libexif: fix CVE-2020-13114

(From OE-Core rev: 2e497029ee00babbc50f3c1d99580230bc46155c) (From OE-Core rev: 221e42c20148bb57986dfa862b352b9264694003) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-07-09 00:07:49 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-08-04 23:17:37 +0100
commit: ea0d41cdfb46b683b3421fec3733e83dbd05a6ab (patch)
tree: 72e306719e1af949a4be8a0dde3e1f3f23adb9f6
parent: 46809da0bb0221ab96bde218a9398d58da38a4c0 (diff)
download: poky-ea0d41cdfb46b683b3421fec3733e83dbd05a6ab.tar.gz
2 files changed, 76 insertions, 1 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+ subtags.
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks.  This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+Patch from Google.
+CVE-2020-13114
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+        ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+        ExifShort c;
+        size_t i, tcount, o, datao;
+       long failsafe_size = 0;
+ 
+        if (!n || !buf || !buf_size) {
+                exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+                        memcpy (n->entries[tcount].data, buf + dataofs, s);
+                }
+ 
+               /* Track the size of decoded tag data. A malicious file could
+                * be crafted to cause extremely large values here without
+                * tripping any buffer range checks.  This is especially bad
+                * with the libexif representation of Canon MakerNotes because
+                * some arrays are turned into individual tags that the
+                * application must loop around. */
+               failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+               if (failsafe_size > FAILSAFE_SIZE_MAX) {
+                       /* Abort if the total size of the data in the tags extraordinarily large, */
+                       exif_mem_free (ne->mem, n->entries[tcount].data);
+                       exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+                                         "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+                                         failsafe_size, FAILSAFE_SIZE_MAX);
+                       break;
+               }
+
+                /* Tag was successfully parsed */
+                ++tcount;
+        }
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index d847beab18..3f6fa32b25 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
           file://CVE-2017-7544.patch \
           file://CVE-2016-6328.patch \
-           file://CVE-2018-20030.patch"
+           file://CVE-2018-20030.patch \
+           file://CVE-2020-13114.patch \
+"
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-07-09 00:07:49 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-08-04 23:17:37 +0100
commit	ea0d41cdfb46b683b3421fec3733e83dbd05a6ab (patch)
tree	72e306719e1af949a4be8a0dde3e1f3f23adb9f6
parent	46809da0bb0221ab96bde218a9398d58da38a4c0 (diff)
download	poky-ea0d41cdfb46b683b3421fec3733e83dbd05a6ab.tar.gz

diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch new file mode 100644 index 0000000000..06b8b46c21 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
		1	From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
		2	From: Dan Fandrich <dan@coneharvesters.com>
		3	Date: Sat, 16 May 2020 19:32:30 +0200
		4	Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
		5
		6	subtags.
		7
		8	A malicious file could be crafted to cause extremely large values in some
		9	tags without tripping any buffer range checks. This is bad with the libexif
		10	representation of Canon MakerNotes because some arrays are turned into
		11	individual tags that the application must loop around.
		12
		13	The largest value I've seen for failsafe_size in a (very small) sample of valid
		14	Canon files is <5000. The limit is set two orders of magnitude larger to avoid
		15	tripping up falsely in case some models use much larger values.
		16
		17	Patch from Google.
		18
		19	CVE-2020-13114
		20
		21	Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
		22	CVE: CVE-2020-13114
		23	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		24	---
		25	libexif/canon/exif-mnote-data-canon.c \| 21 +++++++++++++++++++++
		26	1 file changed, 21 insertions(+)
		27
		28	diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
		29	index eb53598..72fd7a3 100644
		30	--- a/libexif/canon/exif-mnote-data-canon.c
		31	+++ b/libexif/canon/exif-mnote-data-canon.c
		32	@@ -32,6 +32,9 @@
		33
		34	#define DEBUG
		35
		36	+/* Total size limit to prevent abuse by DoS */
		37	+#define FAILSAFE_SIZE_MAX 1000000L
		38	+
		39	static void
		40	exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
		41	{
		42	@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
		43	ExifMnoteDataCanon n = (ExifMnoteDataCanon ) ne;
		44	ExifShort c;
		45	size_t i, tcount, o, datao;
		46	+ long failsafe_size = 0;
		47
		48	if (!n \|\| !buf \|\| !buf_size) {
		49	exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
		50	@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
		51	memcpy (n->entries[tcount].data, buf + dataofs, s);
		52	}
		53
		54	+ /* Track the size of decoded tag data. A malicious file could
		55	+ * be crafted to cause extremely large values here without
		56	+ * tripping any buffer range checks. This is especially bad
		57	+ * with the libexif representation of Canon MakerNotes because
		58	+ * some arrays are turned into individual tags that the
		59	+ * application must loop around. */
		60	+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
		61	+
		62	+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
		63	+ /* Abort if the total size of the data in the tags extraordinarily large, */
		64	+ exif_mem_free (ne->mem, n->entries[tcount].data);
		65	+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
		66	+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
		67	+ failsafe_size, FAILSAFE_SIZE_MAX);
		68	+ break;
		69	+ }
		70	+
		71	/* Tag was successfully parsed */
		72	++tcount;
		73	}


diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb index d847beab18..3f6fa32b25 100644 --- a/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \	7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
8	file://CVE-2017-7544.patch \	8	file://CVE-2017-7544.patch \
9	file://CVE-2016-6328.patch \	9	file://CVE-2016-6328.patch \
10	file://CVE-2018-20030.patch"	10	file://CVE-2018-20030.patch \
		11	file://CVE-2020-13114.patch \
		12	"
11		13
12	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"	14	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
13	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"	15	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"