packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 fix CVE-2021-29457 CVE-2021-29458

Browse Source 
From: @kerongw
Reviewed-by: @linker99,@yanan-rock
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2021-04-30 09:18:30 +08:00 committed by Gitee
commit 587356ebec
3 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-CVE-2021-29457.patch Normal file
View File

@ -0,0 +1,29 @@
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529
---
src/jp2image.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b21f7f1..917d115 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -756,9 +756,10 @@ namespace Exiv2
#endif
box.length = io_->size() - io_->tell() + 8;
}
- if (box.length == 1)
+ if (box.length < 8)
{
- // FIXME. Special case. the real box size is given in another place.
+ // box is broken, so there is nothing we can do here
+ throw Error(kerCorruptedMetadata);
}
// Read whole box : Box header + Box data (not fixed size - can be null).
--
2.23.0

29
backport-CVE-2021-29458.patch Normal file
View File

@ -0,0 +1,29 @@
From c98d372b48adc6de859dc04e2e0c33441cfe136c Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:11:38 +0200
Subject: [PATCH] Fix out of buffer access in #1530
---
src/crwimage_int.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
index a44a67e2c..9155e0042 100644
--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
@@ -1186,11 +1186,13 @@ namespace Exiv2 {
CiffComponent* cc = pHead->findComponent(pCrwMapping->crwTagId_,
pCrwMapping->crwDir_);
if (edX != edEnd || edY != edEnd || edO != edEnd) {
- uint32_t size = 28;
+ size_t size = 28;
if (cc && cc->size() > size) size = cc->size();
DataBuf buf(size);
std::memset(buf.pData_, 0x0, buf.size_);
- if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+ if (cc && cc->size() > 8) {
+ std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+ }
if (edX != edEnd && edX->size() == 4) {
edX->copy(buf.pData_, pHead->byteOrder());
}

10
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.26 Version: 0.26
Release: 23 Release: 24
Summary: Exif, IPTC and XMP metadata and the ICC Profile Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
@ -59,6 +59,8 @@ Patch6026: backport-CVE-2019-13109.patch
Patch6027: exiv2-CVE-2019-13111.patch Patch6027: exiv2-CVE-2019-13111.patch
Patch6028: CVE-2018-9145.patch Patch6028: CVE-2018-9145.patch
Patch6029: CVE-2021-3482.patch Patch6029: CVE-2021-3482.patch
Patch6030: backport-CVE-2021-29457.patch
Patch6031: backport-CVE-2021-29458.patch
Provides: exiv2-libs Provides: exiv2-libs
Obsoletes: exiv2-libs Obsoletes: exiv2-libs
@ -122,6 +124,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/ %{_datadir}/doc/html/
%changelog %changelog
* Thu Apr 29 2021 wangkerong <wangkerong@huawei.com> - 0.26-24
- Type:cves
- ID:CVE-2021-29457 CVE-2021-29458
- SUG:NA
- DESC:fix CVE-2021-29457,CVE-2021-29458
* Thu Apr 22 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.26-23 * Thu Apr 22 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.26-23
- Type:cves - Type:cves
- ID:CVE-2021-3482 - ID:CVE-2021-3482