diff --git a/.gitignore b/.gitignore
index b166074..140054a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libexif-0_6_22-release.tar.gz
+libexif-0.6.24.tar.bz2
diff --git a/.libexif.metadata b/.libexif.metadata
deleted file mode 100644
index 45eb589..0000000
--- a/.libexif.metadata
+++ /dev/null
@@ -1 +0,0 @@
-9925660e70ee8b5ce480c6a6f30c84b382929142 SOURCES/libexif-0_6_22-release.tar.gz
diff --git a/SOURCES/CVE-2020-0181-CVE-2020-0198.patch b/SOURCES/CVE-2020-0181-CVE-2020-0198.patch
deleted file mode 100644
index e0358c2..0000000
--- a/SOURCES/CVE-2020-0181-CVE-2020-0198.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Mon, 8 Jun 2020 17:27:06 +0200 -Subject: [PATCH] fixed another unsigned integer overflow - -first fixed by google in android fork, -https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 - -(use a more generic overflow check method, also check second overflow instance.) - -https://security-tracker.debian.org/tracker/CVE-2020-0198 ---- - libexif/exif-data.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/libexif/exif-data.c b/libexif/exif-data.c -index 8b280d3..b495726 100644 ---- a/libexif/exif-data.c -+++ b/libexif/exif-data.c -@@ -47,6 +47,8 @@ - #undef JPEG_MARKER_APP1 - #define JPEG_MARKER_APP1 0xe1 - -+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) -+ - static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; - - struct _ExifDataPrivate -@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, - exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); - return; - } -- if (s > ds - o) { -+ if (CHECKOVERFLOW(o,ds,s)) { - exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o); - return; - } -@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, - } - - /* Read the number of entries */ -- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) { -+ if (CHECKOVERFLOW(offset, ds, 2)) { - exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", -- "Tag data past end of buffer (%u > %u)", offset+2, ds); -+ "Tag data past end of buffer (%u+2 > %u)", offset, ds); - return; - } - n = exif_get_short (d + offset, data->priv->order); -@@ -431,7 +433,7 @@ 
exif_data_load_data_content (ExifData *data, ExifIfd ifd, - offset += 2; - - /* Check if we have enough data. */ -- if (offset + 12 * n > ds) { -+ if (CHECKOVERFLOW(offset, ds, 12*n)) { - n = (ds - offset) / 12; - exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", - "Short data; only loading %hu entries...", n); diff --git a/SOURCES/CVE-2020-0452.patch b/SOURCES/CVE-2020-0452.patch deleted file mode 100644 index 4a499ff..0000000 --- a/SOURCES/CVE-2020-0452.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Thu, 5 Nov 2020 09:50:08 +0100 -Subject: [PATCH] fixed a incorrect overflow check that could be optimized - away. - -inspired by: -https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b - -https://source.android.com/security/bulletin/2020-11-01 - -CVE-2020-0452 ---- - NEWS | 3 ++- - libexif/exif-entry.c | 4 ++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c -index 3fc0ff9..4b866ce 100644 ---- a/libexif/exif-entry.c -+++ b/libexif/exif-entry.c -@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen) - { - unsigned char *utf16; - -- /* Sanity check the size to prevent overflow */ -- if (e->size+sizeof(uint16_t)+1 < e->size) break; -+ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */ -+ if (e->size >= 65536 - sizeof(uint16_t)*2) break; - - /* The tag may not be U+0000-terminated , so make a local - U+0000-terminated copy before converting it */ diff --git a/SOURCES/strip-gettext-nondeterminism b/SOURCES/strip-gettext-nondeterminism deleted file mode 100755 index a631757..0000000 --- a/SOURCES/strip-gettext-nondeterminism +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/usr/bin/perl -# -# This is a hacked version of gettext.pm from Debian's strip-nondeterminism project. -# It is a workaround for https://savannah.gnu.org/bugs/?49654 -# -# Copyright 2016 Reiner Herrmann -# Copyright 2016 Chris Lamb -# -# This file is part of strip-nondeterminism. -# -# strip-nondeterminism is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# strip-nondeterminism is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with strip-nondeterminism. If not, see . -# - -use Time::Piece; -use POSIX qw(strftime); - -use strict; -use warnings; - -=head1 DEPRECATION PLAN - -Situation unclear. Whilst #792687 is closed, many Gettext related files are -being normalised based on anecdotal viewings of build logs. 
- -=cut - -sub read_file($) { - my $filename = shift; - - local $/ = undef; - open(my $fh, '<', $filename) - or die "Can't open file $filename for reading: $!"; - binmode($fh); - my $buf = <$fh>; - close($fh); - - return $buf; -} - -sub normalize { - my ($mo_filename, %options) = @_; - - my $fmt; - - my $buf = read_file($mo_filename); - - my $magic = unpack("V", substr($buf, 0*4, 4)); - if ($magic == 0x950412DE) { - # little endian - $fmt = "V"; - } elsif ($magic == 0xDE120495) { - # big endian - $fmt = "N"; - } else { - # unknown format - return 0; - } - - my ($revision, $nstrings, $orig_to, $trans_to) - = unpack($fmt x 4, substr($buf, 1*4, 4*4)); - my $major = int($revision / 256); - my $minor = int($revision % 256); - return 0 if $major > 1; - - my $modified = 0; - for (my $i=0; $i < $nstrings; $i++) { - my $len = unpack($fmt, substr($buf, $orig_to + $i*8, 4)); - next if $len > 0; - - my $offset = unpack($fmt, substr($buf, $orig_to + $i*8 + 4, 4)); - my $trans_len = unpack($fmt, substr($buf, $trans_to + $i*8)); - my $trans_offset = unpack($fmt, substr($buf, $trans_to + $i*8 + 4)); - my $trans_msg = substr($buf, $trans_offset, $trans_len); - next unless $trans_msg =~ m/^POT-Creation-Date: (.*)/m; - - my $pot_date = $1; - my $time; - eval {$time = Time::Piece->strptime($pot_date, "%Y-%m-%d %H:%M%z");}; - next if $@; - - my $new_time = strftime("%Y-%m-%d %H:%M+0000", gmtime(0)); - $trans_msg - =~ s/\QPOT-Creation-Date: $pot_date\E/POT-Creation-Date: $new_time/; - print("Replaced POT-Creation-Date $pot_date with $new_time.\n"); - next if length($trans_msg) != $trans_len; - - $buf - = substr($buf, 0, $trans_offset) - . $trans_msg - . substr($buf, $trans_offset + $trans_len); - $modified = 1; - } - - if ($modified) { - open(my $fh, '>', $mo_filename) - or die "Can't open file $mo_filename for writing: $!"; - binmode($fh); - print $fh $buf; - close($fh); - } - - return $modified; -} - -print("Removing timestamp from " . $ARGV[0] . "...\n"); -normalize($ARGV[0]) 
diff --git a/SPECS/libexif.spec b/libexif.spec similarity index 70% rename from SPECS/libexif.spec rename to libexif.spec index 8347912..064747d 100644 --- a/SPECS/libexif.spec +++ b/libexif.spec @@ -1,31 +1,19 @@ Summary: Library for extracting extra information from image files Name: libexif -Version: 0.6.22 -Release: 5%{?dist} -Group: System Environment/Libraries -License: LGPLv2+ +Version: 0.6.24 +Release: 9%{?dist} +License: LGPL-2.1-or-later URL: https://libexif.github.io/ -%global tarball_version %(echo %{version} | sed -e 's|\\.|_|g') -Source0: https://github.com/libexif/libexif/archive/libexif-%{tarball_version}-release.tar.gz -Source1: strip-gettext-nondeterminism - -# https://bugzilla.redhat.com/show_bug.cgi?id=1847753 -# https://bugzilla.redhat.com/show_bug.cgi?id=1847761 -Patch0: CVE-2020-0181-CVE-2020-0198.patch - -# https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06 -Patch1: CVE-2020-0452.patch +Source0: https://github.com/libexif/libexif/releases/download/v%{version}/libexif-%{version}.tar.bz2 BuildRequires: autoconf BuildRequires: automake BuildRequires: doxygen BuildRequires: gettext-devel BuildRequires: libtool +BuildRequires: make BuildRequires: pkgconfig -# For strip-gettext-nondeterminism -BuildRequires: perl(Time::Piece) - %description Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library @@ -33,9 +21,7 @@ allows you to parse an EXIF file and read the data from those tags. %package devel Summary: Files needed for libexif application development -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: pkgconfig %description devel The libexif-devel package contains the libraries and header files 
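Review bot: Patch0 and Patch1 (the CVE-2020-0181/CVE-2020-0198 and CVE-2020-0452 backports) are dropped in the same hunk that moves Source0 to the 0.6.24 release tarball, but nothing in the spec records that the new tarball already carries those fixes. The upstream commits the deleted patches quote (ce03ad7e, dated 8 Jun 2020, and 9266d14b, dated 5 Nov 2020) predate the 0.6.23 release named in the new changelog, so they are presumably included, but that should be checked against the tarball's NEWS or source and stated next to Source0, e.g. `# CVE-2020-0181, CVE-2020-0198 and CVE-2020-0452 are fixed upstream in this release; no patches carried (verified against NEWS)`. Integrity of the new Source0 now rests only on the SHA512 in the new `sources` file; if upstream publishes a detached signature for the release tarball, adding it as a Source and running `%{gpgverify}` in %prep would tie that hash to upstream's key rather than to whoever uploaded the tarball to the lookaside cache.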
@@ -43,68 +29,112 @@ for writing programs that use libexif. %package doc Summary: The EXIF Library API documentation -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} %description doc API Documentation for programmers wishing to use libexif in their programs. + %prep -%autosetup -n libexif-libexif-%{tarball_version}-release -p1 - -%build +%autosetup -p1 autoreconf -fiv -%configure --disable-static -make %{?_smp_mflags} - -%install -make DESTDIR=%{buildroot} install -find %{buildroot} -name "*.la" -exec rm -v {} \; -rm -rf %{buildroot}%{_datadir}/doc/libexif -cp -R doc/doxygen-output/libexif-api.html . iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING iconv -f latin1 -t utf-8 < README > README.utf8; cp README.utf8 README -find %{buildroot} -type f -name '*.mo' -exec %{SOURCE1} {} \; + + +%build +%configure --disable-static +%make_build + + +%install +%make_install + +rm -rf %{buildroot}%{_datadir}/doc/libexif + %find_lang libexif-12 -%check -make check -%ldconfig_scriptlets +%check +%make_build check + %files -f libexif-12.lang -%doc COPYING README NEWS +%doc README NEWS +%license COPYING %{_libdir}/libexif.so.12* %files devel %{_includedir}/libexif -%{_libdir}/*.so +%{_libdir}/libexif.so %{_libdir}/pkgconfig/libexif.pc %files doc -%doc libexif-api.html +%doc doc/doxygen-output/libexif-api.html + %changelog -* Mon Dec 07 2020 Richard Hughes - 0.6.22-5 -- Fix CVE-2020-0452 -- Resolves: #1902593 +* Tue Oct 29 2024 Troy Dawson - 0.6.24-9 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu Jun 25 2020 Michael Catanzaro - 0.6.22-4 -- Add patch for CVE-2020-0181/CVE-2020-0198 -- Resolves: #1847753 -- Resolves: #1847761 +* Mon Jun 24 2024 Troy Dawson - 0.6.24-8 +- Bump release for June 2024 mass rebuild -* Thu Jun 04 2020 Michael Catanzaro - 0.6.22-3 -- Also remove timezone from the .mo files -- Related: #1841320 +* Thu Jan 25 2024 Fedora Release Engineering - 0.6.24-7 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Jun 03 2020 Michael Catanzaro - 0.6.22-2 -- Remove timestamps from the .mo files to avoid multilib conflicts -- Related: #1841320 +* Sun Jan 21 2024 Fedora Release Engineering - 0.6.24-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Mon Jun 01 2020 Michael Catanzaro - 0.6.22-1 -- Upgrade to 0.6.22 -- Resolves: #1841320 +* Thu Jul 20 2023 Fedora Release Engineering - 0.6.24-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 0.6.24-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 0.6.24-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.6.24-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Nov 30 2021 Yaakov Selkowitz - 0.6.24-1 +- 0.6.24 (#2026626) + +* Wed Sep 15 2021 Rex Dieter - 0.6.23-1 +- 0.6.23 (#2003457) + +* Thu Jul 22 2021 Fedora Release Engineering - 0.6.22-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.6.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 09 2020 Michael Catanzaro - 0.6.22-3 +- Fix CVE-2020-0181, CVE-2020-0198, and CVE-2020-0452 + +* Tue Jul 28 2020 Fedora Release Engineering - 0.6.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon May 18 2020 Rex Dieter - 0.6.22-1 +- 0.6.22 +- .spec cleanup + +* Wed Jan 29 2020 Fedora Release Engineering - 0.6.21-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jul 25 2019 Fedora Release Engineering - 0.6.21-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Feb 12 2019 Yaakov Selkowitz - 0.6.21-19 +- Fix for CVE-2018-20030 (#1663879) + +* Fri Feb 01 2019 Fedora Release 
Engineering - 0.6.21-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.6.21-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Wed Feb 07 2018 Fedora Release Engineering - 0.6.21-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/sources b/sources new file mode 100644 index 0000000..f223210 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libexif-0.6.24.tar.bz2) = 35c9e7af2c3d44a638dc6bbe8f96962d41c0f3fe4a257494f7a73baefab9aba507477175289ccf9002a66cc16ca53d5d1f44d6fef9e014b27f687ecdc58f5111
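Review bot: The rewritten %changelog in this hunk replaces the branch's own 0.6.22-1 through 0.6.22-5 entries, which carried the ticket references for the earlier CVE backports (#1841320, #1847753, #1847761, #1902593), with the Fedora branch's history, so the trail from this package's previous CVE fixes to their tickets is lost. If the intent is to resync with Fedora, consider keeping those entries below the imported ones or recording the resync in the top entry, e.g. `- Resync spec with Fedora; drop CVE-2020-0181/0198/0452 patches now carried upstream`. The %prep lines `iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING` are unchanged context, but after this hunk they rewrite the file that `%license COPYING` ships, which deserves a one-line comment such as `# upstream COPYING/README are latin1; convert so %license/%doc ship UTF-8`.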