main/exiv2: fix CVE-2019-20421

See #11191
author: Leo <thinkabit.ukim@gmail.com> 2020-03-15 14:49:24 -0300
committer: Leo <thinkabit.ukim@gmail.com> 2020-03-15 14:51:20 -0300
commit: f7de796e6aaa9b44eed3b77e1c0e66fff453d454 (patch)
tree: 29ae28975607b5b60570e8b478b2679c9da90f69
parent: 6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (diff)
download: alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.tar.bz2
alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.tar.xz
alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.zip
2 files changed, 123 insertions, 2 deletions
diff --git a/main/exiv2/APKBUILD b/main/exiv2/APKBUILD
index 40a1751094..15bd745aa2 100644
--- a/main/exiv2/APKBUILD
+++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=exiv2
 pkgver=0.27.2
-pkgrel=2
+pkgrel=3
 pkgdesc="Exif and Iptc metadata manipulation library and tools."
 url="https://exiv2.org"
 arch="all"
@@ -12,10 +12,13 @@ makedepends="$depends_dev cmake"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
        CVE-2019-17402.patch
+        CVE-2019-20421.patch
        "
 builddir="$srcdir"/$pkgname-$pkgver-Source
 # secfixes:
+#   0.27.2-r3:
+#     - CVE-2019-20421
 #   0.27.2-r2:
 #     - CVE-2019-17402
 #   0.27.2-r0:
@@ -52,4 +55,5 @@ package() {
 }
 sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz
-da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766  CVE-2019-17402.patch"
+da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766  CVE-2019-17402.patch
+b2b881e47e4cad8b04492f7475400af9f28fa8f9dfb1e96d4d0d8caa6a469e76aafc056023254446e1026be8270f1b094b5195fe44f18c87283f6c6d808c37ee  CVE-2019-20421.patch"
diff --git a/main/exiv2/CVE-2019-20421.patch b/main/exiv2/CVE-2019-20421.patch
new file mode 100644
index 0000000000..76b88a1a75
--- /dev/null
+++ b/main/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,117 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+---
+ src/jp2image.cpp                             |  25 +++++++++++++++----
+ tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
+ tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+  */
+ 
+-/*
+-  File:      jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+ 
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+         return result;
+     }
+ 
+static void boxes_check(size_t b,size_t m)
+{
+    if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+        throw Error(kerCorruptedMetadata);
+    }
+}
+
+     void Jp2Image::readMetadata()
+     {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+         Jp2BoxHeader      subBox    = {0,0};
+         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
+         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+        size_t            boxes     = 0 ;
+        size_t            boxem     = 1000 ; // boxes max
+ 
+         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+         {
+            boxes_check(boxes++,boxem );
+             position   = io_->tell();
+             box.length = getLong((byte*)&box.length, bigEndian);
+             box.type   = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+ 
+                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+                     {
+                        boxes_check(boxes++, boxem) ;
+                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
+                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
+                        if (subBox.length > io_->size() ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
+ #ifdef EXIV2_DEBUG_MESSAGES
+                         std::cout << "Exiv2::Jp2Image::readMetadata: "
+                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+                         }
+ 
+                         io_->seek(restore,BasicIo::beg);
+-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
+                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
+                         restore = io_->tell();
+                     }
+                     break;
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+     filename = "$data_path/poc_2017-12-12_issue188"
+     commands = ["$exiv2 " + filename]
+     stdout = [""]
+-    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
+    stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
+ """]
+     retval = [1]
+diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
+new file mode 100644
+index 000000000..415861188
+--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1011.py
+@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class Test_issue_1011(metaclass=CaseMeta):
+
+    filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
+    commands = ["$exiv2 " + filename]
+    stdout   = [""]
+    stderr   = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
+"""]
+    retval = [1]
+\ No newline at end of file
author	Leo <thinkabit.ukim@gmail.com>	2020-03-15 14:49:24 -0300
committer	Leo <thinkabit.ukim@gmail.com>	2020-03-15 14:51:20 -0300
commit	f7de796e6aaa9b44eed3b77e1c0e66fff453d454 (patch)
tree	29ae28975607b5b60570e8b478b2679c9da90f69
parent	6253a98c558a2be7f91db6f2582b52cd6a0fcbf0 (diff)
download	alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.tar.bz2 alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.tar.xz alpine_aports-f7de796e6aaa9b44eed3b77e1c0e66fff453d454.zip

diff --git a/main/exiv2/APKBUILD b/main/exiv2/APKBUILD index 40a1751094..15bd745aa2 100644 --- a/main/exiv2/APKBUILD +++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2	pkgname=exiv2	2	pkgname=exiv2
3	pkgver=0.27.2	3	pkgver=0.27.2
4	pkgrel=2	4	pkgrel=3
5	pkgdesc="Exif and Iptc metadata manipulation library and tools."	5	pkgdesc="Exif and Iptc metadata manipulation library and tools."
6	url="https://exiv2.org"	6	url="https://exiv2.org"
7	arch="all"	7	arch="all"
@@ -12,10 +12,13 @@ makedepends="$depends_dev cmake"
12	subpackages="$pkgname-dev $pkgname-doc"	12	subpackages="$pkgname-dev $pkgname-doc"
13	source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz	13	source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
14	CVE-2019-17402.patch	14	CVE-2019-17402.patch
		15	CVE-2019-20421.patch
15	"	16	"
16	builddir="$srcdir"/$pkgname-$pkgver-Source	17	builddir="$srcdir"/$pkgname-$pkgver-Source
17		18
18	# secfixes:	19	# secfixes:
		20	# 0.27.2-r3:
		21	# - CVE-2019-20421
19	# 0.27.2-r2:	22	# 0.27.2-r2:
20	# - CVE-2019-17402	23	# - CVE-2019-17402
21	# 0.27.2-r0:	24	# 0.27.2-r0:
@@ -52,4 +55,5 @@ package() {
52	}	55	}
53		56
54	sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz	57	sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz
55	da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch"	58	da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch
		59	b2b881e47e4cad8b04492f7475400af9f28fa8f9dfb1e96d4d0d8caa6a469e76aafc056023254446e1026be8270f1b094b5195fe44f18c87283f6c6d808c37ee CVE-2019-20421.patch"


diff --git a/main/exiv2/CVE-2019-20421.patch b/main/exiv2/CVE-2019-20421.patch new file mode 100644 index 0000000000..76b88a1a75 --- /dev/null +++ b/main/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,117 @@
		1	From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
		2	From: clanmills <robin@clanmills.com>
		3	Date: Tue, 1 Oct 2019 17:39:44 +0100
		4	Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
		5
		6	---
		7	src/jp2image.cpp \| 25 +++++++++++++++----
		8	tests/bugfixes/github/test_CVE_2017_17725.py \| 4 +--
		9	tests/bugfixes/github/test_issue_1011.py \| 13 ++++++++++
		10	4 files changed, 35 insertions(+), 7 deletions(-)
		11	create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
		12	create mode 100644 tests/bugfixes/github/test_issue_1011.py
		13
		14	diff --git a/src/jp2image.cpp b/src/jp2image.cpp
		15	index d5cd1340a..0de088d62 100644
		16	--- a/src/jp2image.cpp
		17	+++ b/src/jp2image.cpp
		18	@@ -18,10 +18,6 @@
		19	* Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
		20	*/
		21
		22	-/*
		23	- File: jp2image.cpp
		24	-*/
		25	-
		26	// *****************************************************************************
		27
		28	// included header files
		29	@@ -197,6 +193,16 @@ namespace Exiv2
		30	return result;
		31	}
		32
		33	+static void boxes_check(size_t b,size_t m)
		34	+{
		35	+ if ( b > m ) {
		36	+#ifdef EXIV2_DEBUG_MESSAGES
		37	+ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
		38	+#endif
		39	+ throw Error(kerCorruptedMetadata);
		40	+ }
		41	+}
		42	+
		43	void Jp2Image::readMetadata()
		44	{
		45	#ifdef EXIV2_DEBUG_MESSAGES
		46	@@ -219,9 +225,12 @@ namespace Exiv2
		47	Jp2BoxHeader subBox = {0,0};
		48	Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
		49	Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
		50	+ size_t boxes = 0 ;
		51	+ size_t boxem = 1000 ; // boxes max
		52
		53	while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
		54	{
		55	+ boxes_check(boxes++,boxem );
		56	position = io_->tell();
		57	box.length = getLong((byte*)&box.length, bigEndian);
		58	box.type = getLong((byte*)&box.type, bigEndian);
		59	@@ -251,8 +260,12 @@ namespace Exiv2
		60
		61	while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
		62	{
		63	+ boxes_check(boxes++, boxem) ;
		64	subBox.length = getLong((byte*)&subBox.length, bigEndian);
		65	subBox.type = getLong((byte*)&subBox.type, bigEndian);
		66	+ if (subBox.length > io_->size() ) {
		67	+ throw Error(kerCorruptedMetadata);
		68	+ }
		69	#ifdef EXIV2_DEBUG_MESSAGES
		70	std::cout << "Exiv2::Jp2Image::readMetadata: "
		71	<< "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
		72	@@ -308,7 +321,9 @@ namespace Exiv2
		73	}
		74
		75	io_->seek(restore,BasicIo::beg);
		76	- io_->seek(subBox.length, Exiv2::BasicIo::cur);
		77	+ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
		78	+ throw Error(kerCorruptedMetadata);
		79	+ }
		80	restore = io_->tell();
		81	}
		82	break;
		83
		84	diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
		85	index 1127b9806..670a75d8d 100644
		86	--- a/tests/bugfixes/github/test_CVE_2017_17725.py
		87	+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
		88	@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
		89	filename = "$data_path/poc_2017-12-12_issue188"
		90	commands = ["$exiv2 " + filename]
		91	stdout = [""]
		92	- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
		93	-$addition_overflow_message
		94	+ stderr = ["""$exiv2_exception_message """ + filename + """:
		95	+$kerCorruptedMetadata
		96	"""]
		97	retval = [1]
		98	diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
		99	new file mode 100644
		100	index 000000000..415861188
		101	--- /dev/null
		102	+++ b/tests/bugfixes/github/test_issue_1011.py
		103	@@ -0,0 +1,13 @@
		104	+# -- coding: utf-8 --
		105	+
		106	+from system_tests import CaseMeta, path
		107	+
		108	+class Test_issue_1011(metaclass=CaseMeta):
		109	+
		110	+ filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
		111	+ commands = ["$exiv2 " + filename]
		112	+ stdout = [""]
		113	+ stderr = ["""$exiv2_exception_message """ + filename + """:
		114	+$kerCorruptedMetadata
		115	+"""]
		116	+ retval = [1]
		117	\ No newline at end of file