FreeBSD Bugzilla – Attachment 211587 Details for
Bug 244060
graphics/libexif: Fix security vulnerabilities
[patch]
libexif-security.patch
libexif-security.patch (text/plain), 8.08 KB, created by
Danilo G. Baio
on 2020-02-12 12:15:47 UTC
Description:
libexif-security.patch
Filename:
MIME Type:
Creator:
Danilo G. Baio
Created:
2020-02-12 12:15:47 UTC
Size:
8.08 KB
patch
obsolete
>Index: graphics/libexif/Makefile
>===================================================================
>--- graphics/libexif/Makefile (revisão 525892)
>+++ graphics/libexif/Makefile (cópia de trabalho)
>@@ -3,7 +3,7 @@
>
> PORTNAME= libexif
> PORTVERSION= 0.6.21
>-PORTREVISION= 4
>+PORTREVISION= 5
> CATEGORIES= graphics
> MASTER_SITES= SF
>
>Index: graphics/libexif/files/patch-CVE-2019-9278
>===================================================================
>--- graphics/libexif/files/patch-CVE-2019-9278 (nonexistent)
>+++ graphics/libexif/files/patch-CVE-2019-9278 (cópia de trabalho)
>@@ -0,0 +1,86 @@
>+https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
>+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
>+From: Marcus Meissner <meissner@suse.de>
>+Date: Sat, 18 Jan 2020 09:29:42 +0100
>+Subject: [PATCH] fix CVE-2019-9278
>+
>+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
>+
>+check for the actual sizes, which should also handle the overflows
>+document other places google patched, but do not seem relevant due to other restrictions
>+
>+fixes https://github.com/libexif/libexif/issues/26
>+---
>+ libexif/exif-data.c | 28 ++++++++++++++++++----------
>+ 1 file changed, 18 insertions(+), 10 deletions(-)
>+
>+diff --git libexif/exif-data.c libexif/exif-data.c
>+index a6f9c94..6332cd1 100644
>+--- libexif/exif-data.c
>++++ libexif/exif-data.c
>+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
>+ doff = offset + 8;
>+
>+ /* Sanity checks */
>+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
>++ if (doff >= size) {
>+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
>+- "Tag data past end of buffer (%u > %u)", doff+s, size);
>++ "Tag starts past end of buffer (%u > %u)", doff, size);
>++ return 0;
>++ }
>++
>++ if (s > size - doff) {
>++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
>++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
>+ return 0;
>+ }
>+
>+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
>+ unsigned int ds, ExifLong o, ExifLong s)
>+ {
>+ /* Sanity checks */
>+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
>+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
>+- "Bogus thumbnail offset (%u) or size (%u).",
>+- o, s);
>++ if (o >= ds) {
>++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
>++ return;
>++ }
>++ if (s > ds - o) {
>++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
>+ return;
>+ }
>+-
>+ if (data->data)
>+ exif_mem_free (data->priv->mem, data->data);
>+ if (!(data->data = exif_data_alloc (data, s))) {
>+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
>+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
>+ "IFD 0 at %i.", (int) offset);
>+
>+- /* Sanity check the offset, being careful about overflow */
>++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
>+ if (offset > ds || offset + 6 + 2 > ds)
>+ return;
>+
>+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
>+
>+ /* IFD 1 offset */
>+ n = exif_get_short (d + 6 + offset, data->priv->order);
>++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
>+ if (offset + 6 + 2 + 12 * n + 4 > ds)
>+ return;
>+
>+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
>+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
>+ "IFD 1 at %i.", (int) offset);
>+
>+- /* Sanity check. */
>+- if (offset > ds || offset + 6 > ds) {
>++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
>++ if (offset > ds - 6) {
>+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
>+ "ExifData", "Bogus offset of IFD1.");
>+ } else {
>
>Property changes on: graphics/libexif/files/patch-CVE-2019-9278
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: graphics/libexif/files/patch-chromium-7344-and-14543
>===================================================================
>--- graphics/libexif/files/patch-chromium-7344-and-14543 (nonexistent)
>+++ graphics/libexif/files/patch-chromium-7344-and-14543 (cópia de trabalho)
>@@ -0,0 +1,35 @@
>+https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff.patch
>+From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
>+From: Dan Fandrich <dan@coneharvesters.com>
>+Date: Wed, 4 Jul 2018 11:06:09 +0200
>+Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
>+
>+While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
>+the end of a heap buffer. This was detected by the OSS Fuzz project.
>+Patch from Google.
>+
>+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
>+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
>+---
>+ libexif/exif-entry.c | 4 ++--
>+ 1 file changed, 2 insertions(+), 2 deletions(-)
>+
>+diff --git libexif/exif-entry.c libexif/exif-entry.c
>+index 61260d3..a224ac2 100644
>+--- libexif/exif-entry.c
>++++ libexif/exif-entry.c
>+@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
>+ d = 0.;
>+ entry = exif_content_get_entry (
>+ e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
>+- if (entry && entry->data &&
>++ if (entry && entry->data && entry->size >= 7 &&
>+ !strncmp ((char *)entry->data, "Minolta", 7)) {
>+ entry = exif_content_get_entry (
>+ e->parent->parent->ifd[EXIF_IFD_0],
>+ EXIF_TAG_MODEL);
>+- if (entry && entry->data) {
>++ if (entry && entry->data && entry->size >= 8) {
>+ if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
>+ d = 3.9;
>+ else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
>
>Property changes on: graphics/libexif/files/patch-chromium-7344-and-14543
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Index: graphics/libexif/files/patch-chromium-8884
>===================================================================
>--- graphics/libexif/files/patch-chromium-8884 (nonexistent)
>+++ graphics/libexif/files/patch-chromium-8884 (cópia de trabalho)
>@@ -0,0 +1,24 @@
>+https://github.com/libexif/libexif/commit/a0c04d9cb6ab0c41a6458def9f892754e84160a0.patch
>+From a0c04d9cb6ab0c41a6458def9f892754e84160a0 Mon Sep 17 00:00:00 2001
>+From: Marcus Meissner <marcus@jet.franken.de>
>+Date: Sat, 15 Jun 2019 18:40:48 +0200
>+Subject: [PATCH] fixed a buffer overread (OSS-Fuzz)
>+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8884
>+
>+---
>+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
>+ 1 file changed, 1 insertion(+), 1 deletion(-)
>+
>+diff --git libexif/olympus/exif-mnote-data-olympus.c libexif/olympus/exif-mnote-data-olympus.c
>+index dac7f5b..669e4ec 100644
>+--- libexif/olympus/exif-mnote-data-olympus.c
>++++ libexif/olympus/exif-mnote-data-olympus.c
>+@@ -344,7 +344,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
>+
>+ case nikonV2:
>+ o2 += 6;
>+- if (o2 >= buf_size) return;
>++ if (o2 + 8 >= buf_size) return;
>+ exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
>+ "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
>+ "%02x, %02x, %02x, %02x, %02x)...",
>
>Property changes on: graphics/libexif/files/patch-chromium-8884
>___________________________________________________________________
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
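Review bot: The bound in the new comment before the IFD 1 size check, `/* offset < 2<<16, n is 16 bit at most, so this op will not overflow */`, is stated loosely: `2<<16` is 2^17, while the comment this same patch adds at the IFD 0 check says `ds` is restricted to 16 bits, and the visible `if (offset > ds || offset + 6 + 2 > ds) return;` bounds `offset` by `ds`, giving `offset < 1<<16`. Since these two comments are now the only record of why `offset + 6 + 2 + 12 * n + 4` cannot wrap, they should state the invariant exactly, e.g. `/* ds fits in 16 bits and offset <= ds (checked above); n is a 16-bit value, so offset + 8 + 12 * n + 4 stays far below UINT_MAX */`. The check that actually restricts `ds` to 16 bits is outside this hunk, as are the starts of `exif_data_load_data_entry`, `exif_data_load_data_thumbnail` and `exif_data_load_data`. The replacement pairs `if (doff >= size)` / `if (s > size - doff)` and `if (o >= ds)` / `if (s > ds - o)` are the overflow-free form and need no change.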
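Review bot: The added `entry->size >= 8` guard on the MODEL entry covers only the two `strncmp (..., 8)` compares visible in the hunk; `exif_entry_get_value` begins and ends outside it, so if the `else if` chain continues below with longer model strings, those compares could still read past a short buffer and would need their own length check, or the bound raised to the longest compared literal. Tying each compare to its own length would remove that coupling, e.g. a file-local `static int entry_has_prefix (const ExifEntry *e, const char *lit, unsigned int n) { return e->data && e->size >= n && !memcmp (e->data, lit, n); }` used in place of the `entry->size >= N && !strncmp (...)` pairs; `memcmp` also makes explicit that `entry->data` is not assumed to be NUL-terminated. The two guards the patch does add are correct for the compares shown.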
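Review bot: The new guard `if (o2 + 8 >= buf_size) return;` keeps the addition form of bounds check that the CVE-2019-9278 patch in this same attachment replaces elsewhere; if `o2` can approach the top of its type (its type and any earlier bounding are outside the hunk), `o2 + 8` wraps and the check passes. The subtraction form is overflow-free and equivalent wherever the original is correct: `if (o2 >= buf_size || buf_size - o2 <= 8) return;`. The eight `%02x` conversions in the log call that follows are presumably what the `+ 8` accounts for (the argument list is below the hunk), so a one-line comment such as `/* the debug log below reads 8 bytes starting at o2 */` would document where the constant comes from. `exif_mnote_data_olympus_load` starts and ends outside the hunk.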
Flags:
dbaio
:
maintainer-approval?
(marius)