From 295e857f205c852f578e5e0f6dc3df07d8b6a0a9 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jul 28 2020 09:23:39 +0000
Subject: import exiv2-0.27.2-5.el8


---

diff --git a/SOURCES/exiv2-CVE-2019-20421.patch b/SOURCES/exiv2-CVE-2019-20421.patch
new file mode 100644
index 0000000..ea8356a
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2019-20421.patch
@@ -0,0 +1,97 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+---
+ src/jp2image.cpp                             |  25 +++++++++++++++----
+ test/data/Jp2Image_readMetadata_loop.poc     | Bin 0 -> 738 bytes
+ tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
+ tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+  */
+
+-/*
+-  File:      jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+         return result;
+     }
+
++static void boxes_check(size_t b,size_t m)
++{
++    if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++        throw Error(kerCorruptedMetadata);
++    }
++}
++
+     void Jp2Image::readMetadata()
+     {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+         Jp2BoxHeader      subBox    = {0,0};
+         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
+         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++        size_t            boxes     = 0 ;
++        size_t            boxem     = 1000 ; // boxes max
+
+         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+         {
++            boxes_check(boxes++,boxem );
+             position   = io_->tell();
+             box.length = getLong((byte*)&box.length, bigEndian);
+             box.type   = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+
+                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+                     {
++                        boxes_check(boxes++, boxem) ;
+                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
+                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
++                        if (subBox.length > io_->size() ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+ #ifdef EXIV2_DEBUG_MESSAGES
+                         std::cout << "Exiv2::Jp2Image::readMetadata: "
+                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+                         }
+
+                         io_->seek(restore,BasicIo::beg);
+-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
++                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+                         restore = io_->tell();
+                     }
+                     break;
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
++++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+     filename = "$data_path/poc_2017-12-12_issue188"
+     commands = ["$exiv2 " + filename]
+     stdout = [""]
+-    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
++    stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
+ """]
+     retval = [1]
diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec
index 9d93de7..d163b60 100644
--- a/SPECS/exiv2.spec
+++ b/SPECS/exiv2.spec
@@ -2,14 +2,14 @@
 Summary: Exif and Iptc metadata manipulation library
 Name:    exiv2
 Version: 0.27.2
-Release: 2%{?dist}
+Release: 5%{?dist}
 
 License: GPLv2+
 URL:     http://www.exiv2.org/
 Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz
 
 ## upstream patches (lookaside cache)
-
+Patch0:  exiv2-CVE-2019-20421.patch
 
 ## upstreamable patches
 
@@ -120,6 +120,18 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 
 
 %changelog
+* Wed Mar 04 2020 Jan Grulich <jgrulich@redhat.com> - 0.27.2-5
+- Fix failing test
+  Resolves: bz#1800472
+
+* Wed Mar 04 2020 Jan Grulich <jgrulich@redhat.com> - 0.27.2-4
+- Drop test for the previous CVE as we test it manually and we don't have POC available
+  Resolves: bz#1800472
+
+* Wed Feb 26 2020 Jan Grulich <jgrulich@redhat.com> - 0.27.2-3
+- Fix infinite loop and hang in Jp2Image::readMetadata()
+  Resolves: bz#1800472
+
 * Tue Oct 29 2019 Jan Grulich <jgrulich@redhat.com> - 0.27.2-2
   Rebuild
   Resolves: bz#1651917