diff --git a/SOURCES/exiv2-CVE-2021-29457.patch b/SOURCES/exiv2-CVE-2021-29457.patch new file mode 100644 index 0000000..1d5b0b0 --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-29457.patch @@ -0,0 +1,26 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 88ab9b2d6..12025f966 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m) + #endif + box.length = (uint32_t) (io_->size() - io_->tell() + 8); + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff --git a/SOURCES/exiv2-CVE-2021-29458.patch b/SOURCES/exiv2-CVE-2021-29458.patch new file mode 100644 index 0000000..64206b8 --- /dev/null +++ b/SOURCES/exiv2-CVE-2021-29458.patch @@ -0,0 +1,49 @@ +From 0a91b56616404f7b29ca28deb01ce18b767d1871 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Fri, 9 Apr 2021 13:26:23 +0100 +Subject: [PATCH 1/5] Fix incorrect delete. + +--- + src/crwimage_int.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index a44a67e2c..6f89fa8b8 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -579,7 +579,7 @@ namespace Exiv2 { + void CiffComponent::setValue(DataBuf buf) + { + if (isAllocated_) { +- delete pData_; ++ delete[] pData_; + pData_ = 0; + size_ = 0; + } + +From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Fri, 9 Apr 2021 13:37:48 +0100 +Subject: [PATCH 3/5] Fix integer overflow. + +--- + src/crwimage_int.cpp | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index 6f89fa8b8..7b958c26f 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -1187,7 +1187,11 @@ namespace Exiv2 { + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { + uint32_t size = 28; +- if (cc && cc->size() > size) size = cc->size(); ++ if (cc) { ++ if (cc->size() < size) ++ throw Error(kerCorruptedMetadata); ++ size = cc->size(); ++ } + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); + if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec index dbf6565..53bcc88 100644 --- a/SPECS/exiv2.spec +++ b/SPECS/exiv2.spec @@ -2,7 +2,7 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 Version: 0.27.3 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ @@ -12,6 +12,8 @@ Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz # Security fixes Patch50: exiv2-CVE-2021-3482.patch +Patch51: exiv2-CVE-2021-29458.patch +Patch52: exiv2-CVE-2021-29457.patch ## upstreamable patches # don't unconditionally use -fcf-protection flag, not supported on all archs @@ -126,6 +128,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Wed Apr 28 2021 Jan Grulich - 0.27.3-4 +- CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode + Resolves: bz#1953758 + +- CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata + Resolves: bz#1953772 + * Wed Apr 14 2021 Jan Grulich - 0.27.3-3 - CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata() Resolves: bz#1947160