summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2020-03-02 18:18:03 -0600
committerMax Rees <maxcrees@me.com>2020-03-09 21:27:43 -0500
commit966502dcaa571ab5ff71343a4f297e2ab27693a4 (patch)
treed63b62e24ade23d82704cfc67918394b8c46ccaf
parentce04e9e76552231fd2940d9e02536ebecda3d4a4 (diff)
downloadpackages-966502dcaa571ab5ff71343a4f297e2ab27693a4.tar.gz
packages-966502dcaa571ab5ff71343a4f297e2ab27693a4.tar.bz2
packages-966502dcaa571ab5ff71343a4f297e2ab27693a4.tar.xz
packages-966502dcaa571ab5ff71343a4f297e2ab27693a4.zip
user/libexif: patch CVE-2016-6328 and CVE-2019-9278
-rw-r--r--user/libexif/APKBUILD11
-rw-r--r--user/libexif/CVE-2016-6328.patch60
-rw-r--r--user/libexif/CVE-2019-9278.patch85
3 files changed, 154 insertions, 2 deletions
diff --git a/user/libexif/APKBUILD b/user/libexif/APKBUILD
index de51ae7b0..06e1e832a 100644
--- a/user/libexif/APKBUILD
+++ b/user/libexif/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer:
pkgname=libexif
pkgver=0.6.21
-pkgrel=3
+pkgrel=4
pkgdesc="Library to parse EXIF metadata"
url="https://sourceforge.net/projects/libexif"
arch="all"
@@ -10,14 +10,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
depends=""
makedepends=""
source="https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.bz2
+ CVE-2016-6328.patch
CVE-2017-7544.patch
CVE-2018-20030.patch
+ CVE-2019-9278.patch
"
# secfixes:
# 0.6.21-r3:
# - CVE-2017-7544
# - CVE-2018-20030
+# 0.6.21-r4:
+# - CVE-2016-6328
+# - CVE-2019-9278
prepare() {
default_prepare
@@ -41,5 +46,7 @@ package() {
}
sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 libexif-0.6.21.tar.bz2
+c0d4c74207993efc373615ef2c797d720162a2ee6fd7ad026edf2ced4198d9b1165b88790c2af3194f6bb7c2de88d4672c041c2cff8a82c8914700633332b8c5 CVE-2016-6328.patch
d529c6c5bd26dc21c0946702574184e1f61c2bfd4fb95b41e314f486a0dd55571963ff2cad566d2fb0804de3c0799bcd956c15a3dc10a520ce207728edad4e2d CVE-2017-7544.patch
-0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch"
+0d6123bd275ace338ad9cebb31a2e714de0141b91860f07394b281686a5393566c3f4159679d4ba689ae7ea69ae2e412b158c3deb451c40c210b5817f6888bbc CVE-2018-20030.patch
+c30c03fefea94d175b94c9f0c4d60cbb3aa0ad78b0d29008975fbbb15c17f2907a16fd50970e5fa18d533d0ce291a5ee9b62934210cb40b0f463693460607738 CVE-2019-9278.patch"
diff --git a/user/libexif/CVE-2016-6328.patch b/user/libexif/CVE-2016-6328.patch
new file mode 100644
index 000000000..0568f27d2
--- /dev/null
+++ b/user/libexif/CVE-2016-6328.patch
@@ -0,0 +1,60 @@
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ case EXIF_FORMAT_SHORT:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 2)
++ break;
+ vs = exif_get_short (data, entry->order);
+ snprintf (val+len, maxlen-len, "%i ", vs);
+ len = strlen(val);
+ data += 2;
++ sizeleft -= 2;
+ }
+ }
+ break;
+ case EXIF_FORMAT_LONG:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 4)
++ break;
+ vl = exif_get_long (data, entry->order);
+ snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ len = strlen(val);
+ data += 4;
++ sizeleft -= 4;
+ }
+ }
+ break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ break;
+ }
+
+- return (val);
++ return val;
+ }
diff --git a/user/libexif/CVE-2019-9278.patch b/user/libexif/CVE-2019-9278.patch
new file mode 100644
index 000000000..bd15e8d13
--- /dev/null
+++ b/user/libexif/CVE-2019-9278.patch
@@ -0,0 +1,85 @@
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index a6f9c94..6332cd1 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {