author | Leo <thinkabit.ukim@gmail.com> | 2020-03-15 14:49:24 -0300 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-03-15 14:51:20 -0300 |
commit | f7de796e6aaa9b44eed3b77e1c0e66fff453d454 (patch) | |
tree | 29ae28975607b5b60570e8b478b2679c9da90f69 | |
parent | 6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (diff) | |
main/exiv2: fix CVE-2019-20421
See #11191
-rw-r--r-- | main/exiv2/APKBUILD | 8 | ||||
-rw-r--r-- | main/exiv2/CVE-2019-20421.patch | 117 |
2 files changed, 123 insertions, 2 deletions
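--- a/main/exiv2/APKBUILD
+++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=exiv2
 pkgver=0.27.2
-pkgrel=2
+pkgrel=3
 pkgdesc="Exif and Iptc metadata manipulation library and tools."
 url="https://exiv2.org"
 arch="all"
@@ -12,10 +12,13 @@ makedepends="$depends_dev cmake"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
 CVE-2019-17402.patch
+CVE-2019-20421.patch
 "
 builddir="$srcdir"/$pkgname-$pkgver-Source
 
 # secfixes:
+# 0.27.2-r3:
+# - CVE-2019-20421
 # 0.27.2-r2:
 # - CVE-2019-17402
 # 0.27.2-r0:
@@ -52,4 +55,5 @@ package() {
 }
 
 sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz
-da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch"
+da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch
+b2b881e47e4cad8b04492f7475400af9f28fa8f9dfb1e96d4d0d8caa6a469e76aafc056023254446e1026be8270f1b094b5195fe44f18c87283f6c6d808c37ee CVE-2019-20421.patch"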
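--- /dev/null
+++ b/main/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,117 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+---
+src/jp2image.cpp | 25 +++++++++++++++----
+tests/bugfixes/github/test_CVE_2017_17725.py | 4 +--
+tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++
+4 files changed, 35 insertions(+), 7 deletions(-)
+create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+* Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+*/
+
+-/*
+- File: jp2image.cpp
+-*/
+-
+// *****************************************************************************
+
+// included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+return result;
+}
+
++static void boxes_check(size_t b,size_t m)
++{
++ if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++ throw Error(kerCorruptedMetadata);
++ }
++}
++
+void Jp2Image::readMetadata()
+{
+#ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+Jp2BoxHeader subBox = {0,0};
+Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
+Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++ size_t boxes = 0 ;
++ size_t boxem = 1000 ; // boxes max
+
+while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+{
++ boxes_check(boxes++,boxem );
+position = io_->tell();
+box.length = getLong((byte*)&box.length, bigEndian);
+box.type = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+
+while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+{
++ boxes_check(boxes++, boxem) ;
+subBox.length = getLong((byte*)&subBox.length, bigEndian);
+subBox.type = getLong((byte*)&subBox.type, bigEndian);
++ if (subBox.length > io_->size() ) {
++ throw Error(kerCorruptedMetadata);
++ }
+#ifdef EXIV2_DEBUG_MESSAGES
+std::cout << "Exiv2::Jp2Image::readMetadata: "
+<< "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+}
+
+io_->seek(restore,BasicIo::beg);
+- io_->seek(subBox.length, Exiv2::BasicIo::cur);
++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++ throw Error(kerCorruptedMetadata);
++ }
+restore = io_->tell();
+}
+break;
+
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
++++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+filename = "$data_path/poc_2017-12-12_issue188"
+commands = ["$exiv2 " + filename]
+stdout = [""]
+- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
+"""]
+retval = [1]
+diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
+new file mode 100644
+index 000000000..415861188
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_1011.py
+@@ -0,0 +1,13 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path
++
++class Test_issue_1011(metaclass=CaseMeta):
++
++ filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
++ commands = ["$exiv2 " + filename]
++ stdout = [""]
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
++"""]
++ retval = [1]
+\ No newline at end of file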
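Review bot: The bound added in the sub-box loop of `Jp2Image::readMetadata`, `if (subBox.length > io_->size() )`, compares the declared length with the size of the whole file, so a sub-box that claims more bytes than remain from its own offset still passes and is stopped only later by the new `seek` return check or the 1000-box cap. Comparing against the bytes left would reject it where it is parsed, for example `if (subBox.length > io_->size() - restore) throw Error(kerCorruptedMetadata);`, assuming `restore` holds the sub-box start offset as the later `io_->seek(restore,BasicIo::beg)` suggests and that the operand types are reconciled; its declaration is outside the hunks. The outer loop receives only the `boxes_check` call in the visible lines, so whether `box.length` is validated the same way cannot be confirmed from this patch. `boxem = 1000` is an unexplained limit; a named constant with a comment such as `// upper bound on boxes parsed per file, so corrupt input cannot keep the loop running` would document the intent. `readMetadata` starts and ends outside the hunks shown.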