From ea0d41cdfb46b683b3421fec3733e83dbd05a6ab Mon Sep 17 00:00:00 2001
From: Lee Chee Yang
Date: Thu, 9 Jul 2020 00:07:49 +0300
Subject: libexif: fix CVE-2020-13114
(From OE-Core rev: 2e497029ee00babbc50f3c1d99580230bc46155c)
(From OE-Core rev: 221e42c20148bb57986dfa862b352b9264694003)
Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
Signed-off-by: Adrian Bunk
Signed-off-by: Anuj Mittal
Signed-off-by: Richard Purdie
---
 .../libexif/libexif/CVE-2020-13114.patch | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
(limited to 'meta/recipes-support/libexif/libexif/CVE-2020-13114.patch')
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks. This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+
+ #define DEBUG
+
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+
++ /* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }
-- cgit v1.2.3-54-g00ecf
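Review bot: The new exif_log call in the third inner hunk prints `failsafe_size`, declared `long` in the second inner hunk, with `%lu`, which mismatches the argument's signed type; the format line should read `"ExifMnoteCanon", "Failsafe tag size overflow (%ld > %ld)",` so both operands use the signed conversion. The check runs only after the entry's data has already been allocated and copied by the `memcpy` above it, so it bounds the running total of decoded values across entries rather than any single entry, which is fine for its purpose but worth stating in the comment above `failsafe_size +=`. The added comment `/* Abort if the total size of the data in the tags extraordinarily large, */` is missing a verb; suggest `/* Abort if the total size of the data in the tags is extraordinarily large. */`. The enclosing exif_mnote_data_canon_load body starts and ends outside the hunk, so whether `tcount` is later stored as the entry count after the `break` (leaving the freed entry uncounted) cannot be confirmed here.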