVE-2021-37619.patch +++ /dev/null @@ -1,100 +0,0 @@ -From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Wed, 30 Jun 2021 16:47:12 +0100 -Subject: [PATCH 1/2] Regression test for - https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v - ---- - test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes - .../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++ - 2 files changed, 18 insertions(+) - create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 - create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py - -diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py -new file mode 100644 -index 0000000000..8f8b6676cf ---- /dev/null -+++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py -@@ -0,0 +1,18 @@ -+# -*- coding: utf-8 -*- -+ -+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors -+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2") -+ -+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta): -+ """ -+ Regression test for the bug described in: -+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v -+ """ -+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v" -+ -+ filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2") -+ commands = ["$exiv2 rm $filename"] -+ stdout = [""] -+ retval = [0] -+ -+ compare_stderr = check_no_ASAN_UBSAN_errors - -From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Wed, 30 Jun 2021 16:47:50 +0100 -Subject: [PATCH 2/2] Fix incorrect loop condition. - ---- - src/jp2image.cpp | 6 ++++-- - .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------ - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index b6a388542f..3bf3566294 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m) - char* p = (char*) boxBuf.pData_; - bool bWroteColor = false ; - -- while ( count < length || !bWroteColor ) { -+ while ( count < length && !bWroteColor ) { - enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); - Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; - - // copy data. pointer could be into a memory mapped file which we will decode! -- Jp2BoxHeader subBox = *pSubBox ; -+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy. -+ Jp2BoxHeader subBox; -+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader)); - Jp2BoxHeader newBox = subBox; - - if ( count < length ) { -diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -index c98b3815eb..44f6a906cb 100644 ---- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -+++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -@@ -1,7 +1,7 @@ - # -*- coding: utf-8 -*- - --from system_tests import CaseMeta, path -- -+from system_tests import CaseMeta, CopyTmpFiles, path -+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") - - class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): - """ -@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): - """ - url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj" - -- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") -- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") -+ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") -+ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") - commands = ["$exiv2 in $filename1"] - stdout = [""] - stderr = [ - """Error: XMP Toolkit error 201: XML parsing failure - Warning: Failed to decode XMP metadata. --$filename1: Could not write metadata to file: $kerCorruptedMetadata - """] -- retval = [1] -+ retval = [0] diff --git a/exiv2.spec b/exiv2.spec index f88602e..cc70b81 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -3,9 +3,9 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 -Version: 0.27.4 +Version: 0.27.5 %global internal_ver %{version} -Release: 7%{?dist} +Release: 1%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ @@ -15,13 +15,7 @@ Source0: https://github.com/Exiv2/%{name}/archive/v%{version}-%{beta}.tar.gz Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz %endif -# POC files for upstream issues -Source1: issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 -Source2: issue_ghsa_583f_w9pm_99r2_poc.jp2 - ## upstream patches -Patch1: exiv2-CVE-2021-37618.patch -Patch2: exiv2-CVE-2021-37619.patch ## security fixes @@ -78,9 +72,6 @@ BuildArch: noarch %prep %autosetup -n %{name}-%{version}-%{?beta}%{!?beta:Source} -p1 -cp %{SOURCE1} test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 -cp %{SOURCE2} test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 - %build %cmake \ -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \ @@ -133,6 +124,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Fri Nov 12 2021 Jan Grulich - 0.27.5-1 +- Exiv2 0.27.5 + Resolves: bz#2018421 + + Fix stack exhaustion issue in the printIFDStructure function leading to DoS + Resolves: bz#2003670 + * Tue Aug 24 2021 Jan Grulich - 0.27.4-7 - Properly install POC files Resolves: bz#1993247 diff --git a/sources b/sources index c23559e..12c4b37 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -SHA512 (exiv2-0.27.4-Source.tar.gz) = f6798baafb36a54ba5bc65c2d28d4f4469e298582c90b417eb437b5dbda8e11963fb3314e8419717b3815ee8c3a68955cddc79e45351d9f2c165a0b73eb7b7be -SHA512 (issue_ghsa_mxw9_qx4c_6m8v_poc.jp2) = c8de2d85dcaa1c8620fde1007d6a94d5e479d52609f1c4aaca53b32faf9ee92052ea283f69d0b231d37db750214f2d231e5088160dd2b1d27bb4b1b96e154b56 -SHA512 (issue_ghsa_583f_w9pm_99r2_poc.jp2) = 8d42240749514e2c8e9d66f9ba97acfd80e753fd4426da122b2fabe3209b7bf66b1a45c4449089aac2eaf8c93e6db077c51d416f78175dd487b705bf507b2443 +SHA512 (exiv2-0.27.5-Source.tar.gz) = 0f2d2dfbc976052a428dfeb597225d3ea3c725f584d05b99316bd4aa9cbf0ba5e1e37bcde71f9041975cf003b4fdb578c559adb144268d784bfd64494f451491