diff options
author | wangmy <wangmy@fujitsu.com> | 2021-05-18 16:03:30 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2021-05-19 09:17:49 -0700 |
commit | 8e63ac6c86852a12408c2415be073c71420758ff (patch) | |
tree | aeb7f8c9d679371513540c89c44fabd8875b2447 /meta-oe/recipes-support/exiv2 | |
parent | f0d83c14d9064ce1ee19b92d95c8daf790fe7488 (diff) | |
download | meta-openembedded-8e63ac6c86852a12408c2415be073c71420758ff.tar.gz |
exiv2: Fix CVE-2021-29463
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b]
CVE: CVE-2021-29463
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/exiv2')
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch | 120 | ||||
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 |
2 files changed, 122 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch new file mode 100644 index 000000000..5ab64a7d3 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch | |||
@@ -0,0 +1,120 @@ | |||
1 | From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001 | ||
2 | From: Kevin Backhouse <kevinbackhouse@github.com> | ||
3 | Date: Mon, 19 Apr 2021 18:06:00 +0100 | ||
4 | Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata() | ||
5 | |||
6 | --- | ||
7 | src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++----------- | ||
8 | 1 file changed, 30 insertions(+), 11 deletions(-) | ||
9 | |||
10 | diff --git a/src/webpimage.cpp b/src/webpimage.cpp | ||
11 | index 4ddec544c..fee110bca 100644 | ||
12 | --- a/src/webpimage.cpp | ||
13 | +++ b/src/webpimage.cpp | ||
14 | @@ -145,7 +145,7 @@ namespace Exiv2 { | ||
15 | DataBuf chunkId(WEBP_TAG_SIZE+1); | ||
16 | chunkId.pData_ [WEBP_TAG_SIZE] = '\0'; | ||
17 | |||
18 | - io_->read(data, WEBP_TAG_SIZE * 3); | ||
19 | + readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata); | ||
20 | uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian); | ||
21 | |||
22 | /* Set up header */ | ||
23 | @@ -185,13 +185,20 @@ namespace Exiv2 { | ||
24 | case we have any exif or xmp data, also check | ||
25 | for any chunks with alpha frame/layer set */ | ||
26 | while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { | ||
27 | - io_->read(chunkId.pData_, WEBP_TAG_SIZE); | ||
28 | - io_->read(size_buff, WEBP_TAG_SIZE); | ||
29 | - long size = Exiv2::getULong(size_buff, littleEndian); | ||
30 | + readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); | ||
31 | + readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); | ||
32 | + const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); | ||
33 | + | ||
34 | + // Check that `size_u32` is safe to cast to `long`. | ||
35 | + enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), | ||
36 | + Exiv2::kerCorruptedMetadata); | ||
37 | + const long size = static_cast<long>(size_u32); | ||
38 | DataBuf payload(size); | ||
39 | - io_->read(payload.pData_, payload.size_); | ||
40 | - byte c; | ||
41 | - if ( payload.size_ % 2 ) io_->read(&c,1); | ||
42 | + readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata); | ||
43 | + if ( payload.size_ % 2 ) { | ||
44 | + byte c; | ||
45 | + readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata); | ||
46 | + } | ||
47 | |||
48 | /* Chunk with information about features | ||
49 | used in the file. */ | ||
50 | @@ -199,6 +206,7 @@ namespace Exiv2 { | ||
51 | has_vp8x = true; | ||
52 | } | ||
53 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) { | ||
54 | + enforce(size >= 10, Exiv2::kerCorruptedMetadata); | ||
55 | has_size = true; | ||
56 | byte size_buf[WEBP_TAG_SIZE]; | ||
57 | |||
58 | @@ -227,6 +235,7 @@ namespace Exiv2 { | ||
59 | } | ||
60 | #endif | ||
61 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) { | ||
62 | + enforce(size >= 10, Exiv2::kerCorruptedMetadata); | ||
63 | has_size = true; | ||
64 | byte size_buf[2]; | ||
65 | |||
66 | @@ -244,11 +253,13 @@ namespace Exiv2 { | ||
67 | |||
68 | /* Chunk with with lossless image data. */ | ||
69 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) { | ||
70 | + enforce(size >= 5, Exiv2::kerCorruptedMetadata); | ||
71 | if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) { | ||
72 | has_alpha = true; | ||
73 | } | ||
74 | } | ||
75 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) { | ||
76 | + enforce(size >= 5, Exiv2::kerCorruptedMetadata); | ||
77 | has_size = true; | ||
78 | byte size_buf_w[2]; | ||
79 | byte size_buf_h[3]; | ||
80 | @@ -276,11 +287,13 @@ namespace Exiv2 { | ||
81 | |||
82 | /* Chunk with animation frame. */ | ||
83 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) { | ||
84 | + enforce(size >= 6, Exiv2::kerCorruptedMetadata); | ||
85 | if ((payload.pData_[5] & 0x2) == 0x2) { | ||
86 | has_alpha = true; | ||
87 | } | ||
88 | } | ||
89 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) { | ||
90 | + enforce(size >= 12, Exiv2::kerCorruptedMetadata); | ||
91 | has_size = true; | ||
92 | byte size_buf[WEBP_TAG_SIZE]; | ||
93 | |||
94 | @@ -309,16 +322,22 @@ namespace Exiv2 { | ||
95 | |||
96 | io_->seek(12, BasicIo::beg); | ||
97 | while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { | ||
98 | - io_->read(chunkId.pData_, 4); | ||
99 | - io_->read(size_buff, 4); | ||
100 | + readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata); | ||
101 | + readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata); | ||
102 | + | ||
103 | + const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); | ||
104 | |||
105 | - long size = Exiv2::getULong(size_buff, littleEndian); | ||
106 | + // Check that `size_u32` is safe to cast to `long`. | ||
107 | + enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), | ||
108 | + Exiv2::kerCorruptedMetadata); | ||
109 | + const long size = static_cast<long>(size_u32); | ||
110 | |||
111 | DataBuf payload(size); | ||
112 | - io_->read(payload.pData_, size); | ||
113 | + readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata); | ||
114 | if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad | ||
115 | |||
116 | if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) { | ||
117 | + enforce(size >= 1, Exiv2::kerCorruptedMetadata); | ||
118 | if (has_icc){ | ||
119 | payload.pData_[0] |= WEBP_VP8X_ICC_BIT; | ||
120 | } else { | ||
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 1dc909eeb..fb8d12619 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | |||
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994 | |||
11 | inherit dos2unix | 11 | inherit dos2unix |
12 | SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ | 12 | SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ |
13 | file://CVE-2021-29457.patch \ | 13 | file://CVE-2021-29457.patch \ |
14 | file://CVE-2021-29458.patch" | 14 | file://CVE-2021-29458.patch \ |
15 | file://CVE-2021-29463.patch" | ||
15 | 16 | ||
16 | S = "${WORKDIR}/${BPN}-${PV}-Source" | 17 | S = "${WORKDIR}/${BPN}-${PV}-Source" |
17 | 18 | ||