From e8a1ebe08b493494ccd78b75f9193ef533a9b36d Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: Wed, 4 Aug 2021 14:59:04 +0200
Subject: [PATCH] 0.27.4 Resolves: bz#1989848
---
exiv2-0.27.3-fcf-protection.patch | 12 ---
exiv2-CVE-2021-29457.patch | 26 -------
exiv2-CVE-2021-29458.patch | 49 ------------
exiv2-CVE-2021-29470.patch | 21 -----
exiv2-CVE-2021-29473.patch | 21 -----
exiv2-CVE-2021-29623.patch | 26 -------
exiv2-CVE-2021-32617.patch | 125 ------------------------------
exiv2-CVE-2021-3482.patch | 55 -------------
exiv2.spec | 27 ++-----
9 files changed, 6 insertions(+), 356 deletions(-)
delete mode 100644 exiv2-0.27.3-fcf-protection.patch
delete mode 100644 exiv2-CVE-2021-29457.patch
delete mode 100644 exiv2-CVE-2021-29458.patch
delete mode 100644 exiv2-CVE-2021-29470.patch
delete mode 100644 exiv2-CVE-2021-29473.patch
delete mode 100644 exiv2-CVE-2021-29623.patch
delete mode 100644 exiv2-CVE-2021-32617.patch
delete mode 100644 exiv2-CVE-2021-3482.patch
diff --git a/exiv2-0.27.3-fcf-protection.patch b/exiv2-0.27.3-fcf-protection.patch
deleted file mode 100644
index 94a2c84..0000000
--- a/exiv2-0.27.3-fcf-protection.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection exiv2-0.27.3-Source/cmake/compilerFlags.cmake
---- exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection 2020-06-30 08:33:22.000000000 -0500
-+++ exiv2-0.27.3-Source/cmake/compilerFlags.cmake 2020-06-30 18:03:38.197967648 -0500
-@@ -26,7 +26,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Li
- # This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
- if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
- if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
-- add_compile_options(-fstack-clash-protection -fcf-protection)
-+ add_compile_options(-fstack-clash-protection)
- endif()
-
- if( (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8
diff --git a/exiv2-CVE-2021-29457.patch b/exiv2-CVE-2021-29457.patch
deleted file mode 100644
index 1d5b0b0..0000000
--- a/exiv2-CVE-2021-29457.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
-From: Pydera
-Date: Thu, 8 Apr 2021 17:36:16 +0200
-Subject: [PATCH] Fix out of buffer access in #1529
-
----
- src/jp2image.cpp | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 88ab9b2d6..12025f966 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
- #endif
- box.length = (uint32_t) (io_->size() - io_->tell() + 8);
- }
-- if (box.length == 1)
-+ if (box.length < 8)
- {
-- // FIXME. Special case. the real box size is given in another place.
-+ // box is broken, so there is nothing we can do here
-+ throw Error(kerCorruptedMetadata);
- }
-
- // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/exiv2-CVE-2021-29458.patch b/exiv2-CVE-2021-29458.patch
deleted file mode 100644
index 64206b8..0000000
--- a/exiv2-CVE-2021-29458.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0a91b56616404f7b29ca28deb01ce18b767d1871 Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Fri, 9 Apr 2021 13:26:23 +0100
-Subject: [PATCH 1/5] Fix incorrect delete.
-
----
- src/crwimage_int.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
-index a44a67e2c..6f89fa8b8 100644
---- a/src/crwimage_int.cpp
-+++ b/src/crwimage_int.cpp
-@@ -579,7 +579,7 @@ namespace Exiv2 {
- void CiffComponent::setValue(DataBuf buf)
- {
- if (isAllocated_) {
-- delete pData_;
-+ delete[] pData_;
- pData_ = 0;
- size_ = 0;
- }
-
-From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Fri, 9 Apr 2021 13:37:48 +0100
-Subject: [PATCH 3/5] Fix integer overflow.
-
----
- src/crwimage_int.cpp | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
-index 6f89fa8b8..7b958c26f 100644
---- a/src/crwimage_int.cpp
-+++ b/src/crwimage_int.cpp
-@@ -1187,7 +1187,11 @@ namespace Exiv2 {
- pCrwMapping->crwDir_);
- if (edX != edEnd || edY != edEnd || edO != edEnd) {
- uint32_t size = 28;
-- if (cc && cc->size() > size) size = cc->size();
-+ if (cc) {
-+ if (cc->size() < size)
-+ throw Error(kerCorruptedMetadata);
-+ size = cc->size();
-+ }
- DataBuf buf(size);
- std::memset(buf.pData_, 0x0, buf.size_);
- if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
diff --git a/exiv2-CVE-2021-29470.patch b/exiv2-CVE-2021-29470.patch
deleted file mode 100644
index 6d9b165..0000000
--- a/exiv2-CVE-2021-29470.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 0de088d..6310c08 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
- DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
-+ enforce(sizeof(Jp2BoxHeader) <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
- Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
- int32_t length = getLong((byte*)&pBox->length, bigEndian);
-+ enforce(length <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
- int32_t count = sizeof (Jp2BoxHeader);
- char* p = (char*) boxBuf.pData_;
- bool bWroteColor = false ;
-
- while ( count < length || !bWroteColor ) {
-+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
- Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
-
- // copy data. pointer could be into a memory mapped file which we will decode!
diff --git a/exiv2-CVE-2021-29473.patch b/exiv2-CVE-2021-29473.patch
deleted file mode 100644
index 685dec0..0000000
--- a/exiv2-CVE-2021-29473.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Fri, 23 Apr 2021 11:44:44 +0100
-Subject: [PATCH 2/2] Add bounds check in Jp2Image::doWriteMetadata().
-
----
- src/jp2image.cpp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 1694fed27..ca8c9ddbb 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
-
- case kJp2BoxTypeUuid:
- {
-+ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
- if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
- {
- #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/exiv2-CVE-2021-29623.patch b/exiv2-CVE-2021-29623.patch
deleted file mode 100644
index 120d5f7..0000000
--- a/exiv2-CVE-2021-29623.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 82e46b5524fb904e6660dadd2c6d8e5e47375a1a Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Tue, 11 May 2021 12:14:33 +0100
-Subject: [PATCH] Use readOrThrow to check error conditions of iIo.read().
-
----
- src/webpimage.cpp | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/webpimage.cpp b/src/webpimage.cpp
-index 7c64ff3d7..ca26e514a 100644
---- a/src/webpimage.cpp
-+++ b/src/webpimage.cpp
-@@ -754,9 +754,9 @@ namespace Exiv2 {
- byte webp[len];
- byte data[len];
- byte riff[len];
-- iIo.read(riff, len);
-- iIo.read(data, len);
-- iIo.read(webp, len);
-+ readOrThrow(iIo, riff, len, Exiv2::kerCorruptedMetadata);
-+ readOrThrow(iIo, data, len, Exiv2::kerCorruptedMetadata);
-+ readOrThrow(iIo, webp, len, Exiv2::kerCorruptedMetadata);
- bool matched_riff = (memcmp(riff, RiffImageId, len) == 0);
- bool matched_webp = (memcmp(webp, WebPImageId, len) == 0);
- iIo.seek(-12, BasicIo::cur);
diff --git a/exiv2-CVE-2021-32617.patch b/exiv2-CVE-2021-32617.patch
deleted file mode 100644
index 8ec91b7..0000000
--- a/exiv2-CVE-2021-32617.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From c261fbaa2567687eec6a595d3016212fd6ae648d Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Sun, 16 May 2021 15:05:08 +0100
-Subject: [PATCH] Fix quadratic complexity performance bug.
-
----
- xmpsdk/src/XMPMeta-Parse.cpp | 57 +++++++++++++++++++++++-------------
- 1 file changed, 36 insertions(+), 21 deletions(-)
-
-diff --git a/xmpsdk/src/XMPMeta-Parse.cpp b/xmpsdk/src/XMPMeta-Parse.cpp
-index 9f66fe8..f9c37d7 100644
---- a/xmpsdk/src/XMPMeta-Parse.cpp
-+++ b/xmpsdk/src/XMPMeta-Parse.cpp
-@@ -976,12 +976,26 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
- {
- const XMP_Uns8 * bufEnd = buffer + length;
-
-- const XMP_Uns8 * spanStart = buffer;
- const XMP_Uns8 * spanEnd;
--
- for ( spanEnd = spanStart; spanEnd < bufEnd; ++spanEnd ) {
-
- if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) continue; // A regular ASCII character.
-+ // `buffer` is copied into this std::string. If `buffer` only
-+ // contains valid UTF-8 and no escape characters, then the copy
-+ // will be identical to the original, but invalid characters are
-+ // replaced - usually with a space character. This std::string was
-+ // added as a performance fix for:
-+ // https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
-+ // Previously, the code was repeatedly calling
-+ // `xmlParser->ParseBuffer()`, which turned out to have quadratic
-+ // complexity, because expat kept reparsing the entire string from
-+ // the beginning.
-+ std::string copy;
-+
-+ for ( spanEnd = buffer; spanEnd < bufEnd; ++spanEnd ) {
-+
-+ if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) {
-+ copy.push_back(*spanEnd);
-+ continue; // A regular ASCII character.
-+ }
-
- if ( *spanEnd >= 0x80 ) {
-
-@@ -992,21 +1006,20 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
- if ( uniLen > 0 ) {
-
- // A valid UTF-8 character, keep it as-is.
-+ copy.append((const char*)spanEnd, uniLen);
- spanEnd += uniLen - 1; // ! The loop increment will put back the +1.
-
- } else if ( (uniLen < 0) && (! last) ) {
-
- // Have a partial UTF-8 character at the end of the buffer and more input coming.
-- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
-+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
- return (spanEnd - buffer);
-
- } else {
-
- // Not a valid UTF-8 sequence. Replace the first byte with the Latin-1 equivalent.
-- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
- const char * replacement = kReplaceLatin1 [ *spanEnd - 0x80 ];
-- xmlParser->ParseBuffer ( replacement, strlen ( replacement ), false );
-- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
-+ copy.append ( replacement );
-
- }
-
-@@ -1014,11 +1027,12 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
-
- // Replace ASCII controls other than tab, LF, and CR with a space.
-
-- if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) continue;
-+ if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) {
-+ copy.push_back(*spanEnd);
-+ continue;
-+ }
-
-- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
-- xmlParser->ParseBuffer ( " ", 1, false );
-- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
-+ copy.push_back(' ');
-
- } else {
-
-@@ -1030,18 +1044,21 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
- if ( escLen < 0 ) {
-
- // Have a partial numeric escape in this buffer, wait for more input.
-- if ( last ) continue; // No more buffers, not an escape, absorb as normal input.
-- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
-+ if ( last ) {
-+ copy.push_back('&');
-+ continue; // No more buffers, not an escape, absorb as normal input.
-+ }
-+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
- return (spanEnd - buffer);
-
- } else if ( escLen > 0 ) {
-
- // Have a complete numeric escape to replace.
-- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
-- xmlParser->ParseBuffer ( " ", 1, false );
-- spanStart = spanEnd + escLen;
-- spanEnd = spanStart - 1; // ! The loop continuation will increment spanEnd!
-+ copy.push_back(' ');
-+ spanEnd = spanEnd + escLen - 1; // ! The loop continuation will increment spanEnd!
-
-+ } else {
-+ copy.push_back('&');
- }
-
- }
-@@ -1050,8 +1067,8 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
-
- XMP_Assert ( spanEnd == bufEnd );
-
-- if ( spanStart < bufEnd ) xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
-- if ( last ) xmlParser->ParseBuffer ( " ", 1, true );
-+ copy.push_back(' ');
-+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), true );
-
- return length;
-
diff --git a/exiv2-CVE-2021-3482.patch b/exiv2-CVE-2021-3482.patch
deleted file mode 100644
index 21edeee..0000000
--- a/exiv2-CVE-2021-3482.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
-From: Robin Mills
-Date: Mon, 5 Apr 2021 20:33:25 +0100
-Subject: [PATCH] fix_1522_jp2image_exif_asan
-
----
- src/jp2image.cpp | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index eb31cea4a..88ab9b2d6 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -28,6 +28,7 @@
- #include "image.hpp"
- #include "image_int.hpp"
- #include "basicio.hpp"
-+#include "enforce.hpp"
- #include "error.hpp"
- #include "futils.hpp"
- #include "types.hpp"
-@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
- if (io_->error()) throw Error(kerFailedToReadImageData);
- if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
-
-- if (rawData.size_ > 0)
-+ if (rawData.size_ > 8) // "II*\0long"
- {
- // Find the position of Exif header in bytes array.
- long pos = ( (rawData.pData_[0] == rawData.pData_[1])
-@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
- position = io_->tell();
- box.length = getLong((byte*)&box.length, bigEndian);
- box.type = getLong((byte*)&box.type, bigEndian);
-+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
-
- if (bPrint) {
- out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
-@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
- throw Error(kerInputDataReadFailed);
-
- if (bPrint) {
-- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
-+ out << Internal::binaryToString(
-+ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
- out.flush();
- }
- lf(out, bLF);
-
-- if (bIsExif && bRecursive && rawData.size_ > 0) {
-+ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
- if ((rawData.pData_[0] == rawData.pData_[1]) &&
- (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
- BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
-
diff --git a/exiv2.spec b/exiv2.spec
index f01dca6..4f563fa 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -3,9 +3,9 @@
Summary: Exif and Iptc metadata manipulation library
Name: exiv2
-Version: 0.27.3
+Version: 0.27.4
%global internal_ver %{version}
-Release: 9%{?dist}
+Release: 1%{?dist}
License: GPLv2+
URL: http://www.exiv2.org/
@@ -18,26 +18,14 @@ Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
## upstream patches
## security fixes
-Patch50: exiv2-CVE-2021-3482.patch
-Patch51: exiv2-CVE-2021-29457.patch
-Patch52: exiv2-CVE-2021-29458.patch
-Patch53: exiv2-CVE-2021-29470.patch
-Patch54: exiv2-CVE-2021-29473.patch
-Patch55: exiv2-CVE-2021-29623.patch
-Patch56: exiv2-CVE-2021-32617.patch
## upstreamable patches
-# don't unconditionally use -fcf-protection flag, not supported on all archs
-# fedora already includes this on archs that do support it
-Patch100: exiv2-0.27.3-fcf-protection.patch
BuildRequires: cmake
BuildRequires: expat-devel
BuildRequires: gcc-c++
BuildRequires: gettext
BuildRequires: pkgconfig
-BuildRequires: pkgconfig(libcurl)
-BuildRequires: pkgconfig(libssh)
BuildRequires: zlib-devel
# docs
BuildRequires: doxygen graphviz libxslt
@@ -59,9 +47,6 @@ A command line utility to access image metadata, allowing one to:
%package devel
Summary: Header files, libraries and development documentation for %{name}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-# FIXME/TODO: probably overlinking --rex
-# exiv2/exiv2Config.cmake: INTERFACE_LINK_LIBRARIES "/usr/lib64/libexpat.so"
-Requires: expat-devel%{?_isa}
%description devel
%{summary}.
@@ -105,10 +90,6 @@ BuildArch: noarch
%find_lang exiv2 --with-man
-## unpackaged files
-rm -fv %{buildroot}%{_libdir}/libexiv2.la
-#rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm
-
%check
export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}"
@@ -144,6 +125,10 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%changelog
+* Wed Aug 04 2021 Jan Grulich - 0.27.4-1
+- 0.27.4
+ Resolves: bz#1989848
+
* Tue Jun 01 2021 Jan Grulich - 0.27.3-9
- Bump version for rebuild (binutils)
Resolves: bz#1964183
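Review bot: The new changelog entry in this hunk records only `- 0.27.4` and `Resolves: bz#1989848`, while the same commit removes seven CVE backports (`Patch50`–`Patch56`), the `Patch100` -fcf-protection patch and the `pkgconfig(libcurl)` / `pkgconfig(libssh)` BuildRequires in the `@@ -18,26 +18,14 @@` hunk, and none of that is stated. Someone auditing the package later cannot tell from the changelog whether CVE-2021-3482, 29457, 29458, 29470, 29473, 29623 and 32617 are now carried by the upstream 0.27.4 tarball or were silently dropped, nor why the libcurl/libssh dependencies went away (if the upstream build auto-detects those libraries, removing the BuildRequires also changes the built feature set — worth confirming before this lands). Suggest extending the entry with a line such as `- drop CVE-2021-3482/29457/29458/29470/29473/29623/32617 backports (presumably included in upstream 0.27.4)` and a line giving the reason the libcurl/libssh BuildRequires were removed.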