diff options
author | nia <nia@pkgsrc.org> | 2020-03-25 11:47:23 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2020-03-25 11:47:23 +0000 |
commit | 8cd07dad95cbae41916084e342bc559728622b58 (patch) | |
tree | a8323ff120b8493b3d6fe0352b88c288e5e6ee1e /graphics | |
parent | bb71bf97f4a6686f46800cfe696afd1b230d73c0 (diff) | |
download | pkgsrc-8cd07dad95cbae41916084e342bc559728622b58.tar.gz |
libexif: Apply upstream's fix for CVE-2019-9278
Diffstat (limited to 'graphics')
-rw-r--r-- | graphics/libexif/Makefile | 4 | ||||
-rw-r--r-- | graphics/libexif/distinfo | 4 | ||||
-rw-r--r-- | graphics/libexif/patches/patch-libexif_exif-data.c | 84 |
3 files changed, 76 insertions, 16 deletions
diff --git a/graphics/libexif/Makefile b/graphics/libexif/Makefile index 6c43e553ba4..ecbc78f3b4a 100644 --- a/graphics/libexif/Makefile +++ b/graphics/libexif/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.46 2020/02/20 15:36:17 nia Exp $ +# $NetBSD: Makefile,v 1.47 2020/03/25 11:47:23 nia Exp $ DISTNAME= libexif-0.6.21 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libexif/} EXTRACT_SUFX= .tar.bz2 diff --git a/graphics/libexif/distinfo b/graphics/libexif/distinfo index 99536fc085d..e2061adc22d 100644 --- a/graphics/libexif/distinfo +++ b/graphics/libexif/distinfo @@ -1,7 +1,7 @@ -$NetBSD: distinfo,v 1.30 2018/10/13 10:17:30 leot Exp $ +$NetBSD: distinfo,v 1.31 2020/03/25 11:47:23 nia Exp $ SHA1 (libexif-0.6.21.tar.bz2) = a52219b12dbc8d33fc096468591170fda71316c0 RMD160 (libexif-0.6.21.tar.bz2) = 979f06096b7271d8713c1766e0ad5dfabb06c531 SHA512 (libexif-0.6.21.tar.bz2) = 4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35 Size (libexif-0.6.21.tar.bz2) = 1368435 bytes -SHA1 (patch-libexif_exif-data.c) = 50934bfb6686d411f0277d6e0868596347f5b5a5 +SHA1 (patch-libexif_exif-data.c) = 3518902f95665b53a62ba4e7fdc0b146fb4480dc diff --git a/graphics/libexif/patches/patch-libexif_exif-data.c b/graphics/libexif/patches/patch-libexif_exif-data.c index f99bf3a11c5..623de0b960e 100644 --- a/graphics/libexif/patches/patch-libexif_exif-data.c +++ b/graphics/libexif/patches/patch-libexif_exif-data.c @@ -1,20 +1,32 @@ -$NetBSD: patch-libexif_exif-data.c,v 1.1 2018/10/13 10:17:30 leot Exp $ +$NetBSD: patch-libexif_exif-data.c,v 1.2 2020/03/25 11:47:23 nia Exp $ -Backport patch to fix CVE-2017-7544 from upstream commit id -c39acd1692023b26290778a02a9232c873f9d71a: +Fix for CVE-2017-7544: +https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a.patch - <https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a> - -On saving makernotes, make sure the makernote container tags has a type with 1 -byte components. - -Fixes (at least): - https://sourceforge.net/p/libexif/bugs/130 - https://sourceforge.net/p/libexif/bugs/129 +Fix for CVE-2019-9278: +https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch --- libexif/exif-data.c.orig 2012-07-12 18:31:56.000000000 +0000 +++ libexif/exif-data.c -@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat +@@ -191,9 +191,15 @@ exif_data_load_data_entry (ExifData *dat + doff = offset + 8; + + /* Sanity checks */ +- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) { ++ if (doff >= size) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +- "Tag data past end of buffer (%u > %u)", doff+s, size); ++ "Tag starts past end of buffer (%u > %u)", doff, size); ++ return 0; ++ } ++ ++ if (s > size - doff) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", ++ "Tag data goes past end of buffer (%u > %u)", doff+s, size); + return 0; + } + +@@ -255,6 +261,12 @@ exif_data_save_data_entry (ExifData *dat exif_mnote_data_set_offset (data->priv->md, *ds - 6); exif_mnote_data_save (data->priv->md, &e->data, &e->size); e->components = e->size; @@ -27,3 +39,51 @@ Fixes (at least): } } +@@ -308,13 +320,14 @@ exif_data_load_data_thumbnail (ExifData + unsigned int ds, ExifLong o, ExifLong s) + { + /* Sanity checks */ +- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) { +- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +- "Bogus thumbnail offset (%u) or size (%u).", +- o, s); ++ if (o >= ds) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); ++ return; ++ } ++ if (s > ds - o) { ++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o); + return; + } +- + if (data->data) + exif_mem_free (data->priv->mem, data->data); + if (!(data->data = exif_data_alloc (data, s))) { +@@ -903,7 +916,7 @@ exif_data_load_data (ExifData *data, con + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 0 at %i.", (int) offset); + +- /* Sanity check the offset, being careful about overflow */ ++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */ + if (offset > ds || offset + 6 + 2 > ds) + return; + +@@ -912,6 +925,7 @@ exif_data_load_data (ExifData *data, con + + /* IFD 1 offset */ + n = exif_get_short (d + 6 + offset, data->priv->order); ++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */ + if (offset + 6 + 2 + 12 * n + 4 > ds) + return; + +@@ -920,8 +934,8 @@ exif_data_load_data (ExifData *data, con + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 1 at %i.", (int) offset); + +- /* Sanity check. */ +- if (offset > ds || offset + 6 > ds) { ++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */ ++ if (offset > ds - 6) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifData", "Bogus offset of IFD1."); + } else { |