diff options
| author | wangmy <wangmy@fujitsu.com> | 2021-05-18 16:03:32 +0800 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2021-05-19 09:17:49 -0700 |
| commit | 8c9470bdfaa1d33347ffaf25b3e18d2163667e18 (patch) | |
| tree | 1db2643050d78f7264f1fa831a1b0759e6e49391 | |
| parent | 9e7c2c9713dc2824af2a33b0a3feb4f29e7f0269 (diff) | |
| download | meta-openembedded-8c9470bdfaa1d33347ffaf25b3e18d2163667e18.tar.gz | |
exiv2: Fix CVE-2021-29464
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| -rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch | 72 | ||||
| -rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch new file mode 100644 index 000000000..f0c482450 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Wang Mingyu <wangmy@fujitsu.com> | ||
| 3 | Date: Tue, 18 May 2021 10:52:54 +0900 | ||
| 4 | Subject: [PATCH] modify | ||
| 5 | |||
| 6 | Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> | ||
| 7 | --- | ||
| 8 | src/jp2image.cpp | 14 +++++++++----- | ||
| 9 | 1 file changed, 9 insertions(+), 5 deletions(-) | ||
| 10 | |||
| 11 | diff --git a/src/jp2image.cpp b/src/jp2image.cpp | ||
| 12 | index 52723a4..0ac4f50 100644 | ||
| 13 | --- a/src/jp2image.cpp | ||
| 14 | +++ b/src/jp2image.cpp | ||
| 15 | @@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m) | ||
| 16 | void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf) | ||
| 17 | { | ||
| 18 | DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space | ||
| 19 | - int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? | ||
| 20 | - int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? | ||
| 21 | + long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? | ||
| 22 | + long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? | ||
| 23 | Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; | ||
| 24 | - int32_t length = getLong((byte*)&pBox->length, bigEndian); | ||
| 25 | - int32_t count = sizeof (Jp2BoxHeader); | ||
| 26 | + uint32_t length = getLong((byte*)&pBox->length, bigEndian); | ||
| 27 | + uint32_t count = sizeof (Jp2BoxHeader); | ||
| 28 | char* p = (char*) boxBuf.pData_; | ||
| 29 | bool bWroteColor = false ; | ||
| 30 | |||
| 31 | @@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m) | ||
| 32 | #ifdef EXIV2_DEBUG_MESSAGES | ||
| 33 | std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl; | ||
| 34 | #endif | ||
| 35 | + enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata); | ||
| 36 | count += subBox.length; | ||
| 37 | newBox.type = subBox.type; | ||
| 38 | } else { | ||
| 39 | @@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m) | ||
| 40 | count = length; | ||
| 41 | } | ||
| 42 | |||
| 43 | - int32_t newlen = subBox.length; | ||
| 44 | + uint32_t newlen = subBox.length; | ||
| 45 | if ( newBox.type == kJp2BoxTypeColorHeader ) { | ||
| 46 | bWroteColor = true ; | ||
| 47 | if ( ! iccProfileDefined() ) { | ||
| 48 | const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid"; | ||
| 49 | uint32_t psize = 15; | ||
| 50 | + enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); | ||
| 51 | ul2Data((byte*)&newBox.length,psize ,bigEndian); | ||
| 52 | ul2Data((byte*)&newBox.type ,newBox.type,bigEndian); | ||
| 53 | ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox)); | ||
| 54 | @@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m) | ||
| 55 | } else { | ||
| 56 | const char* pad = "\0x02\x00\x00"; | ||
| 57 | uint32_t psize = 3; | ||
| 58 | + enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); | ||
| 59 | ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian); | ||
| 60 | ul2Data((byte*)&newBox.type,newBox.type,bigEndian); | ||
| 61 | ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) ); | ||
| 62 | @@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m) | ||
| 63 | newlen = psize + iccProfile_.size_; | ||
| 64 | } | ||
| 65 | } else { | ||
| 66 | + enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); | ||
| 67 | ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length); | ||
| 68 | } | ||
| 69 | |||
| 70 | -- | ||
| 71 | 2.25.1 | ||
| 72 | |||
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 8c4c81799..024f4c794 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | |||
| @@ -13,6 +13,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat | |||
| 13 | file://CVE-2021-29457.patch \ | 13 | file://CVE-2021-29457.patch \ |
| 14 | file://CVE-2021-29458.patch \ | 14 | file://CVE-2021-29458.patch \ |
| 15 | file://CVE-2021-29463.patch \ | 15 | file://CVE-2021-29463.patch \ |
| 16 | file://CVE-2021-29464.patch \ | ||
| 16 | file://CVE-2021-3482.patch" | 17 | file://CVE-2021-3482.patch" |
| 17 | 18 | ||
| 18 | S = "${WORKDIR}/${BPN}-${PV}-Source" | 19 | S = "${WORKDIR}/${BPN}-${PV}-Source" |