CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler (#1178909)

2015-01-05 11:27:20 -06:00 · 2015-01-05 11:27:20 -06:00 · b349f4ddba
commit b349f4ddba
parent 0e1afd954a
2 changed files with 38 additions and 1 deletions
--- a/exiv2-0.24-CVE-2014-9449.patch
+++ b/exiv2-0.24-CVE-2014-9449.patch
@ -0,0 +1,27 @@
+diff -up exiv2-0.24/src/riffvideo.cpp.CVE-2014-9449 exiv2-0.24/src/riffvideo.cpp
+--- exiv2-0.24/src/riffvideo.cpp.CVE-2014-9449	2013-12-01 06:13:42.000000000 -0600
+++ exiv2-0.24/src/riffvideo.cpp	2015-01-05 11:21:42.306728309 -0600
+@@ -856,7 +856,7 @@ namespace Exiv2 {
+ 
+     void RiffVideo::infoTagsHandler()
+     {
+-        const long bufMinSize = 100;
+        const long bufMinSize = 10000;
+         DataBuf buf(bufMinSize);
+         buf.pData_[4] = '\0';
+         io_->seek(-12, BasicIo::cur);
+@@ -879,10 +879,14 @@ namespace Exiv2 {
+             if(infoSize >= 0) {
+                 size -= infoSize;
+                 io_->read(buf.pData_, infoSize);
+                if(infoSize < 4)
+                    buf.pData_[infoSize] = '\0';
+             }
+ 
+             if(tv)
+                 xmpData_[exvGettext(tv->label_)] = buf.pData_;
+            else
+                continue;
+         }
+         io_->seek(cur_pos + size_external, BasicIo::beg);
+     } // RiffVideo::infoTagsHandler
--- a/exiv2.spec
+++ b/exiv2.spec
@ -6,13 +6,18 @@
 Summary: Exif and Iptc metadata manipulation library
 Name:	 exiv2
 Version: 0.24
-Release: 3%{?dist}
+Release: 4%{?dist}

 License: GPLv2+
 URL: 	 http://www.exiv2.org/
 Source0: http://www.exiv2.org/exiv2-%{version}%{?pre:-%{pre}}.tar.gz

 ## upstream patches
+# CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler
+# https://bugzilla.redhat.com/show_bug.cgi?id=1178908
+# http://dev.exiv2.org/issues/960
+# commit: http://dev.exiv2.org/projects/exiv2/repository/diff?rev=3264&rev_to=3263
+Patch100: exiv2-0.24-CVE-2014-9449.patch

 ## upstreamable patches
 Patch50: exiv2-0.24-cmake_LIB_SUFFIX.patch
@ -66,6 +71,8 @@ BuildArch: noarch
 %prep
 %setup -q -n %{name}-%{version}%{?pre:-%{pre}}

+%patch100 -p1 -b .CVE-2014-9449
+
 %patch50 -p1 -b .cmake_LIB_SUFFIX
 %patch51 -p1 -b .cmake_mandir
 %patch52 -p1 -b .doxygen_config
@ -141,6 +148,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so


 %changelog
+* Mon Jan 05 2015 Rex Dieter <rdieter@fedoraproject.org> 0.24-4
+- CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler (#1178909)
+
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.24-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild