From aa9105686bf03258e3f131be3fd549a5b1ef03d8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 06 2021 09:07:34 +0000 Subject: import compat-exiv2-026-0.26-6.el8 --- diff --git a/SOURCES/exiv2-CVE-2021-31291.patch b/SOURCES/exiv2-CVE-2021-31291.patch new file mode 100644 index 0000000..749d573 --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-31291.patch @@ -0,0 +1,26 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 1892fd4..01a21f2 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -737,9 +737,10 @@ namespace Exiv2 + #endif + box.length = io_->size() - io_->tell() + 8; + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff --git a/SOURCES/exiv2-CVE-2021-31292.patch b/SOURCES/exiv2-CVE-2021-31292.patch new file mode 100644 index 0000000..09f2199 --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-31292.patch @@ -0,0 +1,26 @@ +From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Fri, 9 Apr 2021 13:37:48 +0100 +Subject: [PATCH] Fix integer overflow. + +--- + src/crwimage.cpp | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/crwimage.cpp b/src/crwimage.cpp +index ca79aa7..cd6200c 100644 +--- a/src/crwimage.cpp ++++ b/src/crwimage.cpp +@@ -1326,7 +1326,11 @@ namespace Exiv2 { + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { + uint32_t size = 28; +- if (cc && cc->size() > size) size = cc->size(); ++ if (cc) { ++ if (cc->size() < size) ++ throw Error(kerCorruptedMetadata); ++ size = cc->size(); ++ } + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); + if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); diff --git a/SOURCES/exiv2-CVE-2021-37618.patch b/SOURCES/exiv2-CVE-2021-37618.patch new file mode 100644 index 0000000..929cae4 --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-37618.patch @@ -0,0 +1,37 @@ +From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Mon, 5 Jul 2021 10:40:03 +0100 +Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure + +--- + src/jp2image.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 43c93d7..a8c37e8 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -42,6 +42,7 @@ EXIV2_RCSID("@(#) $Id$") + #include "futils.hpp" + #include "types.hpp" + #include "safe_op.hpp" ++#include "enforce.hpp" + + // + standard includes + #include +@@ -511,6 +512,7 @@ namespace Exiv2 + if(subBox.type == kJp2BoxTypeColorHeader) + { + long pad = 3 ; // don't know why there are 3 padding bytes ++ enforce(data.size_ >= pad, kerCorruptedMetadata); + if ( bPrint ) { + out << " | pad:" ; + for ( int i = 0 ; i < 3 ; i++ ) out<< " " << (int) data.pData_[i]; +@@ -521,6 +523,7 @@ namespace Exiv2 + } + + DataBuf icc(iccLength); ++ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata); + if ( bICC ) out.write((const char*)icc.pData_,icc.size_); + } + lf(out,bLF); diff --git a/SOURCES/exiv2-CVE-2021-37619.patch b/SOURCES/exiv2-CVE-2021-37619.patch new file mode 100644 index 0000000..e00520c --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-37619.patch @@ -0,0 +1,30 @@ +From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Wed, 30 Jun 2021 16:47:50 +0100 +Subject: [PATCH 2/2] Fix incorrect loop condition. + +--- + src/jp2image.cpp | 6 ++++-- + .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------ + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 2cd0a89..58ad5c6 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -619,11 +619,13 @@ namespace Exiv2 + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + +- while ( count < length || !bWroteColor ) { ++ while ( count < length && !bWroteColor ) { + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +- Jp2BoxHeader subBox = *pSubBox ; ++ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy. ++ Jp2BoxHeader subBox; ++ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader)); + Jp2BoxHeader newBox = subBox; + + if ( count < length ) { diff --git a/SPECS/compat-exiv2-026.spec b/SPECS/compat-exiv2-026.spec index 6dbf115..c45a864 100644 --- a/SPECS/compat-exiv2-026.spec +++ b/SPECS/compat-exiv2-026.spec @@ -1,6 +1,6 @@ Name: compat-exiv2-026 Version: 0.26 -Release: 3%{?dist} +Release: 6%{?dist} Summary: Compatibility package with the exiv2 library in version 0.26 License: GPLv2+ @@ -32,6 +32,10 @@ Patch24: exiv2-CVE-2018-5772.patch Patch25: exiv2-CVE-2018-8976.patch Patch26: exiv2-CVE-2018-8977.patch Patch27: exiv2-CVE-2018-16336.patch +Patch28: exiv2-CVE-2021-31291.patch +Patch29: exiv2-CVE-2021-31292.patch +Patch30: exiv2-CVE-2021-37618.patch +Patch31: exiv2-CVE-2021-37619.patch ## upstreamable patches @@ -96,6 +100,20 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so %changelog +* Wed Aug 18 2021 Jan Grulich - 0.26-6 +- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure + Resolves: bz#1993283 + +- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header + Resolves: bz#1993246 + +* Thu Aug 05 2021 Jan Grulich - 0.26-4 +- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS + Resolves: bz#1990398 + +- Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS + Resolves: bz#1990399 + * Thu Nov 21 2019 Jan Grulich - 0.26-3 - Remove pre-built msvc binaries Resolves: bz#1757349