diff --git a/SOURCES/exiv2-CVE-2021-37618.patch b/SOURCES/exiv2-CVE-2021-37618.patch
new file mode 100644
index 0000000..b658a39
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37618.patch
@@ -0,0 +1,29 @@
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 3bf356629..2d6dc2118 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
+
+ if (subBox.type == kJp2BoxTypeColorHeader) {
+ long pad = 3; // don't know why there are 3 padding bytes
++ enforce(data.size_ >= pad, kerCorruptedMetadata);
+ if (bPrint) {
+ out << " | pad:";
+ for (int i = 0; i < 3; i++)
+@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
+ if (bPrint) {
+ out << " | iccLength:" << iccLength;
+ }
++ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+ if (bICC) {
+ out.write((const char*)data.pData_ + pad, iccLength);
+ }
diff --git a/SOURCES/exiv2-CVE-2021-37619.patch b/SOURCES/exiv2-CVE-2021-37619.patch
new file mode 100644
index 0000000..2572914
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37619.patch
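Review bot: The first added guard, `enforce(data.size_ >= pad, kerCorruptedMetadata);`, only proves that the three padding bytes exist, while the second hunk writes from `data.pData_ + pad` using an `iccLength` that is computed in the lines between the two hunks (not shown). If that length is decoded from the bytes immediately after the padding, as its use here suggests, that decode needs more than `pad` bytes and the first guard should be tightened to cover it, e.g. `enforce(data.size_ >= pad + 4, kerCorruptedMetadata);` for a 4-byte field — confirm against the omitted line. The second guard `iccLength <= data.size_ - pad` is safe only because the first one runs before it, so a comment tying the two together, `// data.size_ >= pad was enforced above, so the subtraction cannot wrap`, would keep a future edit from reordering them. The enclosing function starts and ends outside the hunk.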
@@ -0,0 +1,62 @@
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp | 6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b6a388542f..3bf3566294 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+- while ( count < length || !bWroteColor ) {
++ while ( count < length && !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+- Jp2BoxHeader subBox = *pSubBox ;
++ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++ Jp2BoxHeader subBox;
++ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+ Jp2BoxHeader newBox = subBox;
+
+ if ( count < length ) {
+diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+index c98b3815eb..44f6a906cb 100644
+--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
++++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+@@ -1,7 +1,7 @@
+ # -*- coding: utf-8 -*-
+
+-from system_tests import CaseMeta, path
+-
++from system_tests import CaseMeta, CopyTmpFiles, path
++@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+
+ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+ """
+@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
+
+- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
++ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
++ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+ commands = ["$exiv2 in $filename1"]
+ stdout = [""]
+ stderr = [
+ """Error: XMP Toolkit error 201: XML parsing failure
+ Warning: Failed to decode XMP metadata.
+-$filename1: Could not write metadata to file: $kerCorruptedMetadata
+ """]
+- retval = [1]
++ retval = [0]
diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec
index 71b4eb7..6d31bab 100644
--- a/SPECS/exiv2.spec
+++ b/SPECS/exiv2.spec
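Review bot: With the loop condition changed to `while ( count < length && !bWroteColor )`, the `if ( count < length ) {` at the end of the C++ hunk can no longer be false on entry — none of the visible lines between the `while` and that `if` modify `count` — so the test is now redundant and whatever `else` path follows it (outside the hunk) looks unreachable; either drop the guard or add `// always true here: the loop condition guarantees count < length` so the next reader is not misled. The new `memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));` needs `<cstring>` in this translation unit; the include block is not in the hunk, so confirm it is already present rather than relying on transitive includes. The enclosing function starts and ends outside the hunk.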
@@ -3,13 +3,15 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 Version: 0.27.4 %global internal_ver %{version} -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz ## upstream patches (lookaside cache) +Patch1: exiv2-CVE-2021-37618.patch +Patch2: exiv2-CVE-2021-37619.patch # Security fixes @@ -119,6 +121,17 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Wed Aug 18 2021 Jan Grulich - 0.27.4-4 +- Fix test for CVE-2021-29470 + Resolves: bz#1993245 + +* Wed Aug 18 2021 Jan Grulich - 0.27.4-3 +- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure + Resolves: bz#1993282 + +- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header + Resolves: bz#1993245 + * Thu Aug 05 2021 Jan Grulich - 0.27.4-2 - Do not duplicate changelog file Resolves: bz#1989860
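Review bot: `Patch1:` and `Patch2:` are declared in the first hunk, but no matching application in `%prep` is visible anywhere in this diff; unless the spec already uses `%autosetup`/`%autopatch` (not shown), the two CVE patches will be listed but never applied and the 0.27.4-4 build would still contain the unpatched code. Confirm that `%prep` (outside the hunk) applies them, e.g. `%patch1 -p1` and `%patch2 -p1`, or that an auto-apply macro is in use. The `Release:` bump to `4` matches the two new changelog entries, so the changelog side is consistent.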