diff --git a/.exiv2.metadata b/.exiv2.metadata index 8b058fc..9bd5035 100644 --- a/.exiv2.metadata +++ b/.exiv2.metadata @@ -1,3 +1 @@ -ed620c568463179aca7847bee5fda40c11c08318 SOURCES/exiv2-0.27.4-Source.tar.gz -8bfcbc41598e9377d5938fbc75d63db3e6bd9bc9 SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2 -af7e1607f84dc143f09efaced2d6e05064238d4f SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 +775f9c5ddeb92b682da8b7737f9811009595dc6a SOURCES/exiv2-0.27.5-Source.tar.gz diff --git a/.gitignore b/.gitignore index c7dbcb6..507135e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1 @@ -SOURCES/exiv2-0.27.4-Source.tar.gz -SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2 -SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 +SOURCES/exiv2-0.27.5-Source.tar.gz diff --git a/SOURCES/exiv2-CVE-2021-37618.patch b/SOURCES/exiv2-CVE-2021-37618.patch deleted file mode 100644 index ac3f866..0000000 --- a/SOURCES/exiv2-CVE-2021-37618.patch +++ /dev/null @@ -1,67 +0,0 @@ -From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Mon, 5 Jul 2021 10:39:08 +0100 -Subject: [PATCH 1/2] Regression test for - https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 - ---- - test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 | Bin 0 -> 32768 bytes - .../github/test_issue_ghsa_583f_w9pm_99r2.py | 18 ++++++++++++++++++ - 2 files changed, 18 insertions(+) - create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 - create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py - -diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py -new file mode 100644 -index 000000000..808916aee ---- /dev/null -+++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py -@@ -0,0 +1,18 @@ -+# -*- coding: utf-8 -*- -+ -+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors -+ -+class Jp2ImagePrintStructureICC(metaclass=CaseMeta): -+ """ -+ Regression test for the bug described in: -+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2 -+ """ -+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2" -+ -+ filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2") -+ commands = ["$exiv2 -p C $filename"] -+ stdout = [""] -+ stderr = ["""Exiv2 exception in print action for file $filename: -+$kerCorruptedMetadata -+"""] -+ retval = [1] - -From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Mon, 5 Jul 2021 10:40:03 +0100 -Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure - ---- - src/jp2image.cpp | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 3bf356629..2d6dc2118 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m) - - if (subBox.type == kJp2BoxTypeColorHeader) { - long pad = 3; // don't know why there are 3 padding bytes -+ enforce(data.size_ >= pad, kerCorruptedMetadata); - if (bPrint) { - out << " | pad:"; - for (int i = 0; i < 3; i++) -@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m) - if (bPrint) { - out << " | iccLength:" << iccLength; - } -+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata); - if (bICC) { - out.write((const char*)data.pData_ + pad, iccLength); - } diff --git a/SOURCES/exiv2-CVE-2021-37619.patch b/SOURCES/exiv2-CVE-2021-37619.patch deleted file mode 100644 index 0dca35b..0000000 --- a/SOURCES/exiv2-CVE-2021-37619.patch +++ /dev/null @@ -1,100 +0,0 @@ -From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Wed, 30 Jun 2021 16:47:12 +0100 -Subject: [PATCH 1/2] Regression test for - https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v - ---- - test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes - .../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++ - 2 files changed, 18 insertions(+) - create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 - create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py - -diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py -new file mode 100644 -index 0000000000..8f8b6676cf ---- /dev/null -+++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py -@@ -0,0 +1,18 @@ -+# -*- coding: utf-8 -*- -+ -+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors -+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2") -+ -+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta): -+ """ -+ Regression test for the bug described in: -+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v -+ """ -+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v" -+ -+ filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2") -+ commands = ["$exiv2 rm $filename"] -+ stdout = [""] -+ retval = [0] -+ -+ compare_stderr = check_no_ASAN_UBSAN_errors - -From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001 -From: Kevin Backhouse -Date: Wed, 30 Jun 2021 16:47:50 +0100 -Subject: [PATCH 2/2] Fix incorrect loop condition. - ---- - src/jp2image.cpp | 6 ++++-- - .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------ - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index b6a388542f..3bf3566294 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m) - char* p = (char*) boxBuf.pData_; - bool bWroteColor = false ; - -- while ( count < length || !bWroteColor ) { -+ while ( count < length && !bWroteColor ) { - enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); - Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; - - // copy data. pointer could be into a memory mapped file which we will decode! -- Jp2BoxHeader subBox = *pSubBox ; -+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy. -+ Jp2BoxHeader subBox; -+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader)); - Jp2BoxHeader newBox = subBox; - - if ( count < length ) { -diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -index c98b3815eb..44f6a906cb 100644 ---- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -+++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py -@@ -1,7 +1,7 @@ - # -*- coding: utf-8 -*- - --from system_tests import CaseMeta, path -- -+from system_tests import CaseMeta, CopyTmpFiles, path -+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") - - class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): - """ -@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): - """ - url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj" - -- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") -- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") -+ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") -+ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") - commands = ["$exiv2 in $filename1"] - stdout = [""] - stderr = [ - """Error: XMP Toolkit error 201: XML parsing failure - Warning: Failed to decode XMP metadata. --$filename1: Could not write metadata to file: $kerCorruptedMetadata - """] -- retval = [1] -+ retval = [0] diff --git a/SOURCES/exiv2-no-rpath.patch b/SOURCES/exiv2-no-rpath.patch new file mode 100644 index 0000000..09ff0ef --- /dev/null +++ b/SOURCES/exiv2-no-rpath.patch @@ -0,0 +1,13 @@ +diff --git a/cmake/mainSetup.cmake b/cmake/mainSetup.cmake +index fcaa21f..f69fc46 100644 +--- a/cmake/mainSetup.cmake ++++ b/cmake/mainSetup.cmake +@@ -23,8 +23,6 @@ if (UNIX) + if (APPLE) + set(CMAKE_MACOSX_RPATH ON) + set(CMAKE_INSTALL_RPATH "@loader_path") +- else() +- join_paths(CMAKE_INSTALL_RPATH "$ORIGIN" ".." "${CMAKE_INSTALL_LIBDIR}") + endif() + endif() + diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec index f88602e..2196ee3 100644 --- a/SPECS/exiv2.spec +++ b/SPECS/exiv2.spec @@ -3,9 +3,9 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 -Version: 0.27.4 +Version: 0.27.5 %global internal_ver %{version} -Release: 7%{?dist} +Release: 2%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ @@ -15,17 +15,12 @@ Source0: https://github.com/Exiv2/%{name}/archive/v%{version}-%{beta}.tar.gz Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz %endif -# POC files for upstream issues -Source1: issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 -Source2: issue_ghsa_583f_w9pm_99r2_poc.jp2 - ## upstream patches -Patch1: exiv2-CVE-2021-37618.patch -Patch2: exiv2-CVE-2021-37619.patch ## security fixes ## upstreamable patches +Patch0: exiv2-no-rpath.patch BuildRequires: cmake BuildRequires: expat-devel @@ -78,9 +73,6 @@ BuildArch: noarch %prep %autosetup -n %{name}-%{version}-%{?beta}%{!?beta:Source} -p1 -cp %{SOURCE1} test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 -cp %{SOURCE2} test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 - %build %cmake \ -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \ @@ -133,6 +125,17 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Mon Nov 15 2021 Jan Grulich - 0.27.5-2 +- Remove RPATH + Resolves: bz#2018421 + +* Fri Nov 12 2021 Jan Grulich - 0.27.5-1 +- Exiv2 0.27.5 + Resolves: bz#2018421 + + Fix stack exhaustion issue in the printIFDStructure function leading to DoS + Resolves: bz#2003670 + * Tue Aug 24 2021 Jan Grulich - 0.27.4-7 - Properly install POC files Resolves: bz#1993247