.spec cleanup
Rex Dieter 2020-05-18 11:42:09 -05:00
parent 3dd47657ce
commit fa2bd4ab15
5 changed files with 26 additions and 248 deletions


@ -1,60 +0,0 @@
From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:44:44 +0200
Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
makernote entries.
This should fix:
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
---
libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index d03d159..ea0429a 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
case EXIF_FORMAT_SHORT:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
vs = exif_get_short (data, entry->order);
snprintf (val+len, maxlen-len, "%i ", vs);
len = strlen(val);
data += 2;
+ sizeleft -= 2;
}
}
break;
case EXIF_FORMAT_LONG:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
vl = exif_get_long (data, entry->order);
snprintf (val+len, maxlen-len, "%li", (long int) vl);
len = strlen(val);
data += 4;
+ sizeleft -= 4;
}
}
break;
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
break;
}
- return (val);
+ return val;
}


@ -1,25 +0,0 @@
From 5d28011c40ec86cf52cffad541093d37c263898a Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Fri, 20 Apr 2018 18:05:19 +0200
Subject: [PATCH] Reduce maximum recursion depth in exif_data_load_data_content
This only needs to be a small, single digit integer for normal files,
and reducing the maximum closer to this reduces the time and space
needed to detect pathological cases.
---
libexif/exif-data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 91f4c33..04cdda2 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -378,7 +378,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
- if (recursion_depth > 30) {
+ if (recursion_depth > 12) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
"Deep recursion detected!");
return;


@ -1,114 +0,0 @@
From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Fri, 12 Oct 2018 16:01:45 +0200
Subject: [PATCH] Improve deep recursion detection in
exif_data_load_data_content.
The existing detection was still vulnerable to pathological cases
causing DoS by wasting CPU. The new algorithm takes the number of tags
into account to make it harder to abuse by cases using shallow recursion
but with a very large number of tags. This improves on commit 5d28011c
which wasn't sufficient to counter this kind of case.
The limitation in the previous fix was discovered by Laurent Delosieres,
Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
the identifier CVE-2018-20030.
---
libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
1 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index e35403d..a6f9c94 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -35,6 +35,7 @@
#include <libexif/olympus/exif-mnote-data-olympus.h>
#include <libexif/pentax/exif-mnote-data-pentax.h>
+#include <math.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
break; \
}
+/*! Calculate the recursion cost added by one level of IFD loading.
+ *
+ * The work performed is related to the cost in the exponential relation
+ * work=1.1**cost
+ */
+static unsigned int
+level_cost(unsigned int n)
+{
+ static const double log_1_1 = 0.09531017980432493;
+
+ /* Adding 0.1 protects against the case where n==1 */
+ return ceil(log(n + 0.1)/log_1_1);
+}
+
/*! Load data for an IFD.
*
* \param[in,out] data #ExifData
@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
* \param[in] d pointer to buffer containing raw IFD data
* \param[in] ds size of raw data in buffer at \c d
* \param[in] offset offset into buffer at \c d at which IFD starts
- * \param[in] recursion_depth number of times this function has been
- * recursively called without returning
+ * \param[in] recursion_cost factor indicating how expensive this recursive
+ * call could be
*/
static void
exif_data_load_data_content (ExifData *data, ExifIfd ifd,
const unsigned char *d,
- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
+ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
{
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
ExifShort n;
@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
- if (recursion_depth > 12) {
+ if (recursion_cost > 170) {
+ /*
+ * recursion_cost is a logarithmic-scale indicator of how expensive this
+ * recursive call might end up being. It is an indicator of the depth of
+ * recursion as well as the potential for worst-case future recursive
+ * calls. Since it's difficult to tell ahead of time how often recursion
+ * will occur, this assumes the worst by assuming every tag could end up
+ * causing recursion.
+ * The value of 170 was chosen to limit typical EXIF structures to a
+ * recursive depth of about 6, but pathological ones (those with very
+ * many tags) to only 2.
+ */
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Deep recursion detected!");
+ "Deep/expensive recursion detected!");
return;
}
@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
switch (tag) {
case EXIF_TAG_EXIF_IFD_POINTER:
CHECK_REC (EXIF_IFD_EXIF);
- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_GPS_INFO_IFD_POINTER:
CHECK_REC (EXIF_IFD_GPS);
- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
CHECK_REC (EXIF_IFD_INTEROPERABILITY);
- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
thumbnail_offset = o;


@ -1,30 +0,0 @@
--- libexif-0.5.12/libexif/exif-data.c.buffer-overflow 2005-03-08 05:24:31.000000000 -0500
+++ libexif-0.5.12/libexif/exif-data.c 2005-03-08 05:26:30.000000000 -0500
@@ -551,7 +551,7 @@
#endif
/* Byte order (offset 6, length 2) */
- if (size < 12)
+ if (size < 14)
return;
if (!memcmp (d + 6, "II", 2))
data->priv->order = EXIF_BYTE_ORDER_INTEL;
@@ -570,12 +570,18 @@
printf ("IFD 0 at %i.\n", (int) offset);
#endif
+ if (size < 6 + 4 + offset)
+ return;
+
/* Parse the actual exif data (offset 14) */
exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
size - 6, offset);
/* IFD 1 offset */
n = exif_get_short (d + 6 + offset, data->priv->order);
+ if (size < 6 + offset + 2 + 12 * n + 4)
+ return;
+
offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
if (offset) {
#ifdef DEBUG


@ -1,15 +1,11 @@
Summary: Library for extracting extra information from image files Summary: Library for extracting extra information from image files
Name: libexif Name: libexif
Version: 0.6.21 Version: 0.6.22
Release: 21%{?dist} Release: 1%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://libexif.github.io/ URL: https://libexif.github.io/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2 %global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
# CVE-2016-6328, RHBZ#1366239 Source0: https://github.com/libexif/libexif/archive/libexif-%{tarball_version}-release.tar.gz
Patch0: 41bd04234b104312f54d25822f68738ba8d7133d.patch
# CVE-2018-20030, RHBZ#
Patch1: 5d28011c40ec86cf52cffad541093d37c263898a.patch
Patch2: 6aa11df549114ebda520dde4cdaea2f9357b2c89.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -26,8 +22,6 @@ allows you to parse an EXIF file and read the data from those tags.
%package devel %package devel
Summary: Files needed for libexif application development Summary: Files needed for libexif application development
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description devel %description devel
The libexif-devel package contains the libraries and header files The libexif-devel package contains the libraries and header files
for writing programs that use libexif. for writing programs that use libexif.
@ -35,21 +29,28 @@ for writing programs that use libexif.
%package doc %package doc
Summary: The EXIF Library API documentation Summary: The EXIF Library API documentation
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
%description doc %description doc
API Documentation for programmers wishing to use libexif in their programs. API Documentation for programmers wishing to use libexif in their programs.
%prep %prep
%autosetup -p1 %autosetup -n libexif-libexif-%{tarball_version}-release -p1
%build %build
autoreconf -fiv autoreconf -fiv
%configure --disable-static
make %{?_smp_mflags} %configure \
--disable-static
%make_build
%install %install
make DESTDIR=%{buildroot} install %make_install
find %{buildroot} -name "*.la" -exec rm -v {} \;
rm -fv %{buildroot}%{_libdir}/lib*.la
rm -rf %{buildroot}%{_datadir}/doc/libexif rm -rf %{buildroot}%{_datadir}/doc/libexif
cp -R doc/doxygen-output/libexif-api.html . cp -R doc/doxygen-output/libexif-api.html .
iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING
@ -62,18 +63,24 @@ make check
%ldconfig_scriptlets %ldconfig_scriptlets
%files -f libexif-12.lang %files -f libexif-12.lang
%doc COPYING README NEWS %doc README NEWS
%{_libdir}/libexif.so.* %license COPYING
%{_libdir}/libexif.so.12*
%files devel %files devel
%{_includedir}/libexif %{_includedir}/libexif
%{_libdir}/*.so %{_libdir}/libexif.so
%{_libdir}/pkgconfig/libexif.pc %{_libdir}/pkgconfig/libexif.pc
%files doc %files doc
%doc libexif-api.html %doc libexif-api.html
%changelog %changelog
* Mon May 18 2020 Rex Dieter <rdieter@fedoraproject.org> - 0.6.22-1
- 0.6.22
- .spec cleanup
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.21-21 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.21-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
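Review bot: The new changelog entry (`- 0.6.22`, `- .spec cleanup`) does not record that Patch0–Patch2 and their `# CVE-2016-6328` / `# CVE-2018-20030` comments were dropped, so the package changelog no longer shows where those fixes come from. If the 0.6.22 release carries both fixes (this page does not show it; check the upstream NEWS for that release), add a line such as `- drop CVE-2016-6328 and CVE-2018-20030 patches, included upstream in 0.6.22`. Source0 also moves to a forge-generated archive, and none of the five changed files looks like a `sources` update, so the checksum for the new tarball presumably lands in another commit and is worth confirming before the build.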