diff --git a/SOURCES/CVE-2017-18233.patch b/SOURCES/CVE-2017-18233.patch
new file mode 100644
index 0000000..86d7cd0
--- /dev/null
+++ b/SOURCES/CVE-2017-18233.patch
@@ -0,0 +1,27 @@
+From 1b08dc2917b5d5972a3f87be3e9b76a4f3398d8d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
+Date: Mon, 14 Aug 2017 23:57:51 -0400
+Subject: [PATCH 1/5] Bug 102151 - RIFF: fix an infinite loop cause by an
+ overflow
+
+---
+ source/XMPFiles/FormatSupport/RIFF.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source/XMPFiles/FormatSupport/RIFF.cpp b/source/XMPFiles/FormatSupport/RIFF.cpp
+index 3992edd..00f67e5 100644
+--- a/source/XMPFiles/FormatSupport/RIFF.cpp
++++ b/source/XMPFiles/FormatSupport/RIFF.cpp
+@@ -155,7 +155,8 @@ Chunk::Chunk( ContainerChunk* parent, RIFF_MetaHandler* handler, bool skip, Chun
+ 
+ this->oldPos = LFA_Tell( file );
+ this->id = LFA_ReadUns32_LE( file );
+- this->oldSize = LFA_ReadUns32_LE( file ) + 8;
++ this->oldSize = LFA_ReadUns32_LE( file );
++ this->oldSize += 8;
+ 
+ // Make sure the size is within expected bounds.
+ XMP_Int64 chunkEnd = this->oldPos + this->oldSize;
+-- 
+2.17.2
+
diff --git a/SOURCES/CVE-2017-18234.patch b/SOURCES/CVE-2017-18234.patch
new file mode 100644
index 0000000..988233e
--- /dev/null
+++ b/SOURCES/CVE-2017-18234.patch
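Review bot: The fix only holds if `oldSize` is wider than 32 bits, because `LFA_ReadUns32_LE( file )` still yields a 32-bit value and the `+= 8` now happens in the field's own type; nothing in the hunk shows that width, and a later narrowing of the field would silently bring the wrap back. I would pin the intent on the `+= 8` line with a comment such as `// ! Add the 8-byte header after widening: a 32-bit "size + 8" can wrap to 0..7 and stall the chunk walk (bug 102151).` The following `XMP_Int64 chunkEnd = this->oldPos + this->oldSize;` suggests 64-bit arithmetic, but the declaration is outside the hunk, as is the rest of `Chunk::Chunk`.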
@@ -0,0 +1,93 @@
+From 70567edd9fc8753cc176de02b1d96f504a14e82c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
+Date: Sun, 26 Mar 2017 01:10:11 -0400
+Subject: [PATCH 2/5] Bug 100397 - Fix crash on malformed JPEG file
+
+---
+ source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp | 10 +++++++---
+ source/XMPFiles/FormatSupport/TIFF_Support.hpp | 13 ++++++++++++-
+ source/common/EndianUtils.hpp | 9 +++++++++
+ 3 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
+index 316cea0..1446cb4 100644
+--- a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
++++ b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
+@@ -65,7 +65,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
+ } else if ( thisTag == prevTag ) {
+ 
+ // Duplicate tag, keep the 2nd copy, move the tail of the array up, prevTag is unchanged.
+- memcpy ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // AUDIT: Safe, moving tail forward, i >= 1.
++ memmove ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // may overlap -- Hub
+ --tagCount;
+ --i; // ! Don't move forward in the array, we've moved the unseen part up.
+ 
+@@ -81,7 +81,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
+ 
+ // Out of order duplicate, move it to position j, move the tail of the array up.
+ ifdEntries[j] = ifdEntries[i];
+- memcpy ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // AUDIT: Safe, moving tail forward, i >= 1.
++ memmove ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // may overlap -- Hub
+ --tagCount;
+ --i; // ! Don't move forward in the array, we've moved the unseen part up.
+ 
+@@ -212,7 +212,11 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con
+ info->dataLen = thisTag->bytes;
+ 
+ info->dataPtr = this->GetDataPtr ( thisTag );
+- 
++ // Here we know that if it is NULL, it is wrong. -- Hub
++ // GetDataPtr will return NULL in case of overflow.
++ if (info->dataPtr == NULL) {
++ return false;
++ }
+ }
+ 
+ return true;
+diff --git a/source/XMPFiles/FormatSupport/TIFF_Support.hpp b/source/XMPFiles/FormatSupport/TIFF_Support.hpp
+index 9af76c4..95badba 100644
+--- a/source/XMPFiles/FormatSupport/TIFF_Support.hpp
++++ b/source/XMPFiles/FormatSupport/TIFF_Support.hpp
+@@ -723,7 +723,18 @@ private:
+ const TweakedIFDEntry* FindTagInIFD ( XMP_Uns8 ifd, XMP_Uns16 id ) const;
+ 
+ const inline void* GetDataPtr ( const TweakedIFDEntry* tifdEntry ) const
+- { if ( tifdEntry->bytes <= 4 ) return &tifdEntry->dataOrPos; else return (this->tiffStream + tifdEntry->dataOrPos); };
++ { if ( GetUns32AsIs(&tifdEntry->bytes) <= 4 ) {
++ return &tifdEntry->dataOrPos;
++ } else {
++ XMP_Uns32 pos = GetUns32AsIs(&tifdEntry->dataOrPos);
++ if (pos + GetUns32AsIs(&tifdEntry->bytes) > this->tiffLength) {
++ // Invalid file.
++ // The data is past the length of the TIFF.
++ return NULL;
++ }
++ return (this->tiffStream + pos);
++ }
++ }
+ 
+ static inline void NotAppropriate() { XMP_Throw ( "Not appropriate for TIFF_Reader", kXMPErr_InternalFailure ); };
+ 
+diff --git a/source/common/EndianUtils.hpp b/source/common/EndianUtils.hpp
+index 59e2e32..0e2e2fe 100644
+--- a/source/common/EndianUtils.hpp
++++ b/source/common/EndianUtils.hpp
+@@ -148,6 +148,15 @@ GetUns32LE ( const void * addr )
+ 
+ // -------------------------------------------------------------------------------------------------
+ 
++static inline XMP_Uns32
++GetUns32AsIs ( const void * addr )
++{
++ XMP_Uns32 value = *((XMP_Uns32*)addr);
++ return value; // Use this to avoid SPARC failure to handle unaligned loads and stores.
++}
++
++// -------------------------------------------------------------------------------------------------
++
+ static inline XMP_Uns64
+ GetUns64BE ( const void * addr )
+ {
+-- 
+2.17.2
+
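Review bot: In the new `GetDataPtr` body the bounds test `pos + GetUns32AsIs(&tifdEntry->bytes) > this->tiffLength` adds two `XMP_Uns32` values, so a crafted `dataOrPos` near 0xFFFFFFFF wraps the sum to a small number, the check passes, and `this->tiffStream + pos` is returned pointing far outside the buffer; the overflow the comment says this guards against is moved, not closed. Rewrite the guard without the addition: `XMP_Uns32 bytes = GetUns32AsIs(&tifdEntry->bytes);` followed by `if (pos > this->tiffLength || bytes > this->tiffLength - pos) {` — this assumes `tiffLength` is at least 32 bits wide, which the hunk does not show. In the `GetTag` hunk, `info->dataLen = thisTag->bytes;` is stored before the NULL check, so a caller that ignores the `false` return sees a non-zero length paired with a NULL pointer; zeroing `info->dataLen` before `return false;` keeps the out-parameter consistent. The new `GetUns32AsIs` helper says it exists to avoid unaligned-load failures, yet its body is a plain `*((XMP_Uns32*)addr)` dereference, which is exactly an unaligned load when `addr` is not 4-byte aligned; a `memcpy` into a local would match the comment, and the adjacent `GetUns32LE` (not visible here) may already use that idiom. `SortIFD`, `GetTag` and the `TIFF_MemoryReader` class all start and end outside these hunks.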
diff --git a/SOURCES/CVE-2017-18236.patch b/SOURCES/CVE-2017-18236.patch
new file mode 100644
index 0000000..ec45a6c
--- /dev/null
+++ b/SOURCES/CVE-2017-18236.patch
@@ -0,0 +1,25 @@
+From 6e59eea0adc5d8e0a1fc30a509a229b79e93d785 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
+Date: Fri, 2 Feb 2018 09:55:53 -0500
+Subject: [PATCH 3/5] Bug 102484 - Fix an infinite loop in ASF parser.
+
+---
+ source/XMPFiles/FormatSupport/ASF_Support.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/XMPFiles/FormatSupport/ASF_Support.cpp b/source/XMPFiles/FormatSupport/ASF_Support.cpp
+index 1180f9d..e57b56d 100644
+--- a/source/XMPFiles/FormatSupport/ASF_Support.cpp
++++ b/source/XMPFiles/FormatSupport/ASF_Support.cpp
+@@ -266,6 +266,8 @@ bool ASF_Support::ReadHeaderObject ( LFA_FileRef fileRef, ObjectState& inOutObje
+ 
+ this->ReadHeaderExtensionObject ( fileRef, inOutObjectState, pos, objectBase );
+ 
++ } else if (objectBase.size == 0) {
++ break;
+ }
+ 
+ pos += objectBase.size;
+-- 
+2.17.2
+
diff --git a/SOURCES/CVE-2017-18238.patch b/SOURCES/CVE-2017-18238.patch
new file mode 100644
index 0000000..25a3b85
--- /dev/null
+++ b/SOURCES/CVE-2017-18238.patch
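Review bot: The new `objectBase.size == 0` guard is the last branch of an `else if` chain, so it is reached only for objects that none of the earlier branches claimed; those branches are outside the hunk, and if any of them can be taken for an object whose size field is 0, `pos += objectBase.size;` still does not advance and the loop the fix targets can spin again. Checking the size right after the object header is read, before the type dispatch — `if (objectBase.size == 0) break;` — makes the termination guarantee independent of which branch runs. A size smaller than the object header itself would be worth rejecting at the same point, though the header length is not visible here. `ASF_Support::ReadHeaderObject` begins and ends outside the hunk.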
@@ -0,0 +1,26 @@
+From 6b8fdef590ee1a68fa62eb3cc201e61081800f9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
+Date: Thu, 1 Feb 2018 21:02:45 -0500
+Subject: [PATCH 4/5] Bug 102483 - Fix an infinite loop in QuickTime parser.
+
+---
+ source/XMPFiles/FormatSupport/QuickTime_Support.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source/XMPFiles/FormatSupport/QuickTime_Support.cpp b/source/XMPFiles/FormatSupport/QuickTime_Support.cpp
+index 31091ea..94ca145 100644
+--- a/source/XMPFiles/FormatSupport/QuickTime_Support.cpp
++++ b/source/XMPFiles/FormatSupport/QuickTime_Support.cpp
+@@ -737,7 +737,8 @@ bool TradQT_Manager::ParseCachedBoxes ( const MOOV_Manager & moovMgr )
+ 
+ miniLen = 4 + GetUns16BE ( boxPtr ); // ! Include header in local miniLen.
+ macLang = GetUns16BE ( boxPtr+2);
+- if ( (miniLen <= 4) || (miniLen > (boxEnd - boxPtr)) ) continue; // Ignore bad or empty values.
++ if ( (miniLen <= 4) || (miniLen > (boxEnd - boxPtr)) )
++ break; // Ignore bad or empty values.
+ 
+ XMP_StringPtr valuePtr = (char*)(boxPtr+4);
+ size_t valueLen = miniLen - 4;
+-- 
+2.17.2
+
diff --git a/SOURCES/CVE-2018-7730.patch b/SOURCES/CVE-2018-7730.patch
new file mode 100644
index 0000000..e5f3335
--- /dev/null
+++ b/SOURCES/CVE-2018-7730.patch
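Review bot: The retained comment `// Ignore bad or empty values.` no longer describes the changed line: `break` stops parsing every remaining value in the box, whereas `continue` skipped one. An empty value (`miniLen == 4`, given `miniLen = 4 + GetUns16BE ( boxPtr )`) is now treated the same as a truncated one, so well-formed entries after an empty one are dropped; if the loop advances `boxPtr` by `miniLen` somewhere outside the hunk, splitting the condition — `if ( miniLen > (boxEnd - boxPtr) ) break;` for the truncated case, and stepping past an empty entry instead of breaking — would keep the old tolerance without the old hang. At minimum the comment should read `// Bad or empty value: stop parsing this box.` `TradQT_Manager::ParseCachedBoxes` and its loop start and end outside the hunk.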
@@ -0,0 +1,29 @@
+From d942fea1cf7891818de357e08319d881b0f2f0df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
+Date: Sun, 25 Feb 2018 13:28:28 -0500
+Subject: [PATCH 5/5] Bug 105204 - Fix a buffer overflow in PSD parser
+
+---
+ source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
+index 0e57b49..bed14b0 100644
+--- a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
++++ b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
+@@ -291,6 +291,12 @@ void PSIR_FileWriter::ParseFileResources ( LFA_FileRef fileRef, XMP_Uns32 length
+ ioBuf.ptr += paddedLen; // Move to the data length.
+ XMP_Uns32 dataLen = GetUns32BE(ioBuf.ptr);
+ XMP_Uns32 dataTotal = ((dataLen + 1) & 0xFFFFFFFEUL); // Round up to an even total.
++ // See bug https://bugs.freedesktop.org/show_bug.cgi?id=105204
++ // If dataLen is 0xffffffff, then dataTotal might be 0
++ // and therefor make the CheckFileSpace test pass.
++ if (dataTotal < dataLen) {
++ break;
++ }
+ ioBuf.ptr += 4; // Advance to the resource data.
+ 
+ XMP_Int64 thisDataPos = ioBuf.filePos + (ioBuf.ptr - ioBuf.data);
+-- 
+2.17.2
+
diff --git a/SPECS/exempi.spec b/SPECS/exempi.spec
index 39dfd20..9a70823 100644
--- a/SPECS/exempi.spec
+++ b/SPECS/exempi.spec
@@ -1,11 +1,17 @@
 Summary: Library for easy parsing of XMP metadata
 Name: exempi
 Version: 2.2.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: BSD
 Group: System Environment/Libraries
 URL: http://libopenraw.freedesktop.org/wiki/Exempi
 Source0: http://libopenraw.freedesktop.org/download/%{name}-%{version}.tar.bz2
+Patch0: CVE-2017-18233.patch
+Patch1: CVE-2017-18234.patch
+Patch2: CVE-2017-18236.patch
+Patch3: CVE-2017-18238.patch
+Patch4: CVE-2018-7730.patch
+
 BuildRequires: boost-devel expat-devel zlib-devel pkgconfig
 Provides: bundled(md5-polstra)
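Review bot: The new `if (dataTotal < dataLen)` guard rejects exactly one value, `dataLen == 0xFFFFFFFF` (the only one where the `+ 1` wraps and the rounding yields `dataTotal == 0`); every other oversized `dataLen` still relies on the `CheckFileSpace` test the comment mentions, which is outside the hunk, so the comment should say this is the wrap case only rather than reading as a general length check. I would also fix the typo and tighten the wording: `// dataLen == 0xFFFFFFFF rounds up to dataTotal == 0, which would pass CheckFileSpace; reject the wrap here (bug 105204).` The `break` ends resource parsing silently; if the surrounding code reports other malformed resources differently, the new exit should follow that convention. `PSIR_FileWriter::ParseFileResources` begins and ends outside the hunk.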
@@ -26,6 +32,11 @@ developing with exempi.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %build
@@ -62,6 +73,18 @@ rm -rf %{buildroot}%{_libdir}/*.a
 %{_libdir}/pkgconfig/*.pc
 %changelog
+* Wed Dec 05 2018 Nikola Forró - 2.2.0-9
+- Fix CVE-2017-18233
+ resolves: #1574865
+- Fix CVE-2017-18234
+ resolves: #1656011
+- Fix CVE-2017-18236
+ resolves: #1574905
+- Fix CVE-2017-18238
+ resolves: #1572270
+- Fix CVE-2018-7730
+ resolves: #1572631
+
 * Fri Jan 24 2014 Daniel Mach - 2.2.0-8
 - Mass rebuild 2014-01-24