Patch for CVE-2016-6328 (#1484032)

2017-12-16 23:42:04 -06:00 · 2017-12-16 23:42:04 -06:00 · a585cee8d6
commit a585cee8d6
parent 6295d08bb5
2 changed files with 68 additions and 1 deletions
--- a/41bd04234b104312f54d25822f68738ba8d7133d.patch
+++ b/41bd04234b104312f54d25822f68738ba8d7133d.patch
@ -0,0 +1,60 @@
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 2)
+					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
+				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 4)
+					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
+				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		break;
+ 	}
+ 
+-	return (val);
+	return val;
+ }
--- a/libexif.spec
+++ b/libexif.spec
@ -1,11 +1,14 @@
 Summary:	Library for extracting extra information from image files
 Name:		libexif
 Version:	0.6.21
-Release:	13%{?dist}
+Release:	14%{?dist}
 Group:		System Environment/Libraries
 License:	LGPLv2+
 URL:		http://libexif.sourceforge.net/
 Source0:	http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
+# CVE-2016-6328, RHBZ#1366239
+Patch0:		41bd04234b104312f54d25822f68738ba8d7133d.patch
+
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	doxygen
@ -38,6 +41,7 @@ API Documentation for programmers wishing to use libexif in their programs.

 %prep
 %setup -q
+%patch0 -p1

 %build
 autoreconf -fiv
@ -73,6 +77,9 @@ make check
 %doc libexif-api.html

 %changelog
+* Sun Dec 17 2017 Yaakov Selkowitz <yselkowi@redhat.com> - 0.6.21-14
+- Patch for CVE-2016-6328 (#1484032)
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.21-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild