packages/libexif
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!6 update to 0.6.22

Browse Source 
Merge pull request !6 from yanan-rock/master
This commit is contained in:
openeuler-ci-bot 2020-08-10 14:09:24 +08:00 committed by Gitee
commit 1d25cd2c45
11 changed files with 75 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
41bd04234b104312f54d25822f68738ba8d7133d.patch
View File

@ -1,60 +0,0 @@
From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:44:44 +0200
Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
makernote entries.
This should fix:
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
---
libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index d03d159..ea0429a 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
case EXIF_FORMAT_SHORT:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
vs = exif_get_short (data, entry->order);
snprintf (val+len, maxlen-len, "%i ", vs);
len = strlen(val);
data += 2;
+ sizeleft -= 2;
}
}
break;
case EXIF_FORMAT_LONG:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
vl = exif_get_long (data, entry->order);
snprintf (val+len, maxlen-len, "%li", (long int) vl);
len = strlen(val);
data += 4;
+ sizeleft -= 4;
}
}
break;
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
break;
}
- return (val);
+ return val;
}

93
CVE-2018-20030.patch
View File

@ -1,93 +0,0 @@
--- libexif-0.6.21-bak/libexif/exif-data.c 2019-06-13 21:49:15.711000000 -0400
+++ libexif-0.6.21/libexif/exif-data.c 2019-06-13 23:31:41.672000000 -0400
@@ -35,6 +35,7 @@
#include <libexif/olympus/exif-mnote-data-olympus.h>
#include <libexif/pentax/exif-mnote-data-pentax.h>
+#include <math.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
break; \
}
+/*! Calculate the recursion cost added by one level of IFD loading.
+ *
+ * The work performed is related to the cost in the exponential relation
+ * work=1.1**cost
+ */
+static unsigned int
+level_cost(unsigned int n)
+{
+ static const double log_1_1 = 0.09531017980432493;
+
+ /* Adding 0.1 protects against the case where n==1 */
+ return ceil(log(n + 0.1)/log_1_1);
+}
+
/*! Load data for an IFD.
*
* \param[in,out] data #ExifData
@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
* \param[in] d pointer to buffer containing raw IFD data
* \param[in] ds size of raw data in buffer at \c d
* \param[in] offset offset into buffer at \c d at which IFD starts
- * \param[in] recursion_depth number of times this function has been
- * recursively called without returning
+ * \param[in] recursion_cost factor indicating how expensive this recursive
+ * call could be
*/
static void
exif_data_load_data_content (ExifData *data, ExifIfd ifd,
const unsigned char *d,
- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
+ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
{
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
ExifShort n;
@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *d
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
- if (recursion_depth > 30) {
+ if (recursion_cost > 170) {
+ /*
+ * recursion_cost is a logarithmic-scale indicator of how expensive this
+ * recursive call might end up being. It is an indicator of the depth of
+ * recursion as well as the potential for worst-case future recursive
+ * calls. Since it's difficult to tell ahead of time how often recursion
+ * will occur, this assumes the worst by assuming every tag could end up
+ * causing recursion.
+ * The value of 170 was chosen to limit typical EXIF structures to a
+ * recursive depth of about 6, but pathological ones (those with very
+ * many tags) to only 2.
+ */
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Deep recursion detected!");
+ "Deep/expensive recursion detected!");
return;
}
@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *d
switch (tag) {
case EXIF_TAG_EXIF_IFD_POINTER:
CHECK_REC (EXIF_IFD_EXIF);
- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_GPS_INFO_IFD_POINTER:
CHECK_REC (EXIF_IFD_GPS);
- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
CHECK_REC (EXIF_IFD_INTEROPERABILITY);
- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
thumbnail_offset = o;

58
CVE-2020-0198.patch Normal file
View File

@ -0,0 +1,58 @@
From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Mon, 8 Jun 2020 17:27:06 +0200
Subject: [PATCH] fixed another unsigned integer overflow
first fixed by google in android fork,
https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
(use a more generic overflow check method, also check second overflow instance.)
https://security-tracker.debian.org/tracker/CVE-2020-0198
---
libexif/exif-data.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 8b280d3..b495726 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -47,6 +47,8 @@
#undef JPEG_MARKER_APP1
#define JPEG_MARKER_APP1 0xe1
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
struct _ExifDataPrivate
@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
return;
}
- if (s > ds - o) {
+ if (CHECKOVERFLOW(o,ds,s)) {
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
return;
}
@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
}
/* Read the number of entries */
- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+ if (CHECKOVERFLOW(offset, ds, 2)) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Tag data past end of buffer (%u > %u)", offset+2, ds);
+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
return;
}
n = exif_get_short (d + offset, data->priv->order);
@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
offset += 2;
/* Check if we have enough data. */
- if (offset + 12 * n > ds) {
+ if (CHECKOVERFLOW(offset, ds, 12*n)) {
n = (ds - offset) / 12;
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"Short data; only loading %hu entries...", n);

BIN
libexif-0.6.21.tar.bz2
View File

Binary file not shown.

17
libexif-0.6.21_CVE-2017-7544.patch
View File

@ -1,17 +0,0 @@
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..91f4c33 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
exif_mnote_data_set_offset (data->priv->md, *ds - 6);
exif_mnote_data_save (data->priv->md, &e->data, &e->size);
e->components = e->size;
+ if (exif_format_get_size (e->format) != 1) {
+ /* e->format is taken from input code,
+ * but we need to make sure it is a 1 byte
+ * entity due to the multiplication below. */
+ e->format = EXIF_FORMAT_UNDEFINED;
+ }
}
}

BIN
libexif-0_6_22-release.tar.gz Normal file
View File

Binary file not shown.

37
libexif-bugfix-division-0.patch
View File

@ -1,37 +0,0 @@
From d66dea055522290c1ef34e3ae914146cd52b5d8e Mon Sep 17 00:00:00 2001
From: songnannan2 <songnannan2@huawei.com>
Date: Sat, 15 Feb 2020 20:44:53 +0800
Subject: [PATCH] libexif: modification summary
---
libexif-0.6.21/libexif/exif-entry.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 54a90a2..436e8a7 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1085,7 +1085,7 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
break;
}
d = (double) v_rat.numerator / (double) v_rat.denominator;
- if (d < 1)
+ if (d < 1 && d)
snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
else
snprintf (val, maxlen, "%i", (int) d);
@@ -1102,8 +1102,9 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
}
d = (double) v_srat.numerator / (double) v_srat.denominator;
snprintf (val, maxlen, _("%.02f EV"), d);
- d = 1. / pow (2, d);
- if (d < 1)
+ if (pow (2, d))
+ d = 1. / pow (2, d);
+ if (d < 1 && d)
snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
else
snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
--
2.19.1

25
libexif-bugfix-integer-overflow.patch
View File

@ -1,25 +0,0 @@
From c7c4de72c04b5b795ce8df9c49648431bd22ee7e Mon Sep 17 00:00:00 2001
From: songnannan2 <songnannan2@huawei.com>
Date: Mon, 17 Feb 2020 15:41:28 +0800
Subject: [PATCH] bugfix in Integer overflow
---
libexif/exif-loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexif-0.6.21/libexif/exif-loader.c b/libexif-0.6.21/libexif/exif-loader.c
index 317b86b..e376465 100644
--- a/libexif/exif-loader.c
+++ b/libexif/exif-loader.c
@@ -239,7 +239,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
break;
case EL_READ_SIZE_BYTE_24:
- eld->size |= eld->b[i] << 24;
+ eld->size |= (unsigned int)eld->b[i] << 24;
eld->state = EL_READ_SIZE_BYTE_16;
break;
case EL_READ_SIZE_BYTE_16:
--
2.19.1

36
libexif-bugfix-overflow.patch
View File

@ -1,36 +0,0 @@
From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Wed, 4 Jul 2018 11:06:09 +0200
Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
the end of a heap buffer. This was detected by the OSS Fuzz project.
Patch from Google.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
---
libexif/exif-entry.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 61260d3..a224ac2 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
d = 0.;
entry = exif_content_get_entry (
e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
- if (entry && entry->data &&
+ if (entry && entry->data && entry->size >= 7 &&
!strncmp ((char *)entry->data, "Minolta", 7)) {
entry = exif_content_get_entry (
e->parent->parent->ifd[EXIF_IFD_0],
EXIF_TAG_MODEL);
- if (entry && entry->data) {
+ if (entry && entry->data && entry->size >= 8) {
if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
d = 3.9;
else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))

30
libexif-bugfix-unsigned-int.patch
View File

@ -1,30 +0,0 @@
From cf37dc7934bbb10dc5d0c17db260a25aa2831595 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sat, 18 Jan 2020 19:50:38 +0100
Subject: [PATCH] cast to unsigned int before shifting left
(weird integer promotion, a unsigned char will be first tried to be promoted to "int" apparently,
so we need to cast it to avoid implicit behaviour)
fixes https://github.com/libexif/libexif/issues/20
---
libexif/exif-utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
index 9083ddc..8a92907 100644
--- a/libexif/exif-utils.c
+++ b/libexif/exif-utils.c
@@ -132,9 +132,9 @@ exif_get_slong (const unsigned char *b, ExifByteOrder order)
if (!b) return 0;
switch (order) {
case EXIF_BYTE_ORDER_MOTOROLA:
- return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
+ return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
case EXIF_BYTE_ORDER_INTEL:
- return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
+ return (((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | (uint32_t)b[0]);
}
/* Won't be reached */

33
libexif.spec
View File

@ -1,21 +1,17 @@
Name: libexif
Summary: Library for extracting extra information from image files
Version: 0.6.21
Release: 20
Version: 0.6.22
Release: 1
License: LGPLv2+
URL: https://libexif.github.io/
Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
Patch0: 41bd04234b104312f54d25822f68738ba8d7133d.patch
Patch6000: libexif-0.6.21_CVE-2017-7544.patch
Patch6001: CVE-2018-20030.patch
Patch6003: libexif-bugfix-division-0.patch
Patch6004: libexif-bugfix-integer-overflow.patch
Patch6005: libexif-bugfix-unsigned-int.patch
Patch6006: libexif-bugfix-overflow.patch
Patch9001: libexif-bugfix-integer-overflow-pentax.patch
%global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
Source0: https://github.com/libexif/libexif/archive/libexif-%{tarball_version}-release.tar.gz
BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git
Patch0: CVE-2020-0198.patch
Patch9000: libexif-bugfix-integer-overflow-pentax.patch
BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig
%description
Most digital cameras produce EXIF files, which are JPEG files with
@ -25,6 +21,7 @@ allows you to parse an EXIF file and read the data from those tags.
%package devel
Summary: Files needed for libexif application development
Requires: %{name}%{?_isa} = %{version}-%{release} pkgconfig
Requires: pkgconfig
%description devel
The libexif-devel package contains the libraries and header files
@ -33,15 +30,18 @@ for writing programs that use libexif.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1 -S git
%autosetup -n libexif-libexif-%{tarball_version}-release -p1
%build
autoreconf -fiv
%configure
%configure --disable-static
%make_build
%install
%make_install
%delete_la
rm -rf %{buildroot}%{_datadir}/doc/libexif
cp -R doc/doxygen-output/libexif-api.html .
iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING
iconv -f latin1 -t utf-8 < README > README.utf8; cp README.utf8 README
@ -62,15 +62,16 @@ make check
%defattr(-,root,root)
%{_includedir}/libexif
%{_libdir}/*.so
%{_libdir}/*.a
%{_libdir}/pkgconfig/*.pc
%exclude %{_datadir}/doc/libexif
%files help
%defattr(-,root,root)
%doc libexif-api.html NEWS
%changelog
* Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.22-1
- update to 0.6.22
* Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 0.6.21-20
- bugfix in oss-fuzz