Accepting request 566573 from home:kbabioch:branches:graphics

- Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE entry data of the input file (bnc#1055857) - Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read vulnerability (bnc#1059893) OBS-URL: https://build.opensuse.org/request/show/566573 OBS-URL: https://build.opensuse.org/package/show/graphics/libexif?expand=0&rev=31
2018-01-17 09:59:13 +00:00 · 2018-01-17 09:59:13 +00:00 · 2923373f20
commit 2923373f20
parent 0da365ff63
4 changed files with 93 additions and 1 deletions
--- a/CVE-2016-6328.patch
+++ b/CVE-2016-6328.patch
@ -0,0 +1,60 @@
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 2)
+					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
+				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 4)
+					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
+				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		break;
+ 	}
+ 
+-	return (val);
+	return val;
+ }
--- a/CVE-2017-7544.patch
+++ b/CVE-2017-7544.patch
@ -0,0 +1,20 @@
+Index: libexif/exif-data.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
+retrieving revision 1.131
+diff -u -r1.131 exif-data.c
+--- libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
+++ libexif/exif-data.c	25 Jul 2017 21:34:06 -0000
+@@ -255,6 +255,12 @@
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
+			if (exif_format_get_size (e->format) != 1) {
+				/* e->format is taken from input code,
+				 * but we need to make sure it is a 1 byte
+				 * entity due to the multiplication below. */
+				e->format = EXIF_FORMAT_UNDEFINED;
+			}
+ 		}
+ 	}
+ 
--- a/libexif.changes
+++ b/libexif.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jan 17 09:32:25 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE
+  entry data of the input file (bnc#1055857)
+- Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read
+  vulnerability (bnc#1059893)
+
 -------------------------------------------------------------------
 Mon Aug  7 15:10:07 UTC 2017 - meissner@suse.com

--- a/libexif.spec
+++ b/libexif.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libexif
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,8 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Source0:        https://downloads.sourceforge.net/project/libexif/%{name}/%{version}/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
 Patch0:         libexif-build-date.patch
+Patch1:         CVE-2016-6328.patch
+Patch2:         CVE-2017-7544.patch

 %define pname libexif12

@ -62,6 +64,8 @@ digital cameras.
 %prep 
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p0
 %build
 export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
 %configure --with-pic \