diff --git a/.exiv2.metadata b/.exiv2.metadata
index d0ed7be..8b058fc 100644
--- a/.exiv2.metadata
+++ b/.exiv2.metadata
@@ -1 +1,3 @@
-5f1b460b10171c3b12cd540d699e9b815f6f3058 SOURCES/exiv2-0.27.3.tar.gz
+ed620c568463179aca7847bee5fda40c11c08318 SOURCES/exiv2-0.27.4-Source.tar.gz
+8bfcbc41598e9377d5938fbc75d63db3e6bd9bc9 SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
+af7e1607f84dc143f09efaced2d6e05064238d4f SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
diff --git a/.gitignore b/.gitignore
index 1648354..c7dbcb6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/exiv2-0.27.3.tar.gz
+SOURCES/exiv2-0.27.4-Source.tar.gz
+SOURCES/issue_ghsa_583f_w9pm_99r2_poc.jp2
+SOURCES/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
diff --git a/SOURCES/exiv2-0.27.3-fcf-protection.patch b/SOURCES/exiv2-0.27.3-fcf-protection.patch
deleted file mode 100644
index 94a2c84..0000000
--- a/SOURCES/exiv2-0.27.3-fcf-protection.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection exiv2-0.27.3-Source/cmake/compilerFlags.cmake
---- exiv2-0.27.3-Source/cmake/compilerFlags.cmake.fcf-protection 2020-06-30 08:33:22.000000000 -0500
-+++ exiv2-0.27.3-Source/cmake/compilerFlags.cmake 2020-06-30 18:03:38.197967648 -0500
-@@ -26,7 +26,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Li
- # This fails under Fedora, MinGW GCC 8.3.0 and CYGWIN/MSYS 9.3.0
- if (NOT (MINGW OR CMAKE_HOST_SOLARIS OR CYGWIN OR MSYS) )
- if (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 8.0)
-- add_compile_options(-fstack-clash-protection -fcf-protection)
-+ add_compile_options(-fstack-clash-protection)
- endif()
-
- if( (COMPILER_IS_GCC AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 5.0) # Not in GCC 4.8
diff --git a/SOURCES/exiv2-CVE-2021-31291.patch b/SOURCES/exiv2-CVE-2021-31291.patch
deleted file mode 100644
index 05c6138..0000000
--- a/SOURCES/exiv2-CVE-2021-31291.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
-From: Pydera
-Date: Thu, 8 Apr 2021 17:36:16 +0200
-Subject: [PATCH] Fix out of buffer access in #1529
-
----
- src/jp2image.cpp | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 88ab9b2d61..12025f9664 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
- #endif
- box.length = (uint32_t) (io_->size() - io_->tell() + 8);
- }
-- if (box.length == 1)
-+ if (box.length < 8)
- {
-- // FIXME. Special case. the real box size is given in another place.
-+ // box is broken, so there is nothing we can do here
-+ throw Error(kerCorruptedMetadata);
- }
-
- // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/SOURCES/exiv2-CVE-2021-37618.patch b/SOURCES/exiv2-CVE-2021-37618.patch
new file mode 100644
index 0000000..ac3f866
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37618.patch
@@ -0,0 +1,67 @@
+From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Mon, 5 Jul 2021 10:39:08 +0100
+Subject: [PATCH 1/2] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
+
+---
+ test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 | Bin 0 -> 32768 bytes
+ .../github/test_issue_ghsa_583f_w9pm_99r2.py | 18 ++++++++++++++++++
+ 2 files changed, 18 insertions(+)
+ create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
+new file mode 100644
+index 000000000..808916aee
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
+@@ -0,0 +1,18 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
++
++class Jp2ImagePrintStructureICC(metaclass=CaseMeta):
++ """
++ Regression test for the bug described in:
++ https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
++ """
++ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2"
++
++ filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2")
++ commands = ["$exiv2 -p C $filename"]
++ stdout = [""]
++ stderr = ["""Exiv2 exception in print action for file $filename:
++$kerCorruptedMetadata
++"""]
++ retval = [1]
+
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 3bf356629..2d6dc2118 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
+
+ if (subBox.type == kJp2BoxTypeColorHeader) {
+ long pad = 3; // don't know why there are 3 padding bytes
++ enforce(data.size_ >= pad, kerCorruptedMetadata);
+ if (bPrint) {
+ out << " | pad:";
+ for (int i = 0; i < 3; i++)
+@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
+ if (bPrint) {
+ out << " | iccLength:" << iccLength;
+ }
++ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+ if (bICC) {
+ out.write((const char*)data.pData_ + pad, iccLength);
+ }
diff --git a/SOURCES/exiv2-CVE-2021-37619.patch b/SOURCES/exiv2-CVE-2021-37619.patch
new file mode 100644
index 0000000..0dca35b
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37619.patch
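Review bot: The first added guard, `enforce(data.size_ >= pad, kerCorruptedMetadata);`, only covers the three pad bytes printed by the loop that follows it; the value `iccLength` printed in the second hunk is presumably decoded from the bytes at `data.pData_ + pad` on a line that falls between the two hunks and is not visible here, and if that decode reads a 4-byte field the guard should be `enforce(data.size_ >= pad + 4, kerCorruptedMetadata);` so the read itself is in bounds, not just the later `out.write`. The second guard, `iccLength <= data.size_ - pad`, is sound only because the first one already rules out `data.size_ < pad`; a short comment tying them together, `// first enforce guarantees data.size_ - pad >= 0`, would keep a future reorder from reintroducing the underflow. Whether `iccLength` and `data.size_` have the same signedness cannot be confirmed from the hunk, so the mixed comparison is worth a look. The enclosing printStructure body begins and ends outside both hunks.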
@@ -0,0 +1,100 @@
+From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 30 Jun 2021 16:47:12 +0100
+Subject: [PATCH 1/2] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+
+---
+ test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes
+ .../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++
+ 2 files changed, 18 insertions(+)
+ create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
+new file mode 100644
+index 0000000000..8f8b6676cf
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
+@@ -0,0 +1,18 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
++@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
++
++class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
++ """
++ Regression test for the bug described in:
++ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
++ """
++ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
++
++ filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
++ commands = ["$exiv2 rm $filename"]
++ stdout = [""]
++ retval = [0]
++
++ compare_stderr = check_no_ASAN_UBSAN_errors
+
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp | 6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b6a388542f..3bf3566294 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+- while ( count < length || !bWroteColor ) {
++ while ( count < length && !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+- Jp2BoxHeader subBox = *pSubBox ;
++ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++ Jp2BoxHeader subBox;
++ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+ Jp2BoxHeader newBox = subBox;
+
+ if ( count < length ) {
+diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+index c98b3815eb..44f6a906cb 100644
+--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
++++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+@@ -1,7 +1,7 @@
+ # -*- coding: utf-8 -*-
+
+-from system_tests import CaseMeta, path
+-
++from system_tests import CaseMeta, CopyTmpFiles, path
++@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+
+ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+ """
+@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
+
+- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
++ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
++ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+ commands = ["$exiv2 in $filename1"]
+ stdout = [""]
+ stderr = [
+ """Error: XMP Toolkit error 201: XML parsing failure
+ Warning: Failed to decode XMP metadata.
+-$filename1: Could not write metadata to file: $kerCorruptedMetadata
+ """]
+- retval = [1]
++ retval = [0]
diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec
index d3a92d4..29ac1a4 100644
--- a/SPECS/exiv2.spec
+++ b/SPECS/exiv2.spec
@@ -1,27 +1,31 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 -Version: 0.27.3 -Release: 3%{?dist} +Version: 0.27.4 +%global internal_ver %{version} +Release: 5%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ -Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz +Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz + +# POC files for upstream issues +Source1: issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 +Source2: issue_ghsa_583f_w9pm_99r2_poc.jp2 ## upstream patches (lookaside cache) +Patch1: exiv2-CVE-2021-37618.patch +Patch2: exiv2-CVE-2021-37619.patch + +# Security fixes ## upstreamable patches -# don't unconditionally use -fcf-protection flag, not supported on all archs -# fedora already includes this on archs that do support it -Patch100: exiv2-0.27.3-fcf-protection.patch -Patch101: exiv2-CVE-2021-31291.patch BuildRequires: cmake BuildRequires: expat-devel +BuildRequires: gcc-c++ BuildRequires: gettext BuildRequires: pkgconfig -BuildRequires: pkgconfig(libcurl) -BuildRequires: pkgconfig(libssh) BuildRequires: zlib-devel # docs BuildRequires: doxygen graphviz libxslt @@ -67,8 +71,10 @@ BuildArch: noarch %prep -%autosetup -n %{name}-%{version} -p1 +%autosetup -n %{name}-%{version}-Source -p1 +cp %{SOURCE1} test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 +cp %{SOURCE2} test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 %build %{cmake} . \
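Review bot: With the corrected condition `while ( count < length && !bWroteColor )` the loop can now end with `bWroteColor` still false when the buffer holds no colour box, and the code that has to handle that case runs after the hunk, so a comment on the loop such as `// exits early once the colour box is written; a missing colour box is handled below` would make the contract of the post-loop code explicit (the enclosing encodeJp2Header body starts and ends outside the hunk, so confirm what it does there). The change is otherwise the right fix: under `||` the loop kept running past `length` and the `enforce(sizeof(Jp2BoxHeader) <= length - count, ...)` guard then computed a wrapped `length - count`. The new `memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));` depends on `<cstring>` being included, which this hunk does not show. The test update (exit status 1 to 0, the `$kerCorruptedMetadata` stderr line dropped) is consistent with the loop no longer overrunning, but it now means the GHSA-8949 test no longer asserts any rejection of that input, so it is worth stating in the patch description that the rejection was an artifact of the old loop.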
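Review bot: Patch100 (fcf-protection) and Patch101 (CVE-2021-31291) are dropped without a note saying why; presumably both changes are carried by the 0.27.4 tarball, but the spec should record that, e.g. `# fcf-protection and CVE-2021-31291 fixes are in 0.27.4 upstream` in place of the removed Patch lines, particularly because the rewritten changelog also drops the only reference to bz#1990355. The new `# Security fixes` heading has nothing under it while `Patch1`/`Patch2` sit under `## upstream patches (lookaside cache)`; either move the two Patch lines under the security heading or remove it. `BuildRequires: pkgconfig(libcurl)` and `pkgconfig(libssh)` are removed but the `%{cmake} . \` invocation is cut off at the end of the hunk, so confirm the corresponding EXIV2_ENABLE_CURL / EXIV2_ENABLE_SSH options agree with the dependency change rather than leaving the feature set to cmake's auto-detection.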
@@ -85,13 +91,10 @@ make install/fast DESTDIR=%{buildroot} %find_lang exiv2 --with-man -## unpackaged files -rm -fv %{buildroot}%{_libdir}/libexiv2.la -#rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm %check export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}" -test "$(pkg-config --modversion exiv2)" = "0.27.3" +test "$(pkg-config --modversion exiv2)" = "%{internal_ver}" test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}" test -x %{buildroot}%{_libdir}/libexiv2.so @@ -108,13 +111,14 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %files libs %{_libdir}/libexiv2.so.27* -%{_libdir}/libexiv2.so.0.27.3 +%{_libdir}/libexiv2.so.%{internal_ver} %files devel %{_includedir}/exiv2/ %{_libdir}/libexiv2.so %{_libdir}/pkgconfig/exiv2.pc %{_libdir}/cmake/exiv2/ +# todo: -static subpkg? -- rex %{_libdir}/libexiv2-xmp.a %files doc 
@@ -123,9 +127,54 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog -* Thu Aug 05 2021 Jan Grulich - 0.27.3-3 -- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS - Resolves: bz#1990355 +* Tue Aug 24 2021 Jan Grulich - 0.27.4-5 +- Include missing tests for CVEs + Resolves: bz#1993282 + Resolves: bz#1993245 + +* Wed Aug 18 2021 Jan Grulich - 0.27.4-4 +- Fix test for CVE-2021-29470 + Resolves: bz#1993245 + +* Wed Aug 18 2021 Jan Grulich - 0.27.4-3 +- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure + Resolves: bz#1993282 + +- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header + Resolves: bz#1993245 + +* Thu Aug 05 2021 Jan Grulich - 0.27.4-2 +- Do not duplicate changelog file + Resolves: bz#1989860 + +* Wed Aug 04 2021 Jan Grulich - 0.27.4-1 +- 0.27.4 + Resolves: bz#1989860 + +* Tue May 25 2021 Jan Grulich - 0.27.3-6 +- CVE-2021-29623 exiv2: a read of uninitialized memory may lead to information leak + Resolves: bz#1964182 + +- CVE-2021-32617 exiv2: DoS due to quadratic complexity in ProcessUTF8Portion + Resolves: bz#1964188 + +* Thu Apr 29 2021 Jan Grulich - 0.27.3-5 +- CVE-2021-29473 exiv2: out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata + Resolves: bz#1954065 + +- CVE-2021-29470 exiv2: out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header + Resolves: bz#1955014 + +* Wed Apr 28 2021 Jan Grulich - 0.27.3-4 +- CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode + Resolves: bz#1953758 + +- CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata + Resolves: bz#1953772 + +* Wed Apr 14 2021 Jan Grulich - 0.27.3-3 +- CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata() + Resolves: bz#1947160 * Wed Oct 7 2020 Jan Grulich - 0.27.3-2 - Avoid duplicating Changelog file