rpms
/
exiv2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import exiv2-0.27.4-5.el8

This commit is contained in:
CentOS Sources 2021-11-09 04:47:16 -05:00 committed by Stepan Oksanichenko
parent 70d8f08d6b
commit d892fc0ee8
7 changed files with 240 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.exiv2.metadata
View File

@ -1 +1,3 @@
5f1b460b10171c3b12cd540d699e9b815f6f3058 SOURCES/exiv2-0.27.3.tar.gz
ed620c568463179aca7847bee5fda40c11c08318 SOURCES/exiv2-0.27.4-Source.tar.gz
8bfcbc41598e9377d5938fbc75d63db3e6bd9bc9 SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
af7e1607f84dc143f09efaced2d6e05064238d4f SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/exiv2-0.27.3.tar.gz
SOURCES/exiv2-0.27.4-Source.tar.gz
SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2

12
SOURCES/exiv2-0.27.3-fcf-protection.patch
View File

@ -1,12 +0,0 @@
diff -up exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection exiv2-0.27.3-Source/cmake/compilerFlags.cmake
--- exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection 2020-06-30 08:33:22.000000000 -0500
+++ exiv2-0.27.3-Source/cmake/compilerFlags.cmake 2020-06-30 18:03:38.197967648 -0500
@@ -26,7 +26,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Li
# This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
- add_compile_options(-fstack-clash-protection -fcf-protection)
+ add_compile_options(-fstack-clash-protection)
endif()
if( (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8

26
SOURCES/exiv2-CVE-2021-31291.patch
View File

@ -1,26 +0,0 @@
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529
---
src/jp2image.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 88ab9b2d61..12025f9664 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
#endif
box.length = (uint32_t) (io_->size() - io_->tell() + 8);
}
- if (box.length == 1)
+ if (box.length < 8)
{
- // FIXME. Special case. the real box size is given in another place.
+ // box is broken, so there is nothing we can do here
+ throw Error(kerCorruptedMetadata);
}
// Read whole box : Box header + Box data (not fixed size - can be null).

67
SOURCES/exiv2-CVE-2021-37618.patch Normal file
View File

@ -0,0 +1,67 @@
From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Jul 2021 10:39:08 +0100
Subject: [PATCH 1/2] Regression test for
https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
---
test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 | Bin 0 -> 32768 bytes
.../github/test_issue_ghsa_583f_w9pm_99r2.py | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
new file mode 100644
index 000000000..808916aee
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
+
+class Jp2ImagePrintStructureICC(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2"
+
+ filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2")
+ commands = ["$exiv2 -p C $filename"]
+ stdout = [""]
+ stderr = ["""Exiv2 exception in print action for file $filename:
+$kerCorruptedMetadata
+"""]
+ retval = [1]
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Jul 2021 10:40:03 +0100
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
---
src/jp2image.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 3bf356629..2d6dc2118 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
if (subBox.type == kJp2BoxTypeColorHeader) {
long pad = 3; // don't know why there are 3 padding bytes
+ enforce(data.size_ >= pad, kerCorruptedMetadata);
if (bPrint) {
out << " | pad:";
for (int i = 0; i < 3; i++)
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
if (bPrint) {
out << " | iccLength:" << iccLength;
}
+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
if (bICC) {
out.write((const char*)data.pData_ + pad, iccLength);
}

100
SOURCES/exiv2-CVE-2021-37619.patch Normal file
View File

@ -0,0 +1,100 @@
From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:12 +0100
Subject: [PATCH 1/2] Regression test for
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
---
test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes
.../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
new file mode 100644
index 0000000000..8f8b6676cf
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+
+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
+
+ filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+ commands = ["$exiv2 rm $filename"]
+ stdout = [""]
+ retval = [0]
+
+ compare_stderr = check_no_ASAN_UBSAN_errors
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.
---
src/jp2image.cpp | 6 ++++--
.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b6a388542f..3bf3566294 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
- while ( count < length || !bWroteColor ) {
+ while ( count < length && !bWroteColor ) {
enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
- Jp2BoxHeader subBox = *pSubBox ;
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
Jp2BoxHeader newBox = subBox;
if ( count < length ) {
diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
index c98b3815eb..44f6a906cb 100644
--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
-from system_tests import CaseMeta, path
-
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
commands = ["$exiv2 in $filename1"]
stdout = [""]
stderr = [
"""Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
-$filename1: Could not write metadata to file: $kerCorruptedMetadata
"""]
- retval = [1]
+ retval = [0]

85
SPECS/exiv2.spec
View File

@ -1,27 +1,31 @@
Summary: Exif and Iptc metadata manipulation library
Name: exiv2
Version: 0.27.3
Release: 3%{?dist}
Version: 0.27.4
%global internal_ver %{version}
Release: 5%{?dist}
License: GPLv2+
URL: http://www.exiv2.org/
Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz
Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
# POC files for upstream issues
Source1: issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
Source2: issue_ghsa_583f_w9pm_99r2_poc.jp2
## upstream patches (lookaside cache)
Patch1: exiv2-CVE-2021-37618.patch
Patch2: exiv2-CVE-2021-37619.patch
# Security fixes
## upstreamable patches
# don't unconditionally use -fcf-protection flag, not supported on all archs
# fedora already includes this on archs that do support it
Patch100: exiv2-0.27.3-fcf-protection.patch
Patch101: exiv2-CVE-2021-31291.patch
BuildRequires: cmake
BuildRequires: expat-devel
BuildRequires: gcc-c++
BuildRequires: gettext
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libssh)
BuildRequires: zlib-devel
# docs
BuildRequires: doxygen graphviz libxslt
@ -67,8 +71,10 @@ BuildArch: noarch
%prep
%autosetup -n %{name}-%{version} -p1
%autosetup -n %{name}-%{version}-Source -p1
cp %{SOURCE1} test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
cp %{SOURCE2} test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
%build
%{cmake} . \
@ -85,13 +91,10 @@ make install/fast DESTDIR=%{buildroot}
%find_lang exiv2 --with-man
## unpackaged files
rm -fv %{buildroot}%{_libdir}/libexiv2.la
#rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm
%check
export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}"
test "$(pkg-config --modversion exiv2)" = "0.27.3"
test "$(pkg-config --modversion exiv2)" = "%{internal_ver}"
test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}"
test -x %{buildroot}%{_libdir}/libexiv2.so
@ -108,13 +111,14 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%files libs
%{_libdir}/libexiv2.so.27*
%{_libdir}/libexiv2.so.0.27.3
%{_libdir}/libexiv2.so.%{internal_ver}
%files devel
%{_includedir}/exiv2/
%{_libdir}/libexiv2.so
%{_libdir}/pkgconfig/exiv2.pc
%{_libdir}/cmake/exiv2/
# todo: -static subpkg? -- rex
%{_libdir}/libexiv2-xmp.a
%files doc
@ -123,9 +127,54 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%changelog
* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-3
- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
Resolves: bz#1990355
* Tue Aug 24 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-5
- Include missing tests for CVEs
Resolves: bz#1993282
Resolves: bz#1993245
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-4
- Fix test for CVE-2021-29470
Resolves: bz#1993245
* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-3
- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
Resolves: bz#1993282
- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1993245
* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-2
- Do not duplicate changelog file
Resolves: bz#1989860
* Wed Aug 04 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-1
- 0.27.4
Resolves: bz#1989860
* Tue May 25 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-6
- CVE-2021-29623 exiv2: a read of uninitialized memory may lead to information leak
Resolves: bz#1964182
- CVE-2021-32617 exiv2: DoS due to quadratic complexity in ProcessUTF8Portion
Resolves: bz#1964188
* Thu Apr 29 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-5
- CVE-2021-29473 exiv2: out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata
Resolves: bz#1954065
- CVE-2021-29470 exiv2: out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
Resolves: bz#1955014
* Wed Apr 28 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-4
- CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode
Resolves: bz#1953758
- CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata
Resolves: bz#1953772
* Wed Apr 14 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-3
- CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata()
Resolves: bz#1947160
* Wed Oct 7 2020 Jan Grulich <jgrulich@redhat.com> - 0.27.3-2
- Avoid duplicating Changelog file