2 files changed, 76 insertions, 1 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+ subtags.
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks.  This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+Patch from Google.
+CVE-2020-13114
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+        ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+        ExifShort c;
+        size_t i, tcount, o, datao;
+       long failsafe_size = 0;
+ 
+        if (!n || !buf || !buf_size) {
+                exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+                        memcpy (n->entries[tcount].data, buf + dataofs, s);
+                }
+ 
+               /* Track the size of decoded tag data. A malicious file could
+                * be crafted to cause extremely large values here without
+                * tripping any buffer range checks.  This is especially bad
+                * with the libexif representation of Canon MakerNotes because
+                * some arrays are turned into individual tags that the
+                * application must loop around. */
+               failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+               if (failsafe_size > FAILSAFE_SIZE_MAX) {
+                       /* Abort if the total size of the data in the tags extraordinarily large, */
+                       exif_mem_free (ne->mem, n->entries[tcount].data);
+                       exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+                                         "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+                                         failsafe_size, FAILSAFE_SIZE_MAX);
+                       break;
+               }
+
+                /* Tag was successfully parsed */
+                ++tcount;
+        }
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb
index d847beab18..3f6fa32b25 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
           file://CVE-2017-7544.patch \
           file://CVE-2016-6328.patch \
-           file://CVE-2018-20030.patch"
+           file://CVE-2018-20030.patch \
+           file://CVE-2020-13114.patch \
+"
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"

diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch new file mode 100644 index 0000000000..06b8b46c21 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
		1	From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
		2	From: Dan Fandrich <dan@coneharvesters.com>
		3	Date: Sat, 16 May 2020 19:32:30 +0200
		4	Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
		5
		6	subtags.
		7
		8	A malicious file could be crafted to cause extremely large values in some
		9	tags without tripping any buffer range checks. This is bad with the libexif
		10	representation of Canon MakerNotes because some arrays are turned into
		11	individual tags that the application must loop around.
		12
		13	The largest value I've seen for failsafe_size in a (very small) sample of valid
		14	Canon files is <5000. The limit is set two orders of magnitude larger to avoid
		15	tripping up falsely in case some models use much larger values.
		16
		17	Patch from Google.
		18
		19	CVE-2020-13114
		20
		21	Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
		22	CVE: CVE-2020-13114
		23	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		24	---
		25	libexif/canon/exif-mnote-data-canon.c \| 21 +++++++++++++++++++++
		26	1 file changed, 21 insertions(+)
		27
		28	diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
		29	index eb53598..72fd7a3 100644
		30	--- a/libexif/canon/exif-mnote-data-canon.c
		31	+++ b/libexif/canon/exif-mnote-data-canon.c
		32	@@ -32,6 +32,9 @@
		33
		34	#define DEBUG
		35
		36	+/* Total size limit to prevent abuse by DoS */
		37	+#define FAILSAFE_SIZE_MAX 1000000L
		38	+
		39	static void
		40	exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
		41	{
		42	@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
		43	ExifMnoteDataCanon n = (ExifMnoteDataCanon ) ne;
		44	ExifShort c;
		45	size_t i, tcount, o, datao;
		46	+ long failsafe_size = 0;
		47
		48	if (!n \|\| !buf \|\| !buf_size) {
		49	exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
		50	@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
		51	memcpy (n->entries[tcount].data, buf + dataofs, s);
		52	}
		53
		54	+ /* Track the size of decoded tag data. A malicious file could
		55	+ * be crafted to cause extremely large values here without
		56	+ * tripping any buffer range checks. This is especially bad
		57	+ * with the libexif representation of Canon MakerNotes because
		58	+ * some arrays are turned into individual tags that the
		59	+ * application must loop around. */
		60	+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
		61	+
		62	+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
		63	+ /* Abort if the total size of the data in the tags extraordinarily large, */
		64	+ exif_mem_free (ne->mem, n->entries[tcount].data);
		65	+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
		66	+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
		67	+ failsafe_size, FAILSAFE_SIZE_MAX);
		68	+ break;
		69	+ }
		70	+
		71	/* Tag was successfully parsed */
		72	++tcount;
		73	}


diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb b/meta/recipes-support/libexif/libexif_0.6.21.bb index d847beab18..3f6fa32b25 100644 --- a/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \	7	SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
8	file://CVE-2017-7544.patch \	8	file://CVE-2017-7544.patch \
9	file://CVE-2016-6328.patch \	9	file://CVE-2016-6328.patch \
10	file://CVE-2018-20030.patch"	10	file://CVE-2018-20030.patch \
		11	file://CVE-2020-13114.patch \
		12	"
11		13
12	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"	14	SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
13	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"	15	SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"