rpms/exiv2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

0.27.4

Browse Source 
Resolves: bz#1989848
This commit is contained in:
Jan Grulich 2021-08-04 14:59:04 +02:00
parent f52b94dbb0
commit e8a1ebe08b
9 changed files with 6 additions and 356 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
exiv2-0.27.3-fcf-protection.patch
View File

@ -1,12 +0,0 @@
diff -up exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection exiv2-0.27.3-Source/cmake/compilerFlags.cmake
--- exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection 2020-06-30 08:33:22.000000000 -0500
+++ exiv2-0.27.3-Source/cmake/compilerFlags.cmake 2020-06-30 18:03:38.197967648 -0500
@@ -26,7 +26,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Li
# This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
- add_compile_options(-fstack-clash-protection -fcf-protection)
+ add_compile_options(-fstack-clash-protection)
endif()
if( (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8

26
exiv2-CVE-2021-29457.patch
View File

@ -1,26 +0,0 @@
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529
---
src/jp2image.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 88ab9b2d6..12025f966 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
#endif
box.length = (uint32_t) (io_->size() - io_->tell() + 8);
}
- if (box.length == 1)
+ if (box.length < 8)
{
- // FIXME. Special case. the real box size is given in another place.
+ // box is broken, so there is nothing we can do here
+ throw Error(kerCorruptedMetadata);
}
// Read whole box : Box header + Box data (not fixed size - can be null).

49
exiv2-CVE-2021-29458.patch
View File

@ -1,49 +0,0 @@
From 0a91b56616404f7b29ca28deb01ce18b767d1871 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 9 Apr 2021 13:26:23 +0100
Subject: [PATCH 1/5] Fix incorrect delete.
---
src/crwimage_int.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index a44a67e2c..6f89fa8b8 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -579,7 +579,7 @@ namespace Exiv2 {
void CiffComponent::setValue(DataBuf buf)
{
if (isAllocated_) {
- delete pData_;
+ delete[] pData_;
pData_ = 0;
size_ = 0;
}
From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 9 Apr 2021 13:37:48 +0100
Subject: [PATCH 3/5] Fix integer overflow.
---
src/crwimage_int.cpp | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 6f89fa8b8..7b958c26f 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -1187,7 +1187,11 @@ namespace Exiv2 {
pCrwMapping->crwDir_);
if (edX != edEnd || edY != edEnd || edO != edEnd) {
uint32_t size = 28;
- if (cc && cc->size() > size) size = cc->size();
+ if (cc) {
+ if (cc->size() < size)
+ throw Error(kerCorruptedMetadata);
+ size = cc->size();
+ }
DataBuf buf(size);
std::memset(buf.pData_, 0x0, buf.size_);
if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);

21
exiv2-CVE-2021-29470.patch
View File

@ -1,21 +0,0 @@
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 0de088d..6310c08 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
int32_t length = getLong((byte*)&pBox->length, bigEndian);
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
int32_t count = sizeof (Jp2BoxHeader);
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
while ( count < length || !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!

21
exiv2-CVE-2021-29473.patch
View File

@ -1,21 +0,0 @@
From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 23 Apr 2021 11:44:44 +0100
Subject: [PATCH 2/2] Add bounds check in Jp2Image::doWriteMetadata().
---
src/jp2image.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 1694fed27..ca8c9ddbb 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
case kJp2BoxTypeUuid:
{
+ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
{
#ifdef EXIV2_DEBUG_MESSAGES

26
exiv2-CVE-2021-29623.patch
View File

@ -1,26 +0,0 @@
From 82e46b5524fb904e6660dadd2c6d8e5e47375a1a Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Tue, 11 May 2021 12:14:33 +0100
Subject: [PATCH] Use readOrThrow to check error conditions of iIo.read().
---
src/webpimage.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index 7c64ff3d7..ca26e514a 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -754,9 +754,9 @@ namespace Exiv2 {
byte webp[len];
byte data[len];
byte riff[len];
- iIo.read(riff, len);
- iIo.read(data, len);
- iIo.read(webp, len);
+ readOrThrow(iIo, riff, len, Exiv2::kerCorruptedMetadata);
+ readOrThrow(iIo, data, len, Exiv2::kerCorruptedMetadata);
+ readOrThrow(iIo, webp, len, Exiv2::kerCorruptedMetadata);
bool matched_riff = (memcmp(riff, RiffImageId, len) == 0);
bool matched_webp = (memcmp(webp, WebPImageId, len) == 0);
iIo.seek(-12, BasicIo::cur);

125
exiv2-CVE-2021-32617.patch
View File

@ -1,125 +0,0 @@
From c261fbaa2567687eec6a595d3016212fd6ae648d Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Sun, 16 May 2021 15:05:08 +0100
Subject: [PATCH] Fix quadratic complexity performance bug.
---
xmpsdk/src/XMPMeta-Parse.cpp | 57 +++++++++++++++++++++++-------------
1 file changed, 36 insertions(+), 21 deletions(-)
diff --git a/xmpsdk/src/XMPMeta-Parse.cpp b/xmpsdk/src/XMPMeta-Parse.cpp
index 9f66fe8..f9c37d7 100644
--- a/xmpsdk/src/XMPMeta-Parse.cpp
+++ b/xmpsdk/src/XMPMeta-Parse.cpp
@@ -976,12 +976,26 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
{
const XMP_Uns8 * bufEnd = buffer + length;
- const XMP_Uns8 * spanStart = buffer;
const XMP_Uns8 * spanEnd;
-
- for ( spanEnd = spanStart; spanEnd < bufEnd; ++spanEnd ) {
- if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) continue; // A regular ASCII character.
+ // `buffer` is copied into this std::string. If `buffer` only
+ // contains valid UTF-8 and no escape characters, then the copy
+ // will be identical to the original, but invalid characters are
+ // replaced - usually with a space character. This std::string was
+ // added as a performance fix for:
+ // https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj
+ // Previously, the code was repeatedly calling
+ // `xmlParser->ParseBuffer()`, which turned out to have quadratic
+ // complexity, because expat kept reparsing the entire string from
+ // the beginning.
+ std::string copy;
+
+ for ( spanEnd = buffer; spanEnd < bufEnd; ++spanEnd ) {
+
+ if ( (0x20 <= *spanEnd) && (*spanEnd <= 0x7E) && (*spanEnd != '&') ) {
+ copy.push_back(*spanEnd);
+ continue; // A regular ASCII character.
+ }
if ( *spanEnd >= 0x80 ) {
@@ -992,21 +1006,20 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
if ( uniLen > 0 ) {
// A valid UTF-8 character, keep it as-is.
+ copy.append((const char*)spanEnd, uniLen);
spanEnd += uniLen - 1; // ! The loop increment will put back the +1.
} else if ( (uniLen < 0) && (! last) ) {
// Have a partial UTF-8 character at the end of the buffer and more input coming.
- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
return (spanEnd - buffer);
} else {
// Not a valid UTF-8 sequence. Replace the first byte with the Latin-1 equivalent.
- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
const char * replacement = kReplaceLatin1 [ *spanEnd - 0x80 ];
- xmlParser->ParseBuffer ( replacement, strlen ( replacement ), false );
- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
+ copy.append ( replacement );
}
@@ -1014,11 +1027,12 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
// Replace ASCII controls other than tab, LF, and CR with a space.
- if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) continue;
+ if ( (*spanEnd == kTab) || (*spanEnd == kLF) || (*spanEnd == kCR) ) {
+ copy.push_back(*spanEnd);
+ continue;
+ }
- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
- xmlParser->ParseBuffer ( " ", 1, false );
- spanStart = spanEnd + 1; // ! The loop increment will do "spanEnd = spanStart".
+ copy.push_back(' ');
} else {
@@ -1030,18 +1044,21 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
if ( escLen < 0 ) {
// Have a partial numeric escape in this buffer, wait for more input.
- if ( last ) continue; // No more buffers, not an escape, absorb as normal input.
- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
+ if ( last ) {
+ copy.push_back('&');
+ continue; // No more buffers, not an escape, absorb as normal input.
+ }
+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), false );
return (spanEnd - buffer);
} else if ( escLen > 0 ) {
// Have a complete numeric escape to replace.
- xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
- xmlParser->ParseBuffer ( " ", 1, false );
- spanStart = spanEnd + escLen;
- spanEnd = spanStart - 1; // ! The loop continuation will increment spanEnd!
+ copy.push_back(' ');
+ spanEnd = spanEnd + escLen - 1; // ! The loop continuation will increment spanEnd!
+ } else {
+ copy.push_back('&');
}
}
@@ -1050,8 +1067,8 @@ ProcessUTF8Portion ( XMLParserAdapter * xmlParser,
XMP_Assert ( spanEnd == bufEnd );
- if ( spanStart < bufEnd ) xmlParser->ParseBuffer ( spanStart, (spanEnd - spanStart), false );
- if ( last ) xmlParser->ParseBuffer ( " ", 1, true );
+ copy.push_back(' ');
+ xmlParser->ParseBuffer ( copy.c_str(), copy.size(), true );
return length;

55
exiv2-CVE-2021-3482.patch
View File

@ -1,55 +0,0 @@
From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Mon, 5 Apr 2021 20:33:25 +0100
Subject: [PATCH] fix_1522_jp2image_exif_asan
---
src/jp2image.cpp | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index eb31cea4a..88ab9b2d6 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -28,6 +28,7 @@
#include "image.hpp"
#include "image_int.hpp"
#include "basicio.hpp"
+#include "enforce.hpp"
#include "error.hpp"
#include "futils.hpp"
#include "types.hpp"
@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
if (io_->error()) throw Error(kerFailedToReadImageData);
if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
- if (rawData.size_ > 0)
+ if (rawData.size_ > 8) // "II*\0long"
{
// Find the position of Exif header in bytes array.
long pos = ( (rawData.pData_[0] == rawData.pData_[1])
@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
position = io_->tell();
box.length = getLong((byte*)&box.length, bigEndian);
box.type = getLong((byte*)&box.type, bigEndian);
+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
if (bPrint) {
out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
throw Error(kerInputDataReadFailed);
if (bPrint) {
- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
+ out << Internal::binaryToString(
+ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
out.flush();
}
lf(out, bLF);
- if (bIsExif && bRecursive && rawData.size_ > 0) {
+ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
if ((rawData.pData_[0] == rawData.pData_[1]) &&
(rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));

27
exiv2.spec
View File

@ -3,9 +3,9 @@
Summary: Exif and Iptc metadata manipulation library
Name: exiv2
Version: 0.27.3
Version: 0.27.4
%global internal_ver %{version}
Release: 9%{?dist}
Release: 1%{?dist}
License: GPLv2+
URL: http://www.exiv2.org/
@ -18,26 +18,14 @@ Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz
## upstream patches
## security fixes
Patch50: exiv2-CVE-2021-3482.patch
Patch51: exiv2-CVE-2021-29457.patch
Patch52: exiv2-CVE-2021-29458.patch
Patch53: exiv2-CVE-2021-29470.patch
Patch54: exiv2-CVE-2021-29473.patch
Patch55: exiv2-CVE-2021-29623.patch
Patch56: exiv2-CVE-2021-32617.patch
## upstreamable patches
# don't unconditionally use -fcf-protection flag, not supported on all archs
# fedora already includes this on archs that do support it
Patch100: exiv2-0.27.3-fcf-protection.patch
BuildRequires: cmake
BuildRequires: expat-devel
BuildRequires: gcc-c++
BuildRequires: gettext
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libssh)
BuildRequires: zlib-devel
# docs
BuildRequires: doxygen graphviz libxslt
@ -59,9 +47,6 @@ A command line utility to access image metadata, allowing one to:
%package devel
Summary: Header files, libraries and development documentation for %{name}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# FIXME/TODO: probably overlinking --rex
# exiv2/exiv2Config.cmake: INTERFACE_LINK_LIBRARIES "/usr/lib64/libexpat.so"
Requires: expat-devel%{?_isa}
%description devel
%{summary}.
@ -105,10 +90,6 @@ BuildArch: noarch
%find_lang exiv2 --with-man
## unpackaged files
rm -fv %{buildroot}%{_libdir}/libexiv2.la
#rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm
%check
export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}"
@ -144,6 +125,10 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%changelog
* Wed Aug 04 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.4-1
- 0.27.4
Resolves: bz#1989848
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 0.27.3-9
- Bump version for rebuild (binutils)
Resolves: bz#1964183