Browse Source
gnu: libexif: Update to 0.6.22 [security fixes].
gnu: libexif: Update to 0.6.22 [security fixes].
This fixes CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-0093, CVE-2019-9278, and CVE-2020-12767. * gnu/packages/patches/libexif-CVE-2016-6328.patch, gnu/packages/patches/libexif-CVE-2017-7544.patch, gnu/packages/patches/libexif-CVE-2018-20030.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/photo.scm (libexif): Update to 0.6.22. [source](uri): Adjust for upstream GitHub migration.wip-hurd-vm
Marius Bakke
2 years ago
committed by
Marius Bakke
Marius Bakke
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
5 changed files with 7 additions and 231 deletions
-
3gnu/local.mk
-
72gnu/packages/patches/libexif-CVE-2016-6328.patch
-
29gnu/packages/patches/libexif-CVE-2017-7544.patch
-
120gnu/packages/patches/libexif-CVE-2018-20030.patch
-
14gnu/packages/photo.scm
@ -1,72 +0,0 @@ |
|||
Fix CVE-2016-6328: |
|||
|
|||
https://bugzilla.redhat.com/show_bug.cgi?id=1366239 |
|||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328 |
|||
|
|||
Patch copied from upstream source repository: |
|||
|
|||
https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d |
|||
|
|||
From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 |
|||
From: Marcus Meissner <marcus@jet.franken.de> |
|||
Date: Tue, 25 Jul 2017 23:44:44 +0200 |
|||
Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax |
|||
makernote entries. |
|||
|
|||
This should fix: |
|||
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 |
|||
---
|
|||
libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- |
|||
1 file changed, 13 insertions(+), 3 deletions(-) |
|||
|
|||
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
|
|||
index d03d159..ea0429a 100644
|
|||
--- a/libexif/pentax/mnote-pentax-entry.c
|
|||
+++ b/libexif/pentax/mnote-pentax-entry.c
|
|||
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
|
|||
case EXIF_FORMAT_SHORT: |
|||
{ |
|||
const unsigned char *data = entry->data; |
|||
- size_t k, len = strlen(val);
|
|||
+ size_t k, len = strlen(val), sizeleft;
|
|||
+
|
|||
+ sizeleft = entry->size;
|
|||
for(k=0; k<entry->components; k++) { |
|||
+ if (sizeleft < 2)
|
|||
+ break;
|
|||
vs = exif_get_short (data, entry->order); |
|||
snprintf (val+len, maxlen-len, "%i ", vs); |
|||
len = strlen(val); |
|||
data += 2; |
|||
+ sizeleft -= 2;
|
|||
} |
|||
} |
|||
break; |
|||
case EXIF_FORMAT_LONG: |
|||
{ |
|||
const unsigned char *data = entry->data; |
|||
- size_t k, len = strlen(val);
|
|||
+ size_t k, len = strlen(val), sizeleft;
|
|||
+
|
|||
+ sizeleft = entry->size;
|
|||
for(k=0; k<entry->components; k++) { |
|||
+ if (sizeleft < 4)
|
|||
+ break;
|
|||
vl = exif_get_long (data, entry->order); |
|||
snprintf (val+len, maxlen-len, "%li", (long int) vl); |
|||
len = strlen(val); |
|||
data += 4; |
|||
+ sizeleft -= 4;
|
|||
} |
|||
} |
|||
break; |
|||
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
|
|||
break; |
|||
} |
|||
|
|||
- return (val);
|
|||
+ return val;
|
|||
} |
|||
--
|
|||
2.16.0 |
|||
|
|||
@ -1,29 +0,0 @@ |
|||
Fix CVE-2017-7544: |
|||
|
|||
https://sourceforge.net/p/libexif/bugs/130/ |
|||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544 |
|||
|
|||
Patch copied from upstream bug tracker: |
|||
|
|||
https://sourceforge.net/p/libexif/bugs/130/#489a |
|||
|
|||
Index: libexif/exif-data.c
|
|||
===================================================================
|
|||
RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v |
|||
retrieving revision 1.131 |
|||
diff -u -r1.131 exif-data.c
|
|||
--- a/libexif/exif-data.c 12 Jul 2012 17:28:26 -0000 1.131
|
|||
+++ b/libexif/exif-data.c 25 Jul 2017 21:34:06 -0000
|
|||
@@ -255,6 +255,12 @@
|
|||
exif_mnote_data_set_offset (data->priv->md, *ds - 6); |
|||
exif_mnote_data_save (data->priv->md, &e->data, &e->size); |
|||
e->components = e->size; |
|||
+ if (exif_format_get_size (e->format) != 1) {
|
|||
+ /* e->format is taken from input code,
|
|||
+ * but we need to make sure it is a 1 byte
|
|||
+ * entity due to the multiplication below. */
|
|||
+ e->format = EXIF_FORMAT_UNDEFINED;
|
|||
+ }
|
|||
} |
|||
} |
|||
|
|||
@ -1,120 +0,0 @@ |
|||
https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89.patch |
|||
|
|||
NEWS section was removed |
|||
'12' -> '30' on line 79 |
|||
|
|||
From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 |
|||
From: Dan Fandrich <dan@coneharvesters.com> |
|||
Date: Fri, 12 Oct 2018 16:01:45 +0200 |
|||
Subject: [PATCH] Improve deep recursion detection in |
|||
exif_data_load_data_content. |
|||
|
|||
The existing detection was still vulnerable to pathological cases |
|||
causing DoS by wasting CPU. The new algorithm takes the number of tags |
|||
into account to make it harder to abuse by cases using shallow recursion |
|||
but with a very large number of tags. This improves on commit 5d28011c |
|||
which wasn't sufficient to counter this kind of case. |
|||
|
|||
The limitation in the previous fix was discovered by Laurent Delosieres, |
|||
Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned |
|||
the identifier CVE-2018-20030. |
|||
---
|
|||
NEWS | 1 + |
|||
libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++-------- |
|||
2 files changed, 38 insertions(+), 8 deletions(-) |
|||
|
|||
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
|
|||
index e35403d..a6f9c94 100644
|
|||
--- a/libexif/exif-data.c
|
|||
+++ b/libexif/exif-data.c
|
|||
@@ -35,6 +35,7 @@
|
|||
#include <libexif/olympus/exif-mnote-data-olympus.h> |
|||
#include <libexif/pentax/exif-mnote-data-pentax.h> |
|||
|
|||
+#include <math.h>
|
|||
#include <stdlib.h> |
|||
#include <stdio.h> |
|||
#include <string.h> |
|||
@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
|
|||
break; \ |
|||
} |
|||
|
|||
+/*! Calculate the recursion cost added by one level of IFD loading.
|
|||
+ *
|
|||
+ * The work performed is related to the cost in the exponential relation
|
|||
+ * work=1.1**cost
|
|||
+ */
|
|||
+static unsigned int
|
|||
+level_cost(unsigned int n)
|
|||
+{
|
|||
+ static const double log_1_1 = 0.09531017980432493;
|
|||
+
|
|||
+ /* Adding 0.1 protects against the case where n==1 */
|
|||
+ return ceil(log(n + 0.1)/log_1_1);
|
|||
+}
|
|||
+
|
|||
/*! Load data for an IFD. |
|||
* |
|||
* \param[in,out] data #ExifData |
|||
@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
|
|||
* \param[in] d pointer to buffer containing raw IFD data |
|||
* \param[in] ds size of raw data in buffer at \c d |
|||
* \param[in] offset offset into buffer at \c d at which IFD starts |
|||
- * \param[in] recursion_depth number of times this function has been
|
|||
- * recursively called without returning
|
|||
+ * \param[in] recursion_cost factor indicating how expensive this recursive
|
|||
+ * call could be
|
|||
*/ |
|||
static void |
|||
exif_data_load_data_content (ExifData *data, ExifIfd ifd, |
|||
const unsigned char *d, |
|||
- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
|
|||
+ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
|
|||
{ |
|||
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; |
|||
ExifShort n; |
|||
@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
|
|||
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) |
|||
return; |
|||
|
|||
- if (recursion_depth > 30) {
|
|||
+ if (recursion_cost > 170) {
|
|||
+ /*
|
|||
+ * recursion_cost is a logarithmic-scale indicator of how expensive this
|
|||
+ * recursive call might end up being. It is an indicator of the depth of
|
|||
+ * recursion as well as the potential for worst-case future recursive
|
|||
+ * calls. Since it's difficult to tell ahead of time how often recursion
|
|||
+ * will occur, this assumes the worst by assuming every tag could end up
|
|||
+ * causing recursion.
|
|||
+ * The value of 170 was chosen to limit typical EXIF structures to a
|
|||
+ * recursive depth of about 6, but pathological ones (those with very
|
|||
+ * many tags) to only 2.
|
|||
+ */
|
|||
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", |
|||
- "Deep recursion detected!");
|
|||
+ "Deep/expensive recursion detected!");
|
|||
return; |
|||
} |
|||
|
|||
@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
|
|||
switch (tag) { |
|||
case EXIF_TAG_EXIF_IFD_POINTER: |
|||
CHECK_REC (EXIF_IFD_EXIF); |
|||
- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
|
|||
+ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
|
|||
+ recursion_cost + level_cost(n));
|
|||
break; |
|||
case EXIF_TAG_GPS_INFO_IFD_POINTER: |
|||
CHECK_REC (EXIF_IFD_GPS); |
|||
- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
|
|||
+ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
|
|||
+ recursion_cost + level_cost(n));
|
|||
break; |
|||
case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: |
|||
CHECK_REC (EXIF_IFD_INTEROPERABILITY); |
|||
- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
|
|||
+ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
|
|||
+ recursion_cost + level_cost(n));
|
|||
break; |
|||
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: |
|||
thumbnail_offset = o; |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue