-rw-r--r--meta/recipes-support/libexif/libexif/CVE-2016-6328.patch64
-rw-r--r--meta/recipes-support/libexif/libexif/CVE-2018-20030.patch115
-rw-r--r--meta/recipes-support/libexif/libexif_0.6.21.bb4
3 files changed, 182 insertions, 1 deletions
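diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
new file mode 100644
index 0000000000..a6f307439b
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2016-6328
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ case EXIF_FORMAT_SHORT:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 2)
++ break;
+ vs = exif_get_short (data, entry->order);
+ snprintf (val+len, maxlen-len, "%i ", vs);
+ len = strlen(val);
+ data += 2;
++ sizeleft -= 2;
+ }
+ }
+ break;
+ case EXIF_FORMAT_LONG:
+ {
+ const unsigned char *data = entry->data;
+- size_t k, len = strlen(val);
++ size_t k, len = strlen(val), sizeleft;
++
++ sizeleft = entry->size;
+ for(k=0; k<entry->components; k++) {
++ if (sizeleft < 4)
++ break;
+ vl = exif_get_long (data, entry->order);
+ snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ len = strlen(val);
+ data += 4;
++ sizeleft -= 4;
+ }
+ }
+ break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ break;
+ }
+
+- return (val);
++ return val;
+ }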
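Review bot: The `CVE: CVE-2016-6328` tag presents this CVE as patched for the recipe, yet the upstream subject line says the commit "fixes some (not all) buffer overreads", and the visible hunk bounds only the EXIF_FORMAT_SHORT and EXIF_FORMAT_LONG loops of mnote_pentax_entry_get_value; the other cases of that switch lie outside the hunk. A free-text line in the patch header such as `Note: upstream describes this as a partial fix; only the SHORT and LONG value loops are bounded by entry->size` would keep anyone auditing CVE status from reading the tag as full coverage. The added `if (sizeleft < 2) break;` and `if (sizeleft < 4) break;` also stop silently, so a makernote whose `components` claims more values than `entry->size` holds produces a shorter string with no diagnostic; whether a log handle is reachable from this function is not visible here.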
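diff --git a/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
new file mode 100644
index 0000000000..76233e6dc9
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
+CVE: CVE-2018-20030
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags. This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 67df4db..8d9897e 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -344,6 +345,20 @@ if (data->ifd[(i)]->count) { \
+ break; \
+ }
+
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ * work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++ static const double log_1_1 = 0.09531017980432493;
++
++ /* Adding 0.1 protects against the case where n==1 */
++ return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+ *
+ * \param[in,out] data #ExifData
+@@ -351,13 +366,13 @@ if (data->ifd[(i)]->count) { \
+ * \param[in] d pointer to buffer containing raw IFD data
+ * \param[in] ds size of raw data in buffer at \c d
+ * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+ */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ const unsigned char *d,
+- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ ExifShort n;
+@@ -372,9 +387,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ return;
+
+- if (recursion_depth > 30) {
++ if (recursion_cost > 170) {
++ /*
++ * recursion_cost is a logarithmic-scale indicator of how expensive this
++ * recursive call might end up being. It is an indicator of the depth of
++ * recursion as well as the potential for worst-case future recursive
++ * calls. Since it's difficult to tell ahead of time how often recursion
++ * will occur, this assumes the worst by assuming every tag could end up
++ * causing recursion.
++ * The value of 170 was chosen to limit typical EXIF structures to a
++ * recursive depth of about 6, but pathological ones (those with very
++ * many tags) to only 2.
++ */
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+- "Deep recursion detected!");
++ "Deep/expensive recursion detected!");
+ return;
+ }
+
+@@ -416,15 +442,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ switch (tag) {
+ case EXIF_TAG_EXIF_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_EXIF);
+- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_GPS);
+- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ thumbnail_offset = o;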
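Review bot: level_cost() has undefined behaviour for `n == 0`, because `log(0 + 0.1)` is negative, `ceil()` keeps it negative, and converting a negative double to the `unsigned int` return type is undefined in C. The three call sites pass the IFD entry count `n` and presumably sit inside the per-entry loop where `n` is at least 1, but that loop is outside the hunk, so the precondition should be enforced or at least stated: `if (n == 0) return 0;` before the `return`, or a comment `/* n must be >= 1: log(0.1) < 0 and its conversion to unsigned int is undefined */`. The existing comment only covers `n==1`. The added `#include <math.h>` also makes `log` and `ceil` link-time dependencies, and nothing in this patch touches the link line, so confirm the library already links libm.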
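diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index b550a1125c..4cb7e6b8dd 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -5,7 +5,9 @@ LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
- file://CVE-2017-7544.patch"
+ file://CVE-2017-7544.patch \
+ file://CVE-2016-6328.patch \
+ file://CVE-2018-20030.patch"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"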