From b1cf58a388a2e50046539ab680567ee15768bf75 Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Sat, 8 Dec 2018 17:30:59 +0000
Subject: user/exiv2: fix CVE-2018-19535
---
 user/exiv2/APKBUILD | 10 +-
 user/exiv2/CVE-2018-19535.patch | 239 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 247 insertions(+), 2 deletions(-)
 create mode 100644 user/exiv2/CVE-2018-19535.patch
(limited to 'user/exiv2')
diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index d9ced3064..12c8c21c6 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox
 pkgname=exiv2
 pkgver=0.26
-pkgrel=1
+pkgrel=2
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="http://www.exiv2.org"
 arch="all"
@@ -14,9 +14,14 @@ subpackages="$pkgname-dev $pkgname-doc"
 source="http://www.exiv2.org/builds/exiv2-$pkgver-trunk.tar.gz
 0000-pthread-init-fix.patch
 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+ CVE-2018-19535.patch
 "
 builddir="$srcdir"/exiv2-trunk

+# secfixes:
+# 0.26-r2:
+# - CVE-2018-19535
+
 prepare() {
 cd "$builddir"
 default_prepare
@@ -38,4 +43,5 @@ package() {

 sha512sums="d1e9cab886e279b045768dd9ec781f07d2d36d573119403d0b76dc571442173aae6972f86ec55c3ea53fb3ee9ca3571eb8fd63a2a6643a970852813e88634a86 exiv2-0.26-trunk.tar.gz
 9721d359708c385be7c86a8f8a63de43b05b2578a29b4339861e82873aa81a98a7ee7252847b6c55529341187d40f552c488589b416fd9d1e27418925929c018 0000-pthread-init-fix.patch
-485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch"
+485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+ac145a9b4df21e7f5fdd3099e6ae4c1e12ae2cdccc455d0262c5d38b8e07ce6437036a19264bd04b1cb1fffd01d89672044ca82fddd5e71dcd0d84d48356ab12 CVE-2018-19535.patch"
diff --git a/user/exiv2/CVE-2018-19535.patch b/user/exiv2/CVE-2018-19535.patch
new file mode 100644
index 000000000..ba9355012
--- /dev/null
+++ b/user/exiv2/CVE-2018-19535.patch
@@ -0,0 +1,239 @@
+From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
+Date: Sun, 2 Sep 2018 14:39:52 +0200
+Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile
+
+- Now it takes into account text.size_ when searching for a newline
+char.
+---
+ src/pngchunk.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 58281b3ff..755872c94 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -629,11 +629,19 @@ namespace Exiv2 {
+
+
+ sp = (char*)text.pData_+1;
++ int pointerPos = 1;
+
+ // Look for newline
+-
+- while (*sp != '\n')
++ while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
++
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Look for length
+
+
+From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
+Date: Mon, 3 Sep 2018 08:51:08 +0200
+Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 36 +++++++++++++-----------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 755872c94..9b3faf1aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -606,11 +606,6 @@ namespace Exiv2 {
+ DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
+ {
+ DataBuf info;
+- register long i;
+- register unsigned char *dp;
+- const char *sp;
+- unsigned int nibbles;
+- long length;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+@@ -627,8 +622,7 @@ namespace Exiv2 {
+ return info;
+ }
+
+-
+- sp = (char*)text.pData_+1;
++ const char *sp = (char*)text.pData_+1;
+ int pointerPos = 1;
+
+ // Look for newline
+@@ -638,20 +632,30 @@ namespace Exiv2 {
+ pointerPos++;
+ }
+
++ // Look for
length
++ while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ {
++ sp++;
++ pointerPos++;
++ }
++
+ if (pointerPos == (text.size_ - 1))
+ {
+ return DataBuf();
+ }
+
+- // Look for length
++ long length = (long) atol(sp);
+
+- while (*sp == '\0' || *sp == ' ' || *sp == '\n')
++ while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
+
+- length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n')
+- sp++;
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Allocate space
+
+@@ -674,10 +678,10 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- dp = (unsigned char*)info.pData_;
+- nibbles = length * 2;
++ unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned int nibbles = length * 2;
+
+- for (i = 0; i < (long) nibbles; i++)
++ for (long i = 0; i < (long) nibbles; i++)
+ {
+ while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
+ {
+
+From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
+From: Robin Mills
+Date: Mon, 10 Sep 2018 20:54:53 +0200
+Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
+ 1 file changed, 27 insertions(+), 28 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 9b3faf1aa..f81b560aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -607,11 +607,11 @@ namespace Exiv2 {
+ {
+ DataBuf info;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+- 13,14,15};
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
++ 13,14,15};
+ if (text.size_
== 0) {
+ return DataBuf();
+ }
+@@ -622,52 +622,51 @@ namespace Exiv2 {
+ return info;
+ }
+
+- const char *sp = (char*)text.pData_+1;
+- int pointerPos = 1;
++ const char *sp = (char*) text.pData_+1; // current byte (space pointer)
++ const char *eot = (char*) text.pData_+text.size_; // end of text
+
+ // Look for newline
+- while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ while (*sp != '\n' && sp < eot )
+ {
+ sp++;
+- pointerPos++;
++ if ( sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+ // Look for length
+- while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+ {
+ sp++;
+- pointerPos++;
+- }
+-
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
+
+- long length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ const char* startOfLength = sp;
++ while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+ {
+ sp++;
+- pointerPos++;
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
+- }
++ long length = (long) atol(startOfLength);
+
+ // Allocate space
+-
+ if (length == 0)
+ {
+ #ifdef DEBUG
+ std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
+ #endif
+ }
+-
+ info.alloc(length);
+-
+ if (info.size_ != length)
+ {
+ #ifdef DEBUG
+@@ -678,7 +677,7 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
+ unsigned int nibbles = length * 2;
+
+ for (long i = 0; i < (long) nibbles; i++)
+
--
cgit v1.2.3-60-g2f50