Fix CVE-2007-4168

libexif-cve-2007-4168.patch

@@ -0,0 +1,21 @@
+--- libexif-0.6.13/libexif/exif-data.c.cve-2007-4168	2005-08-22 16:32:02.000000000 -0400
++++ libexif-0.6.13/libexif/exif-data.c	2007-06-12 12:14:35.000000000 -0400
+@@ -174,9 +174,15 @@ exif_data_load_data_entry (ExifData *dat
+ 	 * Size? If bigger than 4 bytes, the actual data is not
+ 	 * in the entry but somewhere else (offset).
+ 	 */
+-	s = exif_format_get_size (entry->format) * entry->components;
+-	if (!s)
+-		return 0;
++        /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff }
++         *   -> { 0x000000000 .. 0x7fffffff8 } */
++        s = exif_format_get_size(entry->format) * entry->components;
++        if (s < entry->components) {
++                return 0;
++        }
++        if (0 == s)
++                return 0;
++
+ 	if (s > 4)
+ 		doff = exif_get_long (d + offset + 8, data->priv->order);
+ 	else

libexif.spec

@@ -1,12 +1,13 @@
 Summary: Library for extracting extra information from image files
 Name: libexif
 Version: 0.6.15
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: System Environment/Libraries
 License: LGPL
 URL: http://libexif.sourceforge.net/
 Source0: libexif-%{version}.tar.bz2 
 Source1: libexif-docs.tar.gz
+Patch0: libexif-cve-2007-4168.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
 BuildRequires: doxygen
 
@@ -27,6 +28,7 @@ for writing programs that use libexif.
 
 %prep
 %setup -q
+%patch0 -p1 -b .cve-2007-4168
 # to avoid multilib conflicts, we toss in pre-generated docs
 # and neuter make all in the docs dir
 tar xzf %{SOURCE1}
@@ -65,6 +67,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/libexif.pc
 
 %changelog
+* Wed Jun 13 2007 Matthias Clasen <mclasen@redhat.com> - 0.6.15-2
+- Add patch for CVE-2007-4168. Fix bug #243892
+
 * Wed May 30 2007 Matthias Clasen <mclasen@redhat.com> - 0.6.15-1
 - Update to 0.6.15
 - Drop obsolete patch