pool/libexif
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 566573 from home:kbabioch:branches:graphics

Browse Source 
- Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE
  entry data of the input file (bnc#1055857)
- Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read
  vulnerability (bnc#1059893)

OBS-URL: https://build.opensuse.org/request/show/566573
OBS-URL: https://build.opensuse.org/package/show/graphics/libexif?expand=0&rev=31
This commit is contained in:
Marcus Meissner 2018-01-17 09:59:13 +00:00 committed by Git OBS Bridge
parent 0da365ff63
commit 2923373f20
4 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
CVE-2016-6328.patch Normal file
View File

@ -0,0 +1,60 @@
From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:44:44 +0200
Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
makernote entries.
This should fix:
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
---
libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index d03d159..ea0429a 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
case EXIF_FORMAT_SHORT:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
vs = exif_get_short (data, entry->order);
snprintf (val+len, maxlen-len, "%i ", vs);
len = strlen(val);
data += 2;
+ sizeleft -= 2;
}
}
break;
case EXIF_FORMAT_LONG:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
vl = exif_get_long (data, entry->order);
snprintf (val+len, maxlen-len, "%li", (long int) vl);
len = strlen(val);
data += 4;
+ sizeleft -= 4;
}
}
break;
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
break;
}
- return (val);
+ return val;
}

20
CVE-2017-7544.patch Normal file
View File

@ -0,0 +1,20 @@
Index: libexif/exif-data.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
retrieving revision 1.131
diff -u -r1.131 exif-data.c
--- libexif/exif-data.c 12 Jul 2012 17:28:26 -0000 1.131
+++ libexif/exif-data.c 25 Jul 2017 21:34:06 -0000
@@ -255,6 +255,12 @@
exif_mnote_data_set_offset (data->priv->md, *ds - 6);
exif_mnote_data_save (data->priv->md, &e->data, &e->size);
e->components = e->size;
+ if (exif_format_get_size (e->format) != 1) {
+ /* e->format is taken from input code,
+ * but we need to make sure it is a 1 byte
+ * entity due to the multiplication below. */
+ e->format = EXIF_FORMAT_UNDEFINED;
+ }
}
}

8
libexif.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Jan 17 09:32:25 UTC 2018 - kbabioch@suse.com
- Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE
entry data of the input file (bnc#1055857)
- Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read
vulnerability (bnc#1059893)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 7 15:10:07 UTC 2017 - meissner@suse.com Mon Aug 7 15:10:07 UTC 2017 - meissner@suse.com

6
libexif.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package libexif # spec file for package libexif
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source0: https://downloads.sourceforge.net/project/libexif/%{name}/%{version}/%{name}-%{version}.tar.bz2 Source0: https://downloads.sourceforge.net/project/libexif/%{name}/%{version}/%{name}-%{version}.tar.bz2
Source1: baselibs.conf Source1: baselibs.conf
Patch0: libexif-build-date.patch Patch0: libexif-build-date.patch
Patch1: CVE-2016-6328.patch
Patch2: CVE-2017-7544.patch
%define pname libexif12 %define pname libexif12
@ -62,6 +64,8 @@ digital cameras.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p0
%build %build
export CFLAGS="%optflags $(getconf LFS_CFLAGS)" export CFLAGS="%optflags $(getconf LFS_CFLAGS)"
%configure --with-pic \ %configure --with-pic \