From 6c18e8f7dd58cb92c71cb4ea6ce31e5939ea4ff7 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 3 Mar 2020 14:47:07 +0000 Subject: user/exiv2: patch CVE-2019-20421 (#233) --- user/exiv2/APKBUILD | 19 +++++-- user/exiv2/CVE-2019-20421.patch | 116 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+), 4 deletions(-) create mode 100644 user/exiv2/CVE-2019-20421.patch (limited to 'user/exiv2') diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD index f1ca3f81f..fb710b602 100644 --- a/user/exiv2/APKBUILD +++ b/user/exiv2/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox pkgname=exiv2 pkgver=0.27.2 -pkgrel=1 +pkgrel=2 pkgdesc="Exif, IPTC and XMP metadata library and tools" url="https://www.exiv2.org/" arch="all" @@ -12,8 +12,11 @@ checkdepends="python3 libxml2 cmd:which" makedepends="$depends_dev bash cmake" subpackages="$pkgname-dev $pkgname-doc" source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz - https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019 - CVE-2019-17402.patch" + https://dev.sick.bike/dist/exiv2-$pkgver-POC-file_issue_1019 + https://dev.sick.bike/dist/exiv2-$pkgver-Jp2Image_readMetadata_loop.poc + CVE-2019-17402.patch + CVE-2019-20421.patch + " builddir="$srcdir/$pkgname-$pkgver-Source" # secfixes: @@ -86,6 +89,8 @@ builddir="$srcdir/$pkgname-$pkgver-Source" # - CVE-2019-13114 # 0.27.2-r1: # - CVE-2019-17402 +# 0.27.2-r2: +# - CVE-2019-20421 prepare() { default_prepare @@ -93,6 +98,10 @@ prepare() { # Remove #1019 POC after >= 0.27.2 mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \ test/data/POC-file_issue_1019 + + # Ditto + mv "$srcdir/$pkgname-$pkgver-Jp2Image_readMetadata_loop.poc" \ + test/data/Jp2Image_readMetadata_loop.poc } build() { @@ -112,4 +121,6 @@ package() { sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9 exiv2-0.27.2-POC-file_issue_1019 -623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch" +d2c0f59e9e2daf00066b0ad73253bb7bb09b3319606813f16478ef5717751e4cbb93d12f5c9339dae2965dcf6a63138bdb4205b698aeab57a75f97ddf458d4f7 exiv2-0.27.2-Jp2Image_readMetadata_loop.poc +623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd CVE-2019-17402.patch +c819f06a194b8465c66ccd91b8373cb2a359e59bab7583a8abb873c2001efe6188ac8fa4717c6382d2f2396d25e79e7b397c5ebf000d35c4a7dae547db7bc77b CVE-2019-20421.patch" diff --git a/user/exiv2/CVE-2019-20421.patch b/user/exiv2/CVE-2019-20421.patch new file mode 100644 index 000000000..bdc5449f2 --- /dev/null +++ b/user/exiv2/CVE-2019-20421.patch @@ -0,0 +1,116 @@ +From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001 +From: clanmills +Date: Tue, 1 Oct 2019 17:39:44 +0100 +Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop + +--- + src/jp2image.cpp | 25 +++++++++++++++---- + tests/bugfixes/github/test_CVE_2017_17725.py | 4 +-- + tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++ + 4 files changed, 35 insertions(+), 7 deletions(-) + create mode 100755 test/data/Jp2Image_readMetadata_loop.poc + create mode 100644 tests/bugfixes/github/test_issue_1011.py + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index d5cd1340a..0de088d62 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -18,10 +18,6 @@ + * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA. + */ + +-/* +- File: jp2image.cpp +-*/ +- + // ***************************************************************************** + + // included header files +@@ -197,6 +193,16 @@ namespace Exiv2 + return result; + } + ++static void boxes_check(size_t b,size_t m) ++{ ++ if ( b > m ) { ++#ifdef EXIV2_DEBUG_MESSAGES ++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl; ++#endif ++ throw Error(kerCorruptedMetadata); ++ } ++} ++ + void Jp2Image::readMetadata() + { + #ifdef EXIV2_DEBUG_MESSAGES +@@ -219,9 +225,12 @@ namespace Exiv2 + Jp2BoxHeader subBox = {0,0}; + Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0}; + Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; ++ size_t boxes = 0 ; ++ size_t boxem = 1000 ; // boxes max + + while (io_->read((byte*)&box, sizeof(box)) == sizeof(box)) + { ++ boxes_check(boxes++,boxem ); + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); +@@ -251,8 +260,12 @@ namespace Exiv2 + + while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length ) + { ++ boxes_check(boxes++, boxem) ; + subBox.length = getLong((byte*)&subBox.length, bigEndian); + subBox.type = getLong((byte*)&subBox.type, bigEndian); ++ if (subBox.length > io_->size() ) { ++ throw Error(kerCorruptedMetadata); ++ } + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Exiv2::Jp2Image::readMetadata: " + << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl; +@@ -308,7 +321,9 @@ namespace Exiv2 + } + + io_->seek(restore,BasicIo::beg); +- io_->seek(subBox.length, Exiv2::BasicIo::cur); ++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) { ++ throw Error(kerCorruptedMetadata); ++ } + restore = io_->tell(); + } + break; +diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py +index 1127b9806..670a75d8d 100644 +--- a/tests/bugfixes/github/test_CVE_2017_17725.py ++++ b/tests/bugfixes/github/test_CVE_2017_17725.py +@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): + filename = "$data_path/poc_2017-12-12_issue188" + commands = ["$exiv2 " + filename] + stdout = [""] +- stderr = ["""$exiv2_overflow_exception_message """ + filename + """: +-$addition_overflow_message ++ stderr = ["""$exiv2_exception_message """ + filename + """: ++$kerCorruptedMetadata + """] + retval = [1] +diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py +new file mode 100644 +index 000000000..415861188 +--- /dev/null ++++ b/tests/bugfixes/github/test_issue_1011.py +@@ -0,0 +1,13 @@ ++# -*- coding: utf-8 -*- ++ ++from system_tests import CaseMeta, path ++ ++class Test_issue_1011(metaclass=CaseMeta): ++ ++ filename = path("$data_path/Jp2Image_readMetadata_loop.poc") ++ commands = ["$exiv2 " + filename] ++ stdout = [""] ++ stderr = ["""$exiv2_exception_message """ + filename + """: ++$kerCorruptedMetadata ++"""] ++ retval = [1] +\ No newline at end of file -- cgit v1.2.3-70-g09d2