libexif: fix CVE-2016-6328 and CVE-2018-20030

(From OE-Core rev: 037b544431076b94e85281c7deb527a44a600f5a) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-03-27 13:40:38 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-03-29 08:28:53 +0000
commit: 3d05a87df7361f4b315a9f05de3a86e318585b93 (patch)
tree: 024415331bd78d7e0451aa39f8a410bb0a0a7d06
parent: 74542f20f2f34ba2e23891f4a825a74361ebc5ad (diff)
download: poky-3d05a87df7361f4b315a9f05de3a86e318585b93.tar.gz
3 files changed, 182 insertions, 1 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
new file mode 100644
index 0000000000..a6f307439b
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2016-6328
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+                case EXIF_FORMAT_SHORT:
+                  {
+                        const unsigned char *data = entry->data;
+-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
+                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 2)
+                                       break;
+                                vs = exif_get_short (data, entry->order);
+                                snprintf (val+len, maxlen-len, "%i ", vs);
+                                len = strlen(val);
+                                data += 2;
+                               sizeleft -= 2;
+                        }
+                  }
+                  break;
+                case EXIF_FORMAT_LONG:
+                  {
+                        const unsigned char *data = entry->data;
+-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
+                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 4)
+                                       break;
+                                vl = exif_get_long (data, entry->order);
+                                snprintf (val+len, maxlen-len, "%li", (long int) vl);
+                                len = strlen(val);
+                                data += 4;
+                               sizeleft -= 4;
+                        }
+                  }
+                  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+                break;
+        }
+ 
+-       return (val);
+       return val;
+ }
diff --git a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
new file mode 100644
index 0000000000..76233e6dc9
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
+CVE: CVE-2018-20030
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..8d9897e 100644
+--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
+#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -344,6 +345,20 @@ if (data->ifd[(i)]->count) {                               \
+        break;                                          \
+ }
+ 
+/*! Calculate the recursion cost added by one level of IFD loading.
+ *
+ * The work performed is related to the cost in the exponential relation
+ *   work=1.1**cost
+ */
+static unsigned int
+level_cost(unsigned int n)
+{
+    static const double log_1_1 = 0.09531017980432493;
+
+       /* Adding 0.1 protects against the case where n==1 */
+       return ceil(log(n + 0.1)/log_1_1);
+}
+
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -351,13 +366,13 @@ if (data->ifd[(i)]->count) {                              \
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
+ * \param[in] recursion_cost factor indicating how expensive this recursive
+ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+                             const unsigned char *d,
+-                            unsigned int ds, unsigned int offset, unsigned int recursion_depth)
+                            unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+        ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+        ExifShort n;
+@@ -372,9 +387,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+        if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+          return;
+ 
+-       if (recursion_depth > 30) {
+       if (recursion_cost > 170) {
+               /*
+                * recursion_cost is a logarithmic-scale indicator of how expensive this
+                * recursive call might end up being. It is an indicator of the depth of
+                * recursion as well as the potential for worst-case future recursive
+                * calls. Since it's difficult to tell ahead of time how often recursion
+                * will occur, this assumes the worst by assuming every tag could end up
+                * causing recursion.
+                * The value of 170 was chosen to limit typical EXIF structures to a
+                * recursive depth of about 6, but pathological ones (those with very
+                * many tags) to only 2.
+                */
+                exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-                         "Deep recursion detected!");
+                         "Deep/expensive recursion detected!");
+                return;
+        }
+ 
+@@ -416,15 +442,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+                        switch (tag) {
+                        case EXIF_TAG_EXIF_IFD_POINTER:
+                                CHECK_REC (EXIF_IFD_EXIF);
+-                               exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
+                               exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
+                                       recursion_cost + level_cost(n));
+                                break;
+                        case EXIF_TAG_GPS_INFO_IFD_POINTER:
+                                CHECK_REC (EXIF_IFD_GPS);
+-                               exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
+                               exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
+                                       recursion_cost + level_cost(n));
+                                break;
+                        case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+                                CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-                               exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
+                               exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
+                                       recursion_cost + level_cost(n));
+                                break;
+                        case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+                                thumbnail_offset = o;
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index a6c9c647c8..d847beab18 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -5,7 +5,9 @@ LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
-           file://CVE-2017-7544.patch"
+           file://CVE-2017-7544.patch \
+           file://CVE-2016-6328.patch \
+           file://CVE-2018-20030.patch"
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
author	Ross Burton <ross.burton@intel.com>	2019-03-27 13:40:38 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-03-29 08:28:53 +0000
commit	3d05a87df7361f4b315a9f05de3a86e318585b93 (patch)
tree	024415331bd78d7e0451aa39f8a410bb0a0a7d06
parent	74542f20f2f34ba2e23891f4a825a74361ebc5ad (diff)
download	poky-3d05a87df7361f4b315a9f05de3a86e318585b93.tar.gz

diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch new file mode 100644 index 0000000000..a6f307439b --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
@@ -0,0 +1,64 @@
		1	CVE: CVE-2016-6328
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@intel.com>
		4
		5	From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
		6	From: Marcus Meissner <marcus@jet.franken.de>
		7	Date: Tue, 25 Jul 2017 23:44:44 +0200
		8	Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
		9	makernote entries.
		10
		11	This should fix:
		12	https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
		13	---
		14	libexif/pentax/mnote-pentax-entry.c \| 16 +++++++++++++---
		15	1 file changed, 13 insertions(+), 3 deletions(-)
		16
		17	diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
		18	index d03d159..ea0429a 100644
		19	--- a/libexif/pentax/mnote-pentax-entry.c
		20	+++ b/libexif/pentax/mnote-pentax-entry.c
		21	@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
		22	case EXIF_FORMAT_SHORT:
		23	{
		24	const unsigned char *data = entry->data;
		25	- size_t k, len = strlen(val);
		26	+ size_t k, len = strlen(val), sizeleft;
		27	+
		28	+ sizeleft = entry->size;
		29	for(k=0; k<entry->components; k++) {
		30	+ if (sizeleft < 2)
		31	+ break;
		32	vs = exif_get_short (data, entry->order);
		33	snprintf (val+len, maxlen-len, "%i ", vs);
		34	len = strlen(val);
		35	data += 2;
		36	+ sizeleft -= 2;
		37	}
		38	}
		39	break;
		40	case EXIF_FORMAT_LONG:
		41	{
		42	const unsigned char *data = entry->data;
		43	- size_t k, len = strlen(val);
		44	+ size_t k, len = strlen(val), sizeleft;
		45	+
		46	+ sizeleft = entry->size;
		47	for(k=0; k<entry->components; k++) {
		48	+ if (sizeleft < 4)
		49	+ break;
		50	vl = exif_get_long (data, entry->order);
		51	snprintf (val+len, maxlen-len, "%li", (long int) vl);
		52	len = strlen(val);
		53	data += 4;
		54	+ sizeleft -= 4;
		55	}
		56	}
		57	break;
		58	@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
		59	break;
		60	}
		61
		62	- return (val);
		63	+ return val;
		64	}


diff --git a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch new file mode 100644 index 0000000000..76233e6dc9 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
		1	CVE: CVE-2018-20030
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@intel.com>
		4
		5	From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
		6	From: Dan Fandrich <dan@coneharvesters.com>
		7	Date: Fri, 12 Oct 2018 16:01:45 +0200
		8	Subject: [PATCH] Improve deep recursion detection in
		9	exif_data_load_data_content.
		10
		11	The existing detection was still vulnerable to pathological cases
		12	causing DoS by wasting CPU. The new algorithm takes the number of tags
		13	into account to make it harder to abuse by cases using shallow recursion
		14	but with a very large number of tags. This improves on commit 5d28011c
		15	which wasn't sufficient to counter this kind of case.
		16
		17	The limitation in the previous fix was discovered by Laurent Delosieres,
		18	Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
		19	the identifier CVE-2018-20030.
		20
		21	diff --git a/libexif/exif-data.c b/libexif/exif-data.c
		22	index 67df4db..8d9897e 100644
		23	--- a/libexif/exif-data.c
		24	+++ b/libexif/exif-data.c
		25	@@ -35,6 +35,7 @@
		26	#include <libexif/olympus/exif-mnote-data-olympus.h>
		27	#include <libexif/pentax/exif-mnote-data-pentax.h>
		28
		29	+#include <math.h>
		30	#include <stdlib.h>
		31	#include <stdio.h>
		32	#include <string.h>
		33	@@ -344,6 +345,20 @@ if (data->ifd[(i)]->count) { \
		34	break; \
		35	}
		36
		37	+/*! Calculate the recursion cost added by one level of IFD loading.
		38	+ *
		39	+ * The work performed is related to the cost in the exponential relation
		40	+ * work=1.1**cost
		41	+ */
		42	+static unsigned int
		43	+level_cost(unsigned int n)
		44	+{
		45	+ static const double log_1_1 = 0.09531017980432493;
		46	+
		47	+ /* Adding 0.1 protects against the case where n==1 */
		48	+ return ceil(log(n + 0.1)/log_1_1);
		49	+}
		50	+
		51	/*! Load data for an IFD.
		52	*
		53	* \param[in,out] data #ExifData
		54	@@ -351,13 +366,13 @@ if (data->ifd[(i)]->count) { \
		55	* \param[in] d pointer to buffer containing raw IFD data
		56	* \param[in] ds size of raw data in buffer at \c d
		57	* \param[in] offset offset into buffer at \c d at which IFD starts
		58	- * \param[in] recursion_depth number of times this function has been
		59	- * recursively called without returning
		60	+ * \param[in] recursion_cost factor indicating how expensive this recursive
		61	+ * call could be
		62	*/
		63	static void
		64	exif_data_load_data_content (ExifData *data, ExifIfd ifd,
		65	const unsigned char *d,
		66	- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
		67	+ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
		68	{
		69	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
		70	ExifShort n;
		71	@@ -372,9 +387,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
		72	if ((((int)ifd) < 0) \|\| ( ((int)ifd) >= EXIF_IFD_COUNT))
		73	return;
		74
		75	- if (recursion_depth > 30) {
		76	+ if (recursion_cost > 170) {
		77	+ /*
		78	+ * recursion_cost is a logarithmic-scale indicator of how expensive this
		79	+ * recursive call might end up being. It is an indicator of the depth of
		80	+ * recursion as well as the potential for worst-case future recursive
		81	+ * calls. Since it's difficult to tell ahead of time how often recursion
		82	+ * will occur, this assumes the worst by assuming every tag could end up
		83	+ * causing recursion.
		84	+ * The value of 170 was chosen to limit typical EXIF structures to a
		85	+ * recursive depth of about 6, but pathological ones (those with very
		86	+ * many tags) to only 2.
		87	+ */
		88	exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
		89	- "Deep recursion detected!");
		90	+ "Deep/expensive recursion detected!");
		91	return;
		92	}
		93
		94	@@ -416,15 +442,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
		95	switch (tag) {
		96	case EXIF_TAG_EXIF_IFD_POINTER:
		97	CHECK_REC (EXIF_IFD_EXIF);
		98	- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
		99	+ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
		100	+ recursion_cost + level_cost(n));
		101	break;
		102	case EXIF_TAG_GPS_INFO_IFD_POINTER:
		103	CHECK_REC (EXIF_IFD_GPS);
		104	- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
		105	+ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
		106	+ recursion_cost + level_cost(n));
		107	break;
		108	case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
		109	CHECK_REC (EXIF_IFD_INTEROPERABILITY);
		110	- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
		111	+ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
		112	+ recursion_cost + level_cost(n));
		113	break;
		114	case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
		115	thumbnail_offset = o;


diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb index a6c9c647c8..d847beab18 100644 --- a/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -5,7 +5,9 @@ LICENSE = "LGPLv2.1"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"	5	LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
6		6
7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \	7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
8	file://CVE-2017-7544.patch"	8	file://CVE-2017-7544.patch \
		9	file://CVE-2016-6328.patch \
		10	file://CVE-2018-20030.patch"
9		11
10	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"	12	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
11	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"	13	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"