diff options
-rw-r--r-- | meta/recipes-support/libexif/libexif/CVE-2016-6328.patch | 64 | ||||
-rw-r--r-- | meta/recipes-support/libexif/libexif/CVE-2018-20030.patch | 115 | ||||
-rw-r--r-- | meta/recipes-support/libexif/libexif_0.6.21.bb | 4 |
3 files changed, 182 insertions, 1 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch new file mode 100644 index 0000000000..a6f307439b --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | CVE: CVE-2016-6328 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 | ||
6 | From: Marcus Meissner <marcus@jet.franken.de> | ||
7 | Date: Tue, 25 Jul 2017 23:44:44 +0200 | ||
8 | Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax | ||
9 | makernote entries. | ||
10 | |||
11 | This should fix: | ||
12 | https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 | ||
13 | --- | ||
14 | libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- | ||
15 | 1 file changed, 13 insertions(+), 3 deletions(-) | ||
16 | |||
17 | diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c | ||
18 | index d03d159..ea0429a 100644 | ||
19 | --- a/libexif/pentax/mnote-pentax-entry.c | ||
20 | +++ b/libexif/pentax/mnote-pentax-entry.c | ||
21 | @@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, | ||
22 | case EXIF_FORMAT_SHORT: | ||
23 | { | ||
24 | const unsigned char *data = entry->data; | ||
25 | - size_t k, len = strlen(val); | ||
26 | + size_t k, len = strlen(val), sizeleft; | ||
27 | + | ||
28 | + sizeleft = entry->size; | ||
29 | for(k=0; k<entry->components; k++) { | ||
30 | + if (sizeleft < 2) | ||
31 | + break; | ||
32 | vs = exif_get_short (data, entry->order); | ||
33 | snprintf (val+len, maxlen-len, "%i ", vs); | ||
34 | len = strlen(val); | ||
35 | data += 2; | ||
36 | + sizeleft -= 2; | ||
37 | } | ||
38 | } | ||
39 | break; | ||
40 | case EXIF_FORMAT_LONG: | ||
41 | { | ||
42 | const unsigned char *data = entry->data; | ||
43 | - size_t k, len = strlen(val); | ||
44 | + size_t k, len = strlen(val), sizeleft; | ||
45 | + | ||
46 | + sizeleft = entry->size; | ||
47 | for(k=0; k<entry->components; k++) { | ||
48 | + if (sizeleft < 4) | ||
49 | + break; | ||
50 | vl = exif_get_long (data, entry->order); | ||
51 | snprintf (val+len, maxlen-len, "%li", (long int) vl); | ||
52 | len = strlen(val); | ||
53 | data += 4; | ||
54 | + sizeleft -= 4; | ||
55 | } | ||
56 | } | ||
57 | break; | ||
58 | @@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, | ||
59 | break; | ||
60 | } | ||
61 | |||
62 | - return (val); | ||
63 | + return val; | ||
64 | } | ||
diff --git a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch new file mode 100644 index 0000000000..76233e6dc9 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch | |||
@@ -0,0 +1,115 @@ | |||
1 | CVE: CVE-2018-20030 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 | ||
6 | From: Dan Fandrich <dan@coneharvesters.com> | ||
7 | Date: Fri, 12 Oct 2018 16:01:45 +0200 | ||
8 | Subject: [PATCH] Improve deep recursion detection in | ||
9 | exif_data_load_data_content. | ||
10 | |||
11 | The existing detection was still vulnerable to pathological cases | ||
12 | causing DoS by wasting CPU. The new algorithm takes the number of tags | ||
13 | into account to make it harder to abuse by cases using shallow recursion | ||
14 | but with a very large number of tags. This improves on commit 5d28011c | ||
15 | which wasn't sufficient to counter this kind of case. | ||
16 | |||
17 | The limitation in the previous fix was discovered by Laurent Delosieres, | ||
18 | Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned | ||
19 | the identifier CVE-2018-20030. | ||
20 | |||
21 | diff --git a/libexif/exif-data.c b/libexif/exif-data.c | ||
22 | index 67df4db..8d9897e 100644 | ||
23 | --- a/libexif/exif-data.c | ||
24 | +++ b/libexif/exif-data.c | ||
25 | @@ -35,6 +35,7 @@ | ||
26 | #include <libexif/olympus/exif-mnote-data-olympus.h> | ||
27 | #include <libexif/pentax/exif-mnote-data-pentax.h> | ||
28 | |||
29 | +#include <math.h> | ||
30 | #include <stdlib.h> | ||
31 | #include <stdio.h> | ||
32 | #include <string.h> | ||
33 | @@ -344,6 +345,20 @@ if (data->ifd[(i)]->count) { \ | ||
34 | break; \ | ||
35 | } | ||
36 | |||
37 | +/*! Calculate the recursion cost added by one level of IFD loading. | ||
38 | + * | ||
39 | + * The work performed is related to the cost in the exponential relation | ||
40 | + * work=1.1**cost | ||
41 | + */ | ||
42 | +static unsigned int | ||
43 | +level_cost(unsigned int n) | ||
44 | +{ | ||
45 | + static const double log_1_1 = 0.09531017980432493; | ||
46 | + | ||
47 | + /* Adding 0.1 protects against the case where n==1 */ | ||
48 | + return ceil(log(n + 0.1)/log_1_1); | ||
49 | +} | ||
50 | + | ||
51 | /*! Load data for an IFD. | ||
52 | * | ||
53 | * \param[in,out] data #ExifData | ||
54 | @@ -351,13 +366,13 @@ if (data->ifd[(i)]->count) { \ | ||
55 | * \param[in] d pointer to buffer containing raw IFD data | ||
56 | * \param[in] ds size of raw data in buffer at \c d | ||
57 | * \param[in] offset offset into buffer at \c d at which IFD starts | ||
58 | - * \param[in] recursion_depth number of times this function has been | ||
59 | - * recursively called without returning | ||
60 | + * \param[in] recursion_cost factor indicating how expensive this recursive | ||
61 | + * call could be | ||
62 | */ | ||
63 | static void | ||
64 | exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
65 | const unsigned char *d, | ||
66 | - unsigned int ds, unsigned int offset, unsigned int recursion_depth) | ||
67 | + unsigned int ds, unsigned int offset, unsigned int recursion_cost) | ||
68 | { | ||
69 | ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; | ||
70 | ExifShort n; | ||
71 | @@ -372,9 +387,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
72 | if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) | ||
73 | return; | ||
74 | |||
75 | - if (recursion_depth > 30) { | ||
76 | + if (recursion_cost > 170) { | ||
77 | + /* | ||
78 | + * recursion_cost is a logarithmic-scale indicator of how expensive this | ||
79 | + * recursive call might end up being. It is an indicator of the depth of | ||
80 | + * recursion as well as the potential for worst-case future recursive | ||
81 | + * calls. Since it's difficult to tell ahead of time how often recursion | ||
82 | + * will occur, this assumes the worst by assuming every tag could end up | ||
83 | + * causing recursion. | ||
84 | + * The value of 170 was chosen to limit typical EXIF structures to a | ||
85 | + * recursive depth of about 6, but pathological ones (those with very | ||
86 | + * many tags) to only 2. | ||
87 | + */ | ||
88 | exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", | ||
89 | - "Deep recursion detected!"); | ||
90 | + "Deep/expensive recursion detected!"); | ||
91 | return; | ||
92 | } | ||
93 | |||
94 | @@ -416,15 +442,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, | ||
95 | switch (tag) { | ||
96 | case EXIF_TAG_EXIF_IFD_POINTER: | ||
97 | CHECK_REC (EXIF_IFD_EXIF); | ||
98 | - exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); | ||
99 | + exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, | ||
100 | + recursion_cost + level_cost(n)); | ||
101 | break; | ||
102 | case EXIF_TAG_GPS_INFO_IFD_POINTER: | ||
103 | CHECK_REC (EXIF_IFD_GPS); | ||
104 | - exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); | ||
105 | + exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, | ||
106 | + recursion_cost + level_cost(n)); | ||
107 | break; | ||
108 | case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: | ||
109 | CHECK_REC (EXIF_IFD_INTEROPERABILITY); | ||
110 | - exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); | ||
111 | + exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, | ||
112 | + recursion_cost + level_cost(n)); | ||
113 | break; | ||
114 | case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: | ||
115 | thumbnail_offset = o; | ||
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb index b550a1125c..4cb7e6b8dd 100644 --- a/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/meta/recipes-support/libexif/libexif_0.6.21.bb | |||
@@ -5,7 +5,9 @@ LICENSE = "LGPLv2.1" | |||
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" | 5 | LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" |
6 | 6 | ||
7 | SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ | 7 | SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ |
8 | file://CVE-2017-7544.patch" | 8 | file://CVE-2017-7544.patch \ |
9 | file://CVE-2016-6328.patch \ | ||
10 | file://CVE-2018-20030.patch" | ||
9 | 11 | ||
10 | SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27" | 12 | SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27" |
11 | SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a" | 13 | SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a" |