gnu: exiv2: Add upstream security fixes.
Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864. * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch, gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/image.scm (exiv2)[source]: Use them.
This commit is contained in:
parent
ba2cd6c2d8
commit
4119376d66
|
@ -605,6 +605,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/eudev-rules-directory.patch \
|
%D%/packages/patches/eudev-rules-directory.patch \
|
||||||
%D%/packages/patches/evilwm-lost-focus-bug.patch \
|
%D%/packages/patches/evilwm-lost-focus-bug.patch \
|
||||||
%D%/packages/patches/exim-CVE-2017-1000369.patch \
|
%D%/packages/patches/exim-CVE-2017-1000369.patch \
|
||||||
|
%D%/packages/patches/exiv2-CVE-2017-14860.patch \
|
||||||
|
%D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
|
||||||
%D%/packages/patches/fastcap-mulGlobal.patch \
|
%D%/packages/patches/fastcap-mulGlobal.patch \
|
||||||
%D%/packages/patches/fastcap-mulSetup.patch \
|
%D%/packages/patches/fastcap-mulSetup.patch \
|
||||||
%D%/packages/patches/fasthenry-spAllocate.patch \
|
%D%/packages/patches/fasthenry-spAllocate.patch \
|
||||||
|
|
|
@ -866,6 +866,8 @@ channels.")
|
||||||
version ".tar.gz")
|
version ".tar.gz")
|
||||||
(string-append "https://fossies.org/linux/misc/exiv2-"
|
(string-append "https://fossies.org/linux/misc/exiv2-"
|
||||||
version ".tar.gz")))
|
version ".tar.gz")))
|
||||||
|
(patches (search-patches "exiv2-CVE-2017-14860.patch"
|
||||||
|
"exiv2-CVE-2017-14859-14862-14864.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
|
"1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
|
||||||
|
|
|
@ -0,0 +1,66 @@
|
||||||
|
Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
|
||||||
|
|
||||||
|
Copied from upstream:
|
||||||
|
|
||||||
|
https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
|
||||||
|
|
||||||
|
From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
|
||||||
|
Date: Sat, 7 Oct 2017 23:08:36 +0200
|
||||||
|
Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
|
||||||
|
|
||||||
|
The invalid memory dereference in
|
||||||
|
Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
|
||||||
|
is caused further up the call-stack, by
|
||||||
|
v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
|
||||||
|
passing an invalid pData pointer (pData points outside of the Tiff
|
||||||
|
file). pData can be set out of bounds in the (size > 4) branch where
|
||||||
|
baseOffset() and offset are added to pData_ without checking whether
|
||||||
|
the result is still in the file. As offset comes from an untrusted
|
||||||
|
source, an attacker can craft an arbitrarily large offset into the
|
||||||
|
file.
|
||||||
|
|
||||||
|
This commit adds a check into the problematic branch, whether the
|
||||||
|
result of the addition would be out of bounds of the Tiff
|
||||||
|
file. Furthermore the whole operation is checked for possible
|
||||||
|
overflows.
|
||||||
|
---
|
||||||
|
src/tiffvisitor.cpp | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
|
||||||
|
index 4ab733d4..ef13542e 100644
|
||||||
|
--- a/src/tiffvisitor.cpp
|
||||||
|
+++ b/src/tiffvisitor.cpp
|
||||||
|
@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
|
||||||
|
#include <iostream>
|
||||||
|
#include <iomanip>
|
||||||
|
#include <cassert>
|
||||||
|
+#include <limits>
|
||||||
|
|
||||||
|
// *****************************************************************************
|
||||||
|
namespace {
|
||||||
|
@@ -1517,7 +1518,19 @@ namespace Exiv2 {
|
||||||
|
size = 0;
|
||||||
|
}
|
||||||
|
if (size > 4) {
|
||||||
|
+ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
|
||||||
|
+ // as offset can be arbitrarily large
|
||||||
|
+ if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
|
||||||
|
+ || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
|
||||||
|
+ {
|
||||||
|
+ throw Error(59);
|
||||||
|
+ }
|
||||||
|
+ if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
|
||||||
|
+ throw Error(58);
|
||||||
|
+ }
|
||||||
|
pData = const_cast<byte*>(pData_) + baseOffset() + offset;
|
||||||
|
+
|
||||||
|
+ // check for size being invalid
|
||||||
|
if (size > static_cast<uint32_t>(pLast_ - pData)) {
|
||||||
|
#ifndef SUPPRESS_WARNINGS
|
||||||
|
EXV_ERROR << "Upper boundary of data for "
|
|
@ -0,0 +1,48 @@
|
||||||
|
Fix CVE-2017-14860.
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
|
||||||
|
https://nvd.nist.gov/vuln/detail/CVE-2017-14860
|
||||||
|
|
||||||
|
Copied from upstream:
|
||||||
|
|
||||||
|
https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
|
||||||
|
|
||||||
|
From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
|
||||||
|
Date: Fri, 6 Oct 2017 23:09:08 +0200
|
||||||
|
Subject: [PATCH] Fix for CVE-2017-14860
|
||||||
|
|
||||||
|
A heap buffer overflow could occur in memcpy when icc.size_ is larger
|
||||||
|
than data.size_ - pad, as then memcpy would read out of bounds of data.
|
||||||
|
|
||||||
|
This commit adds a sanity check to iccLength (= icc.size_): if it is
|
||||||
|
larger than data.size_ - pad (i.e. an overflow would be caused) an
|
||||||
|
exception is thrown.
|
||||||
|
|
||||||
|
This fixes #71.
|
||||||
|
---
|
||||||
|
src/jp2image.cpp | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
||||||
|
index 747145cf..748d39b5 100644
|
||||||
|
--- a/src/jp2image.cpp
|
||||||
|
+++ b/src/jp2image.cpp
|
||||||
|
@@ -269,10 +269,15 @@ namespace Exiv2
|
||||||
|
std::cout << "Exiv2::Jp2Image::readMetadata: "
|
||||||
|
<< "Color data found" << std::endl;
|
||||||
|
#endif
|
||||||
|
- long pad = 3 ; // 3 padding bytes 2 0 0
|
||||||
|
+ const long pad = 3 ; // 3 padding bytes 2 0 0
|
||||||
|
DataBuf data(subBox.length+8);
|
||||||
|
io_->read(data.pData_,data.size_);
|
||||||
|
- long iccLength = getULong(data.pData_+pad, bigEndian);
|
||||||
|
+ const long iccLength = getULong(data.pData_+pad, bigEndian);
|
||||||
|
+ // subtracting pad from data.size_ is safe:
|
||||||
|
+ // size_ is at least 8 and pad = 3
|
||||||
|
+ if (iccLength > data.size_ - pad) {
|
||||||
|
+ throw Error(58);
|
||||||
|
+ }
|
||||||
|
DataBuf icc(iccLength);
|
||||||
|
::memcpy(icc.pData_,data.pData_+pad,icc.size_);
|
||||||
|
#ifdef DEBUG
|
Loading…
Reference in New Issue