Accepting request 807015 from graphics

- libexif-0.6.22 (2020-05-18) release:
  * New translations: ms
  * Updated translations for most languages
  * Fixed C89 compatibility
  * Fixed warnings on recent versions of autoconf
  * Some useful EXIF 2.3 tag added:
    * EXIF_TAG_GAMMA
    * EXIF_TAG_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
    * EXIF_TAG_GPS_H_POSITIONING_ERROR
    * EXIF_TAG_CAMERA_OWNER_NAME
    * EXIF_TAG_BODY_SERIAL_NUMBER
    * EXIF_TAG_LENS_SPECIFICATION
    * EXIF_TAG_LENS_MAKE
    * EXIF_TAG_LENS_MODEL
    * EXIF_TAG_LENS_SERIAL_NUMBER
  * Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
    * CVE-2018-20030: Fix for recursion DoS (bsc#1120943)
    * CVE-2020-13114: Time consumption DoS when parsing canon array markers
    * CVE-2020-13113: Potential use of uninitialized memory 
    * CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
    * CVE-2020-0093: read overflow (bsc#1171847)
    * CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs (bsc#1160770)
    * CVE-2020-12767: fixed division by zero (bsc#1171475)
    * CVE-2016-6328: fixed integer overflow when parsing maker notes (bsc#1171475)
    * CVE-2017-7544: fixed buffer overread (bsc#1059893)
- removed patch: libexif-build-date.patch (done similar upstream)
- CVE-2016-6328.patch: in upstream release
- CVE-2017-7544.patch: in upstream release

OBS-URL: https://build.opensuse.org/request/show/807015
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libexif?expand=0&rev=42

CVE-2016-6328.patch

@@ -1,60 +0,0 @@
-From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Tue, 25 Jul 2017 23:44:44 +0200
-Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
- makernote entries.
-
-This should fix:
-https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
----
- libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
-index d03d159..ea0429a 100644
---- a/libexif/pentax/mnote-pentax-entry.c
-+++ b/libexif/pentax/mnote-pentax-entry.c
-@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- 		case EXIF_FORMAT_SHORT:
- 		  {
- 			const unsigned char *data = entry->data;
--		  	size_t k, len = strlen(val);
-+		  	size_t k, len = strlen(val), sizeleft;
-+
-+			sizeleft = entry->size;
- 		  	for(k=0; k<entry->components; k++) {
-+				if (sizeleft < 2)
-+					break;
- 				vs = exif_get_short (data, entry->order);
- 				snprintf (val+len, maxlen-len, "%i ", vs);
- 				len = strlen(val);
- 				data += 2;
-+				sizeleft -= 2;
- 			}
- 		  }
- 		  break;
- 		case EXIF_FORMAT_LONG:
- 		  {
- 			const unsigned char *data = entry->data;
--		  	size_t k, len = strlen(val);
-+		  	size_t k, len = strlen(val), sizeleft;
-+
-+			sizeleft = entry->size;
- 		  	for(k=0; k<entry->components; k++) {
-+				if (sizeleft < 4)
-+					break;
- 				vl = exif_get_long (data, entry->order);
- 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
- 				len = strlen(val);
- 				data += 4;
-+				sizeleft -= 4;
- 			}
- 		  }
- 		  break;
-@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- 		break;
- 	}
- 
--	return (val);
-+	return val;
- }

CVE-2017-7544.patch

@@ -1,20 +0,0 @@
-Index: libexif/exif-data.c
-===================================================================
-RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
-retrieving revision 1.131
-diff -u -r1.131 exif-data.c
---- libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
-+++ libexif/exif-data.c	25 Jul 2017 21:34:06 -0000
-@@ -255,6 +255,12 @@
- 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
- 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
- 			e->components = e->size;
-+			if (exif_format_get_size (e->format) != 1) {
-+				/* e->format is taken from input code,
-+				 * but we need to make sure it is a 1 byte
-+				 * entity due to the multiplication below. */
-+				e->format = EXIF_FORMAT_UNDEFINED;
-+			}
- 		}
- 	}
- 

libexif-0.6.21.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a
-size 1368435

libexif-0.6.22.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8672d93172a0cd022aba49ede265d2d3f1aa0977c62dec5bda5e108cad237233
+size 1900414

libexif-0.6.22.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEfEr9Ydiq51cHlqUXIgnWkC+WnJUFAl7CsXsACgkQIgnWkC+W
+nJWv7Q//UNlR0Cf5I+skfhwcCnEu3V5gikptwSHBunMzLyC6YH39uoAScT2Ist4A
+KRRe1INM8Z2W13o7wW0rTdCRlVV/zWmLNjSYgU6Wr0nohG7l38VM6uyvZQjb+4yR
+8IkXYy3uurWQDm2MpTJrWpNQoEoX3sSXzUVOD4VMBqz4C/c4BmRpe7e0YkdkeobR
+XFgiita0umBX/DXeWwjRF2nbkgJOKGCzGeAcQzC9SIfemT2WvuBLqfVHSUTBYIHI
+MsZibvSh7CQdTnpeL80r5nfL2GjJeyhLYwFLa4yUGYrQ0/IpGBwNqmy6qqc5jQMk
+7mVdAg/gnUF4EY+0w8i+91e6pu2FF7WExoANjosU59V+YNqqKf0mgdk1BjLdSmBv
+4n6PFp7STQdU8zzgVhxDc2eEHfbBpvmRfL8iByx4ilTzl/awPOjeIREWBD2lailc
+1ICJoXIO6gT9euQvBnnCINOdZ+jN/cPSMPRfO6mGg1HfjW2zcyaAPqYBV94sCCf2
+IheRM1qiVF5UYAwKIt6VE/YxjnJuUvN2p4m++R9LGOBd96Lvp4TB+HltcwpPV0EO
+cEcvEJmTtWKZMTycXIzvrR+qHvwfiduXbLulCQw55r8UHd7k5X8uFlt0TAebY/9q
+qALFCoAbICw0AUZGXqUAl/G6PqtjzM68C/3RmM6aPKFPHn6PBZI=
+=0Wku
+-----END PGP SIGNATURE-----

libexif-build-date.patch

@@ -1,14 +0,0 @@
---- libexif-0.6.21.orig/doc/Doxyfile-internals.in
-+++ libexif-0.6.21/doc/Doxyfile-internals.in
-@@ -1214,3 +1214,4 @@ DOT_CLEANUP            = YES
- # used. If set to NO the values of all tags below this one will be ignored.
- 
- SEARCHENGINE           = NO
-+HTML_TIMESTAMP         = NO
---- libexif-0.6.21.orig/doc/Doxyfile.in
-+++ libexif-0.6.21/doc/Doxyfile.in
-@@ -1214,3 +1214,4 @@ DOT_CLEANUP            = YES
- # used. If set to NO the values of all tags below this one will be ignored.
- 
- SEARCHENGINE           = NO
-+HTML_TIMESTAMP         = NO

libexif.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon May 18 16:08:17 UTC 2020 - Marcus Meissner <meissner@suse.com>
+
+- libexif-0.6.22 (2020-05-18) release:
+  * New translations: ms
+  * Updated translations for most languages
+  * Fixed C89 compatibility
+  * Fixed warnings on recent versions of autoconf
+  * Some useful EXIF 2.3 tag added:
+    * EXIF_TAG_GAMMA
+    * EXIF_TAG_COMPOSITE_IMAGE
+    * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
+    * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
+    * EXIF_TAG_GPS_H_POSITIONING_ERROR
+    * EXIF_TAG_CAMERA_OWNER_NAME
+    * EXIF_TAG_BODY_SERIAL_NUMBER
+    * EXIF_TAG_LENS_SPECIFICATION
+    * EXIF_TAG_LENS_MAKE
+    * EXIF_TAG_LENS_MODEL
+    * EXIF_TAG_LENS_SERIAL_NUMBER
+  * Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
+    * CVE-2018-20030: Fix for recursion DoS (bsc#1120943)
+    * CVE-2020-13114: Time consumption DoS when parsing canon array markers
+    * CVE-2020-13113: Potential use of uninitialized memory 
+    * CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
+    * CVE-2020-0093: read overflow (bsc#1171847)
+    * CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs (bsc#1160770)
+    * CVE-2020-12767: fixed division by zero (bsc#1171475)
+    * CVE-2016-6328: fixed integer overflow when parsing maker notes (bsc#1171475)
+    * CVE-2017-7544: fixed buffer overread (bsc#1059893)
+- removed patch: libexif-build-date.patch (done similar upstream)
+- CVE-2016-6328.patch: in upstream release
+- CVE-2017-7544.patch: in upstream release
+
 -------------------------------------------------------------------
 Wed Jan 24 11:36:21 UTC 2018 - jengelh@inai.de
 

libexif.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libexif
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,23 +12,22 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
 Name:           libexif
-Version:        0.6.21
+Version:        0.6.22
 Release:        0
-Url:            http://libexif.sourceforge.net
+URL:            http://libexif.sourceforge.net
 Summary:        An EXIF Tag Parsing Library for Digital Cameras
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Source0:        https://downloads.sourceforge.net/project/libexif/%{name}/%{version}/%{name}-%{version}.tar.bz2
+Source0:        %{name}-%{version}.tar.bz2
+Source2:        %{name}-%{version}.tar.bz2.asc
+Source3:        %name.keyring
 Source1:        baselibs.conf
-Patch0:         libexif-build-date.patch
-Patch1:         CVE-2016-6328.patch
-Patch2:         CVE-2017-7544.patch
 BuildRequires:  doxygen
 BuildRequires:  pkg-config
 
@@ -62,9 +61,6 @@ digital cameras.
 
 %prep 
 %setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p0
 
 %build
 export CFLAGS="%optflags $(getconf LFS_CFLAGS)"