packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 fix CVE-2019-13109

Browse Source 
Merge pull request !5 from wangchen/exiv2-branch
This commit is contained in:
openeuler-ci-bot 2020-05-06 10:57:47 +08:00 committed by Gitee
commit b80d061fd9
4 changed files with 129 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
backport-CVE-2019-13109.patch Normal file
View File

@ -0,0 +1,36 @@
From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 25 Apr 2019 21:31:50 +0100
Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
chunkLength`.
This fixes #790.
(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
---
src/pngimage.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 49c8336..435dd3b 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "image_int.hpp"
#include "basicio.hpp"
#include "error.hpp"
+#include "enforce.hpp"
#include "futils.hpp"
#include "types.hpp"
@@ -480,6 +481,7 @@ namespace Exiv2 {
}
++iccOffset; // +1 = 'compressed' flag
+ enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
#ifdef DEBUG
--
1.8.3.1

47
backport-Fix-ICC-profile-in-PNG-images.patch Normal file
View File

@ -0,0 +1,47 @@
From 466acf56a13a1afa88cefbb249b535088d077c20 Mon Sep 17 00:00:00 2001
From: Luis Diaz Mas <piponazo@gmail.com>
Date: Tue, 25 Dec 2018 16:54:26 +0100
Subject: [PATCH] Fix ICC profile in PNG images
(cherry picked from commit 9a38066b8eddf3948696a3362aac29e012ebe690)
---
src/pngimage.cpp | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index ed7399a..49c8336 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -468,7 +468,20 @@ namespace Exiv2 {
}
else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4))
{
- zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag
+ // The ICC profile name can vary from 1-79 characters.
+ uint32_t iccOffset = 0;
+ while (iccOffset < 80 && iccOffset < dataOffset) {
+
+ const byte* profileName = cdataBuf.pData_ + iccOffset;
+ ++iccOffset;
+
+ if (*profileName == 0x00)
+ break;
+ }
+
+ ++iccOffset; // +1 = 'compressed' flag
+
+ zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
#ifdef DEBUG
std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset << std::endl;
std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
@@ -627,6 +640,7 @@ namespace Exiv2 {
// calculate CRC
uLong tmp = crc32(0L, Z_NULL, 0);
+ tmp = crc32(tmp, (const Bytef*)type ,typeLen);
tmp = crc32(tmp, (const Bytef*)header ,headerLen);
tmp = crc32(tmp, (const Bytef*)compressed.pData_,compressed.size_);
byte crc[4];
--
1.8.3.1

36
exiv2 Normal file
View File

@ -0,0 +1,36 @@
From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 25 Apr 2019 21:31:50 +0100
Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
chunkLength`.
This fixes #790.
(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
---
src/pngimage.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 49c8336..435dd3b 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "image_int.hpp"
#include "basicio.hpp"
#include "error.hpp"
+#include "enforce.hpp"
#include "futils.hpp"
#include "types.hpp"
@@ -480,6 +481,7 @@ namespace Exiv2 {
}
++iccOffset; // +1 = 'compressed' flag
+ enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
#ifdef DEBUG
--
1.8.3.1

11
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.26 Version: 0.26
Release: 18 Release: 19
Summary: Exif, IPTC and XMP metadata and the ICC Profile Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
@ -54,6 +54,8 @@ Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
Patch6022: CVE-2018-4868.patch Patch6022: CVE-2018-4868.patch
Patch6023: backport-CVE-2018-10772.patch Patch6023: backport-CVE-2018-10772.patch
Patch6024: CVE-2018-11037.patch Patch6024: CVE-2018-11037.patch
Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
Patch6026: backport-CVE-2019-13109.patch
Provides: exiv2-libs Provides: exiv2-libs
Obsoletes: exiv2-libs Obsoletes: exiv2-libs
@ -117,6 +119,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/ %{_datadir}/doc/html/
%changelog %changelog
* Tue Apr 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-19
- Type:cves
- ID:CVE-2019-13109
- SUG:NA
- DESC:fix CVE-2019-13109
fix ICC profile in PNG images
* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18 * Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18
- Type:cves - Type:cves
- ID:CVE-2018-11037 - ID:CVE-2018-11037