From 5a4e5c26cc3fb24e0e7f6a2d95f03396f3d0b014 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 10 Jul 2019 14:27:51 +0300 Subject: [PATCH] gnu: libexif: Fix CVE-2018-20030. * gnu/packages/photo.scm (libexif)[source]: Add patch. * gnu/packages/patches/libexif-CVE-2018-20030.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + .../patches/libexif-CVE-2018-20030.patch | 120 ++++++++++++++++++ gnu/packages/photo.scm | 5 +- 3 files changed, 124 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/libexif-CVE-2018-20030.patch diff --git a/gnu/local.mk b/gnu/local.mk index 2821cdcca9..66f904291b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1006,6 +1006,7 @@ dist_patch_DATA = \ %D%/packages/patches/libdrm-symbol-check.patch \ %D%/packages/patches/libexif-CVE-2016-6328.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \ + %D%/packages/patches/libexif-CVE-2018-20030.patch \ %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \ %D%/packages/patches/libgit2-avoid-python.patch \ %D%/packages/patches/libgit2-mtime-0.patch \ diff --git a/gnu/packages/patches/libexif-CVE-2018-20030.patch b/gnu/packages/patches/libexif-CVE-2018-20030.patch new file mode 100644 index 0000000000..57e4746b58 --- /dev/null +++ b/gnu/packages/patches/libexif-CVE-2018-20030.patch @@ -0,0 +1,120 @@ +https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89.patch + +NEWS section was removed +'12' -> '30' on line 79 + +From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Fri, 12 Oct 2018 16:01:45 +0200 +Subject: [PATCH] Improve deep recursion detection in + exif_data_load_data_content. + +The existing detection was still vulnerable to pathological cases +causing DoS by wasting CPU. The new algorithm takes the number of tags +into account to make it harder to abuse by cases using shallow recursion +but with a very large number of tags. This improves on commit 5d28011c +which wasn't sufficient to counter this kind of case. + +The limitation in the previous fix was discovered by Laurent Delosieres, +Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned +the identifier CVE-2018-20030. +--- + NEWS | 1 + + libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++-------- + 2 files changed, 38 insertions(+), 8 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index e35403d..a6f9c94 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -35,6 +35,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ + break; \ + } + ++/*! Calculate the recursion cost added by one level of IFD loading. ++ * ++ * The work performed is related to the cost in the exponential relation ++ * work=1.1**cost ++ */ ++static unsigned int ++level_cost(unsigned int n) ++{ ++ static const double log_1_1 = 0.09531017980432493; ++ ++ /* Adding 0.1 protects against the case where n==1 */ ++ return ceil(log(n + 0.1)/log_1_1); ++} ++ + /*! Load data for an IFD. + * + * \param[in,out] data #ExifData +@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \ + * \param[in] d pointer to buffer containing raw IFD data + * \param[in] ds size of raw data in buffer at \c d + * \param[in] offset offset into buffer at \c d at which IFD starts +- * \param[in] recursion_depth number of times this function has been +- * recursively called without returning ++ * \param[in] recursion_cost factor indicating how expensive this recursive ++ * call could be + */ + static void + exif_data_load_data_content (ExifData *data, ExifIfd ifd, + const unsigned char *d, +- unsigned int ds, unsigned int offset, unsigned int recursion_depth) ++ unsigned int ds, unsigned int offset, unsigned int recursion_cost) + { + ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; + ExifShort n; +@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 30) { ++ if (recursion_cost > 170) { ++ /* ++ * recursion_cost is a logarithmic-scale indicator of how expensive this ++ * recursive call might end up being. It is an indicator of the depth of ++ * recursion as well as the potential for worst-case future recursive ++ * calls. Since it's difficult to tell ahead of time how often recursion ++ * will occur, this assumes the worst by assuming every tag could end up ++ * causing recursion. ++ * The value of 170 was chosen to limit typical EXIF structures to a ++ * recursive depth of about 6, but pathological ones (those with very ++ * many tags) to only 2. ++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Deep recursion detected!"); ++ "Deep/expensive recursion detected!"); + return; + } + +@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + switch (tag) { + case EXIF_TAG_EXIF_IFD_POINTER: + CHECK_REC (EXIF_IFD_EXIF); +- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_GPS_INFO_IFD_POINTER: + CHECK_REC (EXIF_IFD_GPS); +- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: + CHECK_REC (EXIF_IFD_INTEROPERABILITY); +- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: + thumbnail_offset = o; diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index cf7da80642..cbfc2debd8 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2014, 2015, 2017, 2019 Ludovic Courtès ;;; Copyright © 2015 Ricardo Wurmus ;;; Copyright © 2015, 2017 Andreas Enge -;;; Copyright © 2016, 2017, 2018 Efraim Flashner +;;; Copyright © 2016, 2017, 2018, 2019 Efraim Flashner ;;; Copyright © 2017 Roel Janssen ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice ;;; Copyright © 2018 Leo Famulari @@ -117,7 +117,8 @@ cameras (CRW/CR2, NEF, RAF, DNG, and others).") (uri (string-append "mirror://sourceforge/libexif/libexif/" version "/libexif-" version ".tar.bz2")) (patches (search-patches "libexif-CVE-2016-6328.patch" - "libexif-CVE-2017-7544.patch")) + "libexif-CVE-2017-7544.patch" + "libexif-CVE-2018-20030.patch")) (sha256 (base32 "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"))))