Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/libexif.git#3a936dfbb3d20ecb81e2ebcfe6328ff6c18af27d
parent
c2575a806c
commit
38bbe202fe
|
@ -0,0 +1,58 @@
|
|||
From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Meissner <marcus@jet.franken.de>
|
||||
Date: Mon, 8 Jun 2020 17:27:06 +0200
|
||||
Subject: [PATCH] fixed another unsigned integer overflow
|
||||
|
||||
first fixed by google in android fork,
|
||||
https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
|
||||
|
||||
(use a more generic overflow check method, also check second overflow instance.)
|
||||
|
||||
https://security-tracker.debian.org/tracker/CVE-2020-0198
|
||||
---
|
||||
libexif/exif-data.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
|
||||
index 8b280d3..b495726 100644
|
||||
--- a/libexif/exif-data.c
|
||||
+++ b/libexif/exif-data.c
|
||||
@@ -47,6 +47,8 @@
|
||||
#undef JPEG_MARKER_APP1
|
||||
#define JPEG_MARKER_APP1 0xe1
|
||||
|
||||
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
|
||||
+
|
||||
static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
|
||||
|
||||
struct _ExifDataPrivate
|
||||
@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
|
||||
return;
|
||||
}
|
||||
- if (s > ds - o) {
|
||||
+ if (CHECKOVERFLOW(o,ds,s)) {
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
|
||||
return;
|
||||
}
|
||||
@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
|
||||
}
|
||||
|
||||
/* Read the number of entries */
|
||||
- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
|
||||
+ if (CHECKOVERFLOW(offset, ds, 2)) {
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
|
||||
- "Tag data past end of buffer (%u > %u)", offset+2, ds);
|
||||
+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
|
||||
return;
|
||||
}
|
||||
n = exif_get_short (d + offset, data->priv->order);
|
||||
@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
|
||||
offset += 2;
|
||||
|
||||
/* Check if we have enough data. */
|
||||
- if (offset + 12 * n > ds) {
|
||||
+ if (CHECKOVERFLOW(offset, ds, 12*n)) {
|
||||
n = (ds - offset) / 12;
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
"Short data; only loading %hu entries...", n);
|
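Review bot: The new `CHECKOVERFLOW` macro uses its parameters unparenthesized and evaluates each of them more than once, and the last hunk already passes an expression (`12*n`) as `structsize`. That call expands correctly only because `*` binds tighter than `-` and `>`; an argument such as `a + b` would turn `datasize - structsize` into `datasize - a + b` and silently weaken the bounds check. I would write it as `#define CHECKOVERFLOW(offset,datasize,structsize) (((offset) >= (datasize)) || ((structsize) > (datasize)) || ((offset) > (datasize) - (structsize)))`, or as a `static inline` function taking `unsigned int`, with a comment stating that all three operands must be unsigned so the subtraction cannot go negative. The fallback `n = (ds - offset) / 12` in the same hunk depends on `offset <= ds` still holding after `offset += 2`; that appears to follow from the earlier `CHECKOVERFLOW(offset, ds, 2)` test, but the lines between them and the rest of exif_data_load_data_content are outside the hunks shown.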
|
@ -0,0 +1,32 @@
|
|||
From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Meissner <marcus@jet.franken.de>
|
||||
Date: Thu, 5 Nov 2020 09:50:08 +0100
|
||||
Subject: [PATCH] fixed a incorrect overflow check that could be optimized
|
||||
away.
|
||||
|
||||
inspired by:
|
||||
https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
|
||||
|
||||
https://source.android.com/security/bulletin/2020-11-01
|
||||
|
||||
CVE-2020-0452
|
||||
---
|
||||
NEWS | 3 ++-
|
||||
libexif/exif-entry.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
|
||||
index 3fc0ff9..4b866ce 100644
|
||||
--- a/libexif/exif-entry.c
|
||||
+++ b/libexif/exif-entry.c
|
||||
@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
|
||||
{
|
||||
unsigned char *utf16;
|
||||
|
||||
- /* Sanity check the size to prevent overflow */
|
||||
- if (e->size+sizeof(uint16_t)+1 < e->size) break;
|
||||
+ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
|
||||
+ if (e->size >= 65536 - sizeof(uint16_t)*2) break;
|
||||
|
||||
/* The tag may not be U+0000-terminated , so make a local
|
||||
U+0000-terminated copy before converting it */
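Review bot: The replacement guard `e->size >= 65536 - sizeof(uint16_t)*2` bounds the size with a bare literal whose only justification is the comment's statement about the file format, so the check no longer says what it protects. The hunk ends before the allocation, so I am inferring that the code that follows allocates about `e->size + sizeof(uint16_t) + 1` bytes. If so, a named constant would make the relation explicit, for example (name is only a suggestion) `#define EXIF_MAX_ENTRY_SIZE 65536u` and `if (e->size >= EXIF_MAX_ENTRY_SIZE - sizeof(uint16_t)*2) break;`. The comment should also record why the old form was ineffective: presumably the sum was evaluated in `size_t`, which is wider than `e->size` on 64-bit targets, so it could never compare less than `e->size`. exif_entry_get_value's body starts and ends outside the hunk.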
|
10
libexif.spec
10
libexif.spec
|
@ -1,12 +1,17 @@
|
|||
Summary: Library for extracting extra information from image files
|
||||
Name: libexif
|
||||
Version: 0.6.22
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: LGPLv2+
|
||||
URL: https://libexif.github.io/
|
||||
%global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
|
||||
Source0: https://github.com/libexif/libexif/archive/libexif-%{tarball_version}-release.tar.gz
|
||||
|
||||
# https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
|
||||
Patch0: CVE-2020-0181-CVE-2020-0198.patch
|
||||
# https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06
|
||||
Patch1: CVE-2020-0452.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: doxygen
|
||||
|
@ -77,6 +82,9 @@ make check
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Nov 09 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.6.22-3
|
||||
- Fix CVE-2020-0181, CVE-2020-0198, and CVE-2020-0452
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.22-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
|
|