import exiv2-0.27.4-5.el8

2021-10-05 12:51:37 -04:00 · 2021-10-05 12:51:37 -04:00 · af6885347e
commit af6885347e
parent f364596076
6 changed files with 241 additions and 29 deletions
--- a/.exiv2.metadata
+++ b/.exiv2.metadata
@ -1 +1,3 @@
-5f1b460b10171c3b12cd540d699e9b815f6f3058 SOURCES/exiv2-0.27.3.tar.gz
+ed620c568463179aca7847bee5fda40c11c08318 SOURCES/exiv2-0.27.4-Source.tar.gz
 8bfcbc41598e9377d5938fbc75d63db3e6bd9bc9 SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
 af7e1607f84dc143f09efaced2d6e05064238d4f SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,3 @@
-SOURCES/exiv2-0.27.3.tar.gz
+SOURCES/exiv2-0.27.4-Source.tar.gz
 SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
 SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
--- a/SOURCES/exiv2-0.27.3-fcf-protection.patch
+++ b/SOURCES/exiv2-0.27.3-fcf-protection.patch
@ -1,12 +0,0 @@
 diff -up exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection exiv2-0.27.3-Source/cmake/compilerFlags.cmake
 --- exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection	2020-06-30 08:33:22.000000000 -0500
 +++ exiv2-0.27.3-Source/cmake/compilerFlags.cmake	2020-06-30 18:03:38.197967648 -0500
@@ -26,7 +26,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Li
         # This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
         if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
             if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
 -                add_compile_options(-fstack-clash-protection -fcf-protection)
 +                add_compile_options(-fstack-clash-protection)
             endif()
             if( (COMPILER_IS_GCC   AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8
--- a/SOURCES/exiv2-CVE-2021-37618.patch
+++ b/SOURCES/exiv2-CVE-2021-37618.patch
@ -0,0 +1,67 @@
 From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kevinbackhouse@github.com>
 Date: Mon, 5 Jul 2021 10:39:08 +0100
 Subject: [PATCH 1/2] Regression test for
 https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
 ---
 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2   | Bin 0 -> 32768 bytes
 .../github/test_issue_ghsa_583f_w9pm_99r2.py  |  18 ++++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
 create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
 diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
 new file mode 100644
 index 000000000..808916aee
 --- /dev/null
 +++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
@@ -0,0 +1,18 @@
 +# -*- coding: utf-8 -*-
 +
 +from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
 +
 +class Jp2ImagePrintStructureICC(metaclass=CaseMeta):
 +    """
 +    Regression test for the bug described in:
 +    https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
 +    """
 +    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2"
 +
 +    filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2")
 +    commands = ["$exiv2 -p C $filename"]
 +    stdout = [""]
 +    stderr = ["""Exiv2 exception in print action for file $filename:
 +$kerCorruptedMetadata
 +"""]
 +    retval = [1]
 From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kevinbackhouse@github.com>
 Date: Mon, 5 Jul 2021 10:40:03 +0100
 Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
 ---
 src/jp2image.cpp | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/jp2image.cpp b/src/jp2image.cpp
 index 3bf356629..2d6dc2118 100644
 --- a/src/jp2image.cpp
 +++ b/src/jp2image.cpp
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
                             if (subBox.type == kJp2BoxTypeColorHeader) {
                                 long pad = 3;  // don't know why there are 3 padding bytes
 +                                enforce(data.size_ >= pad, kerCorruptedMetadata);
                                 if (bPrint) {
                                     out << " | pad:";
                                     for (int i = 0; i < 3; i++)
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
                                 if (bPrint) {
                                     out << " | iccLength:" << iccLength;
                                 }
 +                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
                                 if (bICC) {
                                     out.write((const char*)data.pData_ + pad, iccLength);
                                 }
--- a/SOURCES/exiv2-CVE-2021-37619.patch
+++ b/SOURCES/exiv2-CVE-2021-37619.patch
@ -0,0 +1,100 @@
 From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kevinbackhouse@github.com>
 Date: Wed, 30 Jun 2021 16:47:12 +0100
 Subject: [PATCH 1/2] Regression test for
 https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
 ---
 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2   | Bin 0 -> 1692 bytes
 .../github/test_issue_ghsa_mxw9_qx4c_6m8v.py  |  18 ++++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
 create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
 diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
 new file mode 100644
 index 0000000000..8f8b6676cf
 --- /dev/null
 +++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
@@ -0,0 +1,18 @@
 +# -*- coding: utf-8 -*-
 +
 +from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
 +@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
 +
 +class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
 +    """
 +    Regression test for the bug described in:
 +    https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
 +    """
 +    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
 +
 +    filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
 +    commands = ["$exiv2 rm $filename"]
 +    stdout = [""]
 +    retval = [0]
 +
 +    compare_stderr = check_no_ASAN_UBSAN_errors
 From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kevinbackhouse@github.com>
 Date: Wed, 30 Jun 2021 16:47:50 +0100
 Subject: [PATCH 2/2] Fix incorrect loop condition.
 ---
 src/jp2image.cpp                                      |  6 ++++--
 .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
 2 files changed, 9 insertions(+), 8 deletions(-)
 diff --git a/src/jp2image.cpp b/src/jp2image.cpp
 index b6a388542f..3bf3566294 100644
 --- a/src/jp2image.cpp
 +++ b/src/jp2image.cpp
@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 -        while ( count < length || !bWroteColor ) {
 +        while ( count < length && !bWroteColor ) {
             enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
             // copy data.  pointer could be into a memory mapped file which we will decode!
 -            Jp2BoxHeader   subBox = *pSubBox ;
 +            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
 +            Jp2BoxHeader   subBox;
 +            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
             Jp2BoxHeader   newBox =  subBox;
             if ( count < length ) {
 diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
 index c98b3815eb..44f6a906cb 100644
 --- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
 +++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 -from system_tests import CaseMeta, path
 -
 +from system_tests import CaseMeta, CopyTmpFiles, path
 +@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
 class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
     """
@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
     """
     url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
 -    filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
 -    filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
 +    filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
 +    filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
     commands = ["$exiv2 in $filename1"]
     stdout = [""]
     stderr = [
 """Error: XMP Toolkit error 201: XML parsing failure
 Warning: Failed to decode XMP metadata.
 -$filename1: Could not write metadata to file: $kerCorruptedMetadata
 """]
 -    retval = [1]
 +    retval = [0]
--- a/SPECS/exiv2.spec
+++ b/SPECS/exiv2.spec
@ -1,27 +1,31 @@
 Summary: Exif and Iptc metadata manipulation library
 Name:    exiv2
-Version: 0.27.3
+Version: 0.27.4
-Release: 2%{?dist}
+%global internal_ver %{version}
 Release: 5%{?dist}
 License: GPLv2+
 URL:     http://www.exiv2.org/
-Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz
+Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
 # POC files for upstream issues
 Source1: issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
 Source2: issue_ghsa_583f_w9pm_99r2_poc.jp2
 ## upstream patches (lookaside cache)
 Patch1: exiv2-CVE-2021-37618.patch
 Patch2: exiv2-CVE-2021-37619.patch
 # Security fixes
 ## upstreamable patches
 # don't unconditionally use -fcf-protection flag, not supported on all archs
 # fedora already includes this on archs that do support it
 Patch100: exiv2-0.27.3-fcf-protection.patch
 BuildRequires: cmake
 BuildRequires: expat-devel
 BuildRequires: gcc-c++
 BuildRequires: gettext
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(libcurl)
 BuildRequires: pkgconfig(libssh)
 BuildRequires: zlib-devel
 # docs
 BuildRequires: doxygen graphviz libxslt
@ -67,8 +71,10 @@ BuildArch: noarch
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -n %{name}-%{version}-Source -p1
 cp %{SOURCE1} test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
 cp %{SOURCE2} test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
 %build
 %{cmake} . \
@ -85,13 +91,10 @@ make install/fast DESTDIR=%{buildroot}
 %find_lang exiv2 --with-man
 ## unpackaged files
 rm -fv %{buildroot}%{_libdir}/libexiv2.la
 #rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm
 %check
 export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}"
-test "$(pkg-config --modversion exiv2)" = "0.27.3"
+test "$(pkg-config --modversion exiv2)" = "%{internal_ver}"
 test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}"
 test -x %{buildroot}%{_libdir}/libexiv2.so
@ -108,13 +111,14 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %files libs
 %{_libdir}/libexiv2.so.27*
-%{_libdir}/libexiv2.so.0.27.3
+%{_libdir}/libexiv2.so.%{internal_ver}
 %files devel
 %{_includedir}/exiv2/
 %{_libdir}/libexiv2.so
 %{_libdir}/pkgconfig/exiv2.pc
 %{_libdir}/cmake/exiv2/
 # todo: -static subpkg?  -- rex
 %{_libdir}/libexiv2-xmp.a
 %files doc
@ -123,6 +127,55 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %changelog
 * Tue Aug 24 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-5
 - Include missing tests for CVEs
  Resolves: bz#1993282
  Resolves: bz#1993245
 * Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-4
 - Fix test for CVE-2021-29470
  Resolves: bz#1993245
 * Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-3
 - Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
  Resolves: bz#1993282
 - Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
  Resolves: bz#1993245
 * Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-2
 - Do not duplicate changelog file
  Resolves: bz#1989860
 * Wed Aug 04 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-1
 - 0.27.4
  Resolves: bz#1989860
 * Tue May 25 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-6
 - CVE-2021-29623 exiv2: a read of uninitialized memory may lead to information leak
  Resolves: bz#1964182
 - CVE-2021-32617 exiv2: DoS due to quadratic complexity in ProcessUTF8Portion
  Resolves: bz#1964188
 * Thu Apr 29 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-5
 - CVE-2021-29473 exiv2: out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata
  Resolves: bz#1954065
 - CVE-2021-29470 exiv2: out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
  Resolves: bz#1955014
 * Wed Apr 28 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-4
 - CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode
  Resolves: bz#1953758
 - CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
  Resolves: bz#1953772
 * Wed Apr 14 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-3
 - CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata()
  Resolves: bz#1947160
 * Wed Oct 7 2020 Jan Grulich <jgrulich@redhat.com> - 0.27.3-2
 - Avoid duplicating Changelog file
  Resolves: bz#1880984