From 38bbe202fed971eac922c309ac783b18417dec8f Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Mon, 9 Nov 2020 16:09:58 +0000
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/libexif.git#3a936dfbb3d20ecb81e2ebcfe6328ff6c18af27d
---
 CVE-2020-0181-CVE-2020-0198.patch | 58 +++++++++++++++++++++++++++++++
 CVE-2020-0452.patch | 32 +++++++++++++++++
 libexif.spec | 10 +++++-
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-0181-CVE-2020-0198.patch
 create mode 100644 CVE-2020-0452.patch
diff --git a/CVE-2020-0181-CVE-2020-0198.patch b/CVE-2020-0181-CVE-2020-0198.patch
new file mode 100644
index 0000000..e0358c2
--- /dev/null
+++ b/CVE-2020-0181-CVE-2020-0198.patch
@@ -0,0 +1,58 @@
+From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Mon, 8 Jun 2020 17:27:06 +0200
+Subject: [PATCH] fixed another unsigned integer overflow
+
+first fixed by google in android fork,
+https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
+
+(use a more generic overflow check method, also check second overflow instance.)
+
+https://security-tracker.debian.org/tracker/CVE-2020-0198
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 8b280d3..b495726 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+ 
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+ return;
+ }
+- if (s > ds - o) {
++ if (CHECKOVERFLOW(o,ds,s)) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ }
+ 
+ /* Read the number of entries */
+- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
++ if (CHECKOVERFLOW(offset, ds, 2)) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+- "Tag data past end of buffer (%u > %u)", offset+2, ds);
++ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
+ return;
+ }
+ n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ offset += 2;
+ 
+ /* Check if we have enough data. */
+- if (offset + 12 * n > ds) {
++ if (CHECKOVERFLOW(offset, ds, 12*n)) {
+ n = (ds - offset) / 12;
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "Short data; only loading %hu entries...", n);
diff --git a/CVE-2020-0452.patch b/CVE-2020-0452.patch
new file mode 100644
index 0000000..4a499ff
--- /dev/null
+++ b/CVE-2020-0452.patch
@@ -0,0 +1,32 @@
+From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Thu, 5 Nov 2020 09:50:08 +0100
+Subject: [PATCH] fixed a incorrect overflow check that could be optimized
+ away.
+
+inspired by:
+https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
+
+https://source.android.com/security/bulletin/2020-11-01
+
+CVE-2020-0452
+---
+ NEWS | 3 ++-
+ libexif/exif-entry.c | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 3fc0ff9..4b866ce 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ {
+ unsigned char *utf16;
+ 
+- /* Sanity check the size to prevent overflow */
+- if (e->size+sizeof(uint16_t)+1 < e->size) break;
++ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
++ if (e->size >= 65536 - sizeof(uint16_t)*2) break;
+ 
+ /* The tag may not be U+0000-terminated , so make a local
+ U+0000-terminated copy before converting it */
diff --git a/libexif.spec b/libexif.spec
index 91e8f2c..977a024 100644
--- a/libexif.spec
+++ b/libexif.spec
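Review bot: The CHECKOVERFLOW macro introduced in the exif-data.c hunk of CVE-2020-0181-CVE-2020-0198.patch leaves its parameters unparenthesized, so a compound third argument such as `a + b` would expand `datasize - structsize` to `ds - a + b` and silently weaken the bound. The three call sites in this file pass `s`, `2` and `12*n`, all of which expand correctly (`*` binds tighter than `-` and `>`), so the backport is sound as shipped. Because the file is a verbatim copy of the upstream commit I would not diverge from it here, but anyone reusing the macro should prefer `#define CHECKOVERFLOW(offset,datasize,structsize) (((offset) >= (datasize)) || ((structsize) > (datasize)) || ((offset) > (datasize) - (structsize)))`. The enclosing functions exif_data_load_data_thumbnail and exif_data_load_data_content start and end outside the quoted hunks.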
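Review bot: The diffstat inside CVE-2020-0452.patch lists `NEWS | 3 ++-` and `2 files changed, 4 insertions(+), 3 deletions(-)`, but the 32-line file carries only the exif-entry.c hunk, so the header does not describe the patch body; patch(1) and git apply ignore the stat block, so it still applies, but the file should be regenerated or the stat trimmed to `1 file changed, 2 insertions(+), 2 deletions(-)` so the backport is not mistaken for a truncated copy. The replacement bound `e->size >= 65536 - sizeof(uint16_t)*2` is upstream's choice and removes the wrap-around test that an optimizer could fold away; it is appropriate to carry unchanged. The enclosing exif_entry_get_value starts and ends outside the hunk.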
@@ -1,12 +1,17 @@
 Summary: Library for extracting extra information from image files
 Name: libexif
 Version: 0.6.22
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://libexif.github.io/
 %global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
 Source0: https://github.com/libexif/libexif/archive/libexif-%{tarball_version}-release.tar.gz
+# https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
+Patch0: CVE-2020-0181-CVE-2020-0198.patch
+# https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06
+Patch1: CVE-2020-0452.patch
+
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: doxygen
@@ -77,6 +82,9 @@ make check
 %changelog
+* Mon Nov 09 2020 Michael Catanzaro - 0.6.22-3
+- Fix CVE-2020-0181, CVE-2020-0198, and CVE-2020-0452
+
 * Tue Jul 28 2020 Fedora Release Engineering - 0.6.22-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
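Review bot: The libexif.spec hunk declares `Patch0:` and `Patch1:` but `%prep` lies outside both hunks, so this diff alone does not show the patches being applied; if the unchanged `%prep` uses plain `%setup` rather than `%autosetup -p1` or explicit `%patch0 -p1` / `%patch1 -p1` lines, 0.6.22-3 would build without the CVE fixes while the changelog entry claims them. Worth confirming against the unchanged part of the spec before this goes to a build. The comment lines above each `Patch` tag citing the upstream commit are good practice and should stay.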