diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2020-05-31 17:52:32 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-06-04 13:27:30 +0100 |
commit | 83ba71a3057dba1d8ac2f9c15663c9ba9ad833f4 (patch) | |
tree | 31f302cc5d55041dd3c280c51e5cec8d6c140032 /meta/recipes-support | |
parent | f13961a9d1f76769cad27cbebe981b5e7ec41c94 (diff) | |
download | poky-83ba71a3057dba1d8ac2f9c15663c9ba9ad833f4.tar.gz |
libexif: update to 0.6.22
(From OE-Core rev: 76e8c645cb2568c2dfa014af0eeac36d8f8b60ff)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
5 files changed, 19 insertions, 236 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch deleted file mode 100644 index a6f307439b..0000000000 --- a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch +++ /dev/null | |||
@@ -1,64 +0,0 @@ | |||
1 | CVE: CVE-2016-6328 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 | ||
6 | From: Marcus Meissner <marcus@jet.franken.de> | ||
7 | Date: Tue, 25 Jul 2017 23:44:44 +0200 | ||
8 | Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax | ||
9 | makernote entries. | ||
10 | |||
11 | This should fix: | ||
12 | https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 | ||
13 | --- | ||
14 | libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- | ||
15 | 1 file changed, 13 insertions(+), 3 deletions(-) | ||
16 | |||
17 | diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c | ||
18 | index d03d159..ea0429a 100644 | ||
19 | --- a/libexif/pentax/mnote-pentax-entry.c | ||
20 | +++ b/libexif/pentax/mnote-pentax-entry.c | ||
21 | @@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, | ||
22 | case EXIF_FORMAT_SHORT: | ||
23 | { | ||
24 | const unsigned char *data = entry->data; | ||
25 | - size_t k, len = strlen(val); | ||
26 | + size_t k, len = strlen(val), sizeleft; | ||
27 | + | ||
28 | + sizeleft = entry->size; | ||
29 | for(k=0; k<entry->components; k++) { | ||
30 | + if (sizeleft < 2) | ||
31 | + break; | ||
32 | vs = exif_get_short (data, entry->order); | ||
33 | snprintf (val+len, maxlen-len, "%i ", vs); | ||
34 | len = strlen(val); | ||
35 | data += 2; | ||
36 | + sizeleft -= 2; | ||
37 | } | ||
38 | } | ||
39 | break; | ||
40 | case EXIF_FORMAT_LONG: | ||
41 | { | ||
42 | const unsigned char *data = entry->data; | ||
43 | - size_t k, len = strlen(val); | ||
44 | + size_t k, len = strlen(val), sizeleft; | ||
45 | + | ||
46 | + sizeleft = entry->size; | ||
47 | for(k=0; k<entry->components; k++) { | ||
48 | + if (sizeleft < 4) | ||
49 | + break; | ||
50 | vl = exif_get_long (data, entry->order); | ||
51 | snprintf (val+len, maxlen-len, "%li", (long int) vl); | ||
52 | len = strlen(val); | ||
53 | data += 4; | ||
54 | + sizeleft -= 4; | ||
55 | } | ||
56 | } | ||
57 | break; | ||
58 | @@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, | ||
59 | break; | ||
60 | } | ||
61 | |||
62 | - return (val); | ||
63 | + return val; | ||
64 | } | ||
diff --git a/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch deleted file mode 100644 index e49481ff84..0000000000 --- a/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Tue, 28 Aug 2018 15:12:10 +0800 | ||
4 | Subject: [PATCH] On saving makernotes, make sure the makernote container tags | ||
5 | has a type with 1 byte components. | ||
6 | |||
7 | Fixes (at least): | ||
8 | https://sourceforge.net/p/libexif/bugs/130 | ||
9 | https://sourceforge.net/p/libexif/bugs/129 | ||
10 | |||
11 | Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ | ||
12 | c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd] | ||
13 | |||
14 | CVE: CVE-2017-7544 | ||
15 | |||
16 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
17 | --- | ||
18 | libexif/exif-data.c | 6 ++++++ | ||
19 | 1 file changed, 6 insertions(+) | ||
20 | |||
21 | diff --git a/libexif/exif-data.c b/libexif/exif-data.c | ||
22 | index 67df4db..6bf89eb 100644 | ||
23 | --- a/libexif/exif-data.c | ||
24 | +++ b/libexif/exif-data.c | ||
25 | @@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, | ||
26 | exif_mnote_data_set_offset (data->priv->md, *ds - 6); | ||
27 | exif_mnote_data_save (data->priv->md, &e->data, &e->size); | ||
28 | e->components = e->size; | ||
29 | + if (exif_format_get_size (e->format) != 1) { | ||
30 | + /* e->format is taken from input code, | ||
31 | + * but we need to make sure it is a 1 byte | ||
32 | + * entity due to the multiplication below. */ | ||
33 | + e->format = EXIF_FORMAT_UNDEFINED; | ||
34 | + } | ||
35 | } | ||
36 | } | ||
37 | |||
38 | -- | ||
39 | 2.7.4 | ||
40 | |||
diff --git a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch deleted file mode 100644 index 76233e6dc9..0000000000 --- a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch +++ /dev/null | |||
@@ -1,115 +0,0 @@ | |||
1 | CVE: CVE-2018-20030 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 | ||
6 | From: Dan Fandrich <dan@coneharvesters.com> | ||
7 | Date: Fri, 12 Oct 2018 16:01:45 +0200 | ||
8 | Subject: [PATCH] Improve deep recursion detection in | ||
9 | exif_data_load_data_content. | ||
10 | |||
11 | The existing detection was still vulnerable to pathological cases | ||
12 | causing DoS by wasting CPU. The new algorithm takes the number of tags | ||
13 | into account to make it harder to abuse by cases using shallow recursion | ||
14 | but with a very large number of tags. This improves on commit 5d28011c | ||
15 | which wasn't sufficient to counter this kind of case. | ||
16 | |||
17 | The limitation in the previous fix was discovered by Laurent Delosieres, | ||
18 | Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned | ||
19 | the identifier CVE-2018-20030. | ||
20 | |||
21 | diff --git a/libexif/exif-data.c b/libexif/exif-data.c | ||
22 | index 67df4db..8d9897e 100644 | ||
23 | --- a/libexif/exif-data.c | ||
24 | +++ b/libexif/exif-data.c | ||
25 | @@ -35,6 +35,7 @@ | ||
26 | #include <libexif/olympus/exif-mnote-data-olympus.h> | ||
27 | #include <libexif/pentax/exif-mnote-data-pentax.h> | ||
28 | |||
29 | +#include <math.h> | ||
30 | #include <stdlib.h> | ||
31 | #include <stdio.h> | ||
32 | #include <string.h> | ||
33 | @@ -344,6 +345,20 @@ if (data->ifd[(i)]->count) { \ | ||
34 | break; \ | ||
35 | } | ||
36 | |||
37 | +/*! Calculate the recursion cost added by one level of IFD loading. | ||
38 | + * | ||
39 | + * The work performed is related to the cost in the exponential relation | ||
40 | + * work=1.1**cost | ||
41 | + */ | ||
42 | +static unsigned int | ||
43 | +level_cost(unsigned int n) | ||
44 | +{ | ||
45 | + static const double log_1_1 = 0.09531017980432493; | ||
46 | + | ||
47 | + /* Adding 0.1 protects against the case where n==1 */ | ||
48 | + return ceil(log(n + 0.1)/log_1_1); | ||
49 | +} | ||
50 | + | ||
51 | /*! Load data for an IFD. | ||
52 | * | ||
53 | * \param[in,out] data #ExifData | ||
54 | @@ -351,13 +366,13 @@ if (data->ifd[(i)]->count) { \ | ||
55 | * \param[in] d pointer to buffer containing raw IFD data | ||
56 | * \param[in] ds size of raw data in buffer at \c d | ||
57 | * \param[in] offset offset into buffer at \c d at which IFD starts | ||
58 | - * \param[in] recursion_depth number of times this function has been | ||
59 | - * recursively called without returning | ||
60 | + * \param[in] recursion_cost factor indicating how expensive this recursive | ||
61 | + * call could be | ||
62 | */ | ||
63 | static void | ||
64 | exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
65 | const unsigned char *d, | ||
66 | - unsigned int ds, unsigned int offset, unsigned int recursion_depth) | ||
67 | + unsigned int ds, unsigned int offset, unsigned int recursion_cost) | ||
68 | { | ||
69 | ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; | ||
70 | ExifShort n; | ||
71 | @@ -372,9 +387,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
72 | if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) | ||
73 | return; | ||
74 | |||
75 | - if (recursion_depth > 30) { | ||
76 | + if (recursion_cost > 170) { | ||
77 | + /* | ||
78 | + * recursion_cost is a logarithmic-scale indicator of how expensive this | ||
79 | + * recursive call might end up being. It is an indicator of the depth of | ||
80 | + * recursion as well as the potential for worst-case future recursive | ||
81 | + * calls. Since it's difficult to tell ahead of time how often recursion | ||
82 | + * will occur, this assumes the worst by assuming every tag could end up | ||
83 | + * causing recursion. | ||
84 | + * The value of 170 was chosen to limit typical EXIF structures to a | ||
85 | + * recursive depth of about 6, but pathological ones (those with very | ||
86 | + * many tags) to only 2. | ||
87 | + */ | ||
88 | exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", | ||
89 | - "Deep recursion detected!"); | ||
90 | + "Deep/expensive recursion detected!"); | ||
91 | return; | ||
92 | } | ||
93 | |||
94 | @@ -416,15 +442,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
95 | switch (tag) { | ||
96 | case EXIF_TAG_EXIF_IFD_POINTER: | ||
97 | CHECK_REC (EXIF_IFD_EXIF); | ||
98 | - exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); | ||
99 | + exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, | ||
100 | + recursion_cost + level_cost(n)); | ||
101 | break; | ||
102 | case EXIF_TAG_GPS_INFO_IFD_POINTER: | ||
103 | CHECK_REC (EXIF_IFD_GPS); | ||
104 | - exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); | ||
105 | + exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, | ||
106 | + recursion_cost + level_cost(n)); | ||
107 | break; | ||
108 | case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: | ||
109 | CHECK_REC (EXIF_IFD_INTEROPERABILITY); | ||
110 | - exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); | ||
111 | + exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, | ||
112 | + recursion_cost + level_cost(n)); | ||
113 | break; | ||
114 | case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: | ||
115 | thumbnail_offset = o; | ||
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb deleted file mode 100644 index d847beab18..0000000000 --- a/meta/recipes-support/libexif/libexif_0.6.21.bb +++ /dev/null | |||
@@ -1,17 +0,0 @@ | |||
1 | SUMMARY = "Library for reading extended image information (EXIF) from JPEG files" | ||
2 | HOMEPAGE = "http://sourceforge.net/projects/libexif" | ||
3 | SECTION = "libs" | ||
4 | LICENSE = "LGPLv2.1" | ||
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" | ||
6 | |||
7 | SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ | ||
8 | file://CVE-2017-7544.patch \ | ||
9 | file://CVE-2016-6328.patch \ | ||
10 | file://CVE-2018-20030.patch" | ||
11 | |||
12 | SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27" | ||
13 | SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a" | ||
14 | |||
15 | inherit autotools gettext | ||
16 | |||
17 | EXTRA_OECONF += "--disable-docs" | ||
diff --git a/meta/recipes-support/libexif/libexif_0.6.22.bb b/meta/recipes-support/libexif/libexif_0.6.22.bb new file mode 100644 index 0000000000..a520d5c9f9 --- /dev/null +++ b/meta/recipes-support/libexif/libexif_0.6.22.bb | |||
@@ -0,0 +1,19 @@ | |||
1 | SUMMARY = "Library for reading extended image information (EXIF) from JPEG files" | ||
2 | HOMEPAGE = "https://libexif.github.io/" | ||
3 | SECTION = "libs" | ||
4 | LICENSE = "LGPLv2.1" | ||
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" | ||
6 | |||
7 | def version_underscore(v): | ||
8 | return "_".join(v.split(".")) | ||
9 | |||
10 | SRC_URI = "https://github.com/libexif/libexif/releases/download/libexif-${@version_underscore("${PV}")}-release/libexif-${PV}.tar.xz \ | ||
11 | " | ||
12 | |||
13 | SRC_URI[sha256sum] = "5048f1c8fc509cc636c2f97f4b40c293338b6041a5652082d5ee2cf54b530c56" | ||
14 | |||
15 | UPSTREAM_CHECK_URI = "https://github.com/libexif/libexif/releases/" | ||
16 | |||
17 | inherit autotools gettext | ||
18 | |||
19 | EXTRA_OECONF += "--disable-docs" | ||