diff --git a/CVE-2016-6328.patch b/CVE-2016-6328.patch new file mode 100644 index 0000000..c1dcbf0 --- /dev/null +++ b/CVE-2016-6328.patch @@ -0,0 +1,60 @@ +From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Tue, 25 Jul 2017 23:44:44 +0200 +Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax + makernote entries. + +This should fix: +https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 +--- + libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c +index d03d159..ea0429a 100644 +--- a/libexif/pentax/mnote-pentax-entry.c ++++ b/libexif/pentax/mnote-pentax-entry.c +@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + case EXIF_FORMAT_SHORT: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; kcomponents; k++) { ++ if (sizeleft < 2) ++ break; + vs = exif_get_short (data, entry->order); + snprintf (val+len, maxlen-len, "%i ", vs); + len = strlen(val); + data += 2; ++ sizeleft -= 2; + } + } + break; + case EXIF_FORMAT_LONG: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; kcomponents; k++) { ++ if (sizeleft < 4) ++ break; + vl = exif_get_long (data, entry->order); + snprintf (val+len, maxlen-len, "%li", (long int) vl); + len = strlen(val); + data += 4; ++ sizeleft -= 4; + } + } + break; +@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + break; + } + +- return (val); ++ return val; + } diff --git a/CVE-2017-7544.patch b/CVE-2017-7544.patch new file mode 100644 index 0000000..ab7042d --- /dev/null +++ b/CVE-2017-7544.patch @@ -0,0 +1,20 @@ +Index: libexif/exif-data.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v +retrieving revision 1.131 +diff -u -r1.131 exif-data.c +--- libexif/exif-data.c 12 Jul 2012 17:28:26 -0000 1.131 ++++ libexif/exif-data.c 25 Jul 2017 21:34:06 -0000 +@@ -255,6 +255,12 @@ + exif_mnote_data_set_offset (data->priv->md, *ds - 6); + exif_mnote_data_save (data->priv->md, &e->data, &e->size); + e->components = e->size; ++ if (exif_format_get_size (e->format) != 1) { ++ /* e->format is taken from input code, ++ * but we need to make sure it is a 1 byte ++ * entity due to the multiplication below. */ ++ e->format = EXIF_FORMAT_UNDEFINED; ++ } + } + } + diff --git a/libexif.changes b/libexif.changes index 79a65f7..0a397d2 100644 --- a/libexif.changes +++ b/libexif.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Jan 24 11:36:21 UTC 2018 - jengelh@inai.de + +- Remove %__-type macro indirections. Fix SRPM group. +- Use %_smp_mflags for parallel build. +- Drop pointless --with-pic (no effect since --disable-static). + +------------------------------------------------------------------- +Wed Jan 17 09:32:25 UTC 2018 - kbabioch@suse.com + +- Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE + entry data of the input file (bnc#1055857) +- Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read + vulnerability (bnc#1059893) + ------------------------------------------------------------------- Mon Aug 7 15:10:07 UTC 2017 - meissner@suse.com diff --git a/libexif.spec b/libexif.spec index 17dfc8a..55ed599 100644 --- a/libexif.spec +++ b/libexif.spec @@ -1,7 +1,7 @@ # # spec file for package libexif # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,25 +17,26 @@ Name: libexif -BuildRequires: doxygen -BuildRequires: pkg-config +Version: 0.6.21 +Release: 0 Url: http://libexif.sourceforge.net Summary: An EXIF Tag Parsing Library for Digital Cameras License: LGPL-2.1+ -Group: System/Libraries -Version: 0.6.21 -Release: 0 +Group: Development/Libraries/C and C++ BuildRoot: %{_tmppath}/%{name}-%{version}-build Source0: https://downloads.sourceforge.net/project/libexif/%{name}/%{version}/%{name}-%{version}.tar.bz2 Source1: baselibs.conf Patch0: libexif-build-date.patch +Patch1: CVE-2016-6328.patch +Patch2: CVE-2017-7544.patch +BuildRequires: doxygen +BuildRequires: pkg-config %define pname libexif12 %define debug_package_requires %{pname} = %{version}-%{release} %package -n %{pname} - Summary: An EXIF Tag Parsing Library for Digital Cameras Group: System/Libraries Provides: libexif = %{version} @@ -62,12 +63,15 @@ digital cameras. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p0 + %build export CFLAGS="%optflags $(getconf LFS_CFLAGS)" -%configure --with-pic \ +%configure \ --disable-static \ --with-doc-dir=%{_docdir}/%{name} -%{__make} %{?jobs:-j%jobs} +make %{?_smp_mflags} %check make check @@ -75,7 +79,7 @@ make check %install %makeinstall %find_lang %{name}-12 -%{__rm} -f %{buildroot}%{_libdir}/*.la +rm -f %{buildroot}/%{_libdir}/*.la %post -n %{pname} -p /sbin/ldconfig