update to 0.6.24

2023-08-18 10:14:42 +08:00 · 2023-08-18 10:14:42 +08:00 · 58c20521bc
commit 58c20521bc
parent ea2ec8e883
7 changed files with 6 additions and 163 deletions
--- a/CVE-2020-0198.patch
+++ b/CVE-2020-0198.patch
@ -1,58 +0,0 @@
-From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Mon, 8 Jun 2020 17:27:06 +0200
-Subject: [PATCH] fixed another unsigned integer overflow
-
-first fixed by google in android fork,
-https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
-
-(use a more generic overflow check method, also check second overflow instance.)
-
-https://security-tracker.debian.org/tracker/CVE-2020-0198
---
- libexif/exif-data.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index 8b280d3..b495726 100644
--- a/libexif/exif-data.c
-+++ b/libexif/exif-data.c
-@@ -47,6 +47,8 @@
- #undef JPEG_MARKER_APP1
- #define JPEG_MARKER_APP1 0xe1
- 
-+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
-+
- static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
- 
- struct _ExifDataPrivate
-@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
- 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
- 		return;
- 	}
-	if (s > ds - o) {
-+	if (CHECKOVERFLOW(o,ds,s)) {
- 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
- 		return;
- 	}
-@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
- 	}
- 
- 	/* Read the number of entries */
-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
-+	if (CHECKOVERFLOW(offset, ds, 2)) {
- 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
-+			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
- 		return;
- 	}
- 	n = exif_get_short (d + offset, data->priv->order);
-@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
- 	offset += 2;
- 
- 	/* Check if we have enough data. */
-	if (offset + 12 * n > ds) {
-+	if (CHECKOVERFLOW(offset, ds, 12*n)) {
- 		n = (ds - offset) / 12;
- 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- 				  "Short data; only loading %hu entries...", n);
--- a/backport-fuzz-stack-overflow.patch
+++ b/backport-fuzz-stack-overflow.patch
@ -1,34 +0,0 @@
-From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Mon, 6 Sep 2021 08:42:56 +0200
-Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
- does not translate it into a tail recursion it could be used to cause stack
- overruns (oss-fuzz)
-
---
- libexif/exif-loader.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
-index e376465..5c48faf 100644
--- a/libexif/exif-loader.c
-+++ b/libexif/exif-loader.c
-@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
- {
- 	unsigned int i;
- 
-+begin:
- 	if (!eld || (len && !buf)) 
- 		return 0;
- 
-@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
- 	 * to read all data we need. Fill it with new data.
- 	 */
- 	eld->b_len = 0;
-	return exif_loader_write (eld, buf, len);
-+	goto begin;
- }
- 
- ExifLoader *
-- 
-2.27.0
--- a/backport-fuzz-timeout-and-out-of-memory.patch
+++ b/backport-fuzz-timeout-and-out-of-memory.patch
@ -1,38 +0,0 @@
-From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Sat, 30 Jan 2021 14:06:08 +0100
-Subject: [PATCH] limit the amount of tags we allow in the makernote here.
-
-due to memory layout the max amount of 65536 tags could be used
-to exhaust lots of memory and time during parsing,
-as each tag can reuse the same memory range.
-
-(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
-
-This fixes OSS-FUZZ issue 27280.
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
---
- libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
-index 45e4bc5..0c68d51 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
-+++ b/libexif/olympus/exif-mnote-data-olympus.c
-@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
- 	c = exif_get_short (buf + o2, n->order);
- 	o2 += 2;
- 
-+	/* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
-+	 * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
-+	if (c > 300) {
-+		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
-+		return;
-+	}
-+
- 	/* Remove any old entries */
- 	exif_mnote_data_olympus_clear (n);
- 
-- 
-2.27.0
--- a/libexif-0_6_22-release.tar.gz
+++ b/libexif-0_6_22-release.tar.gz
--- a/libexif-0_6_24-release.tar.gz
+++ b/libexif-0_6_24-release.tar.gz
--- a/libexif-bugfix-integer-overflow-pentax.patch
+++ b/libexif-bugfix-integer-overflow-pentax.patch
@ -1,25 +0,0 @@
-From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
-From: songnannan2 <songnannan2@huawei.com>
-Date: Tue, 18 Feb 2020 23:00:27 +0800
-Subject: [PATCH] bugfix about can not be represented in type int
-
---
- libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
-index dcb1560..691a2bd 100644
--- a/libexif/pentax/mnote-pentax-entry.c
-+++ b/libexif/pentax/mnote-pentax-entry.c
-@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- 			CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
- 			CC2 (entry->components, 1, 2, val, maxlen);
- 			vs = exif_get_short (entry->data, entry->order);
-			vs2 = exif_get_short (entry->data+2, entry->order) << 16;
-+			vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
- 
- 			/* search the tag */
- 			for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
-- 
-2.19.1
-
--- a/libexif.spec
+++ b/libexif.spec
@ -1,17 +1,12 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
-Version:        0.6.22
-Release:        3
+Version:        0.6.24
+Release:        1
 License:        LGPLv2+
 URL:            https://libexif.github.io/

 Source0:        https://github.com/libexif/libexif/archive/libexif-%(echo %{version} | sed "s/\./_/g")-release.tar.gz

-Patch0:         CVE-2020-0198.patch
-Patch6000:	backport-fuzz-stack-overflow.patch
-Patch6001:	backport-fuzz-timeout-and-out-of-memory.patch
-Patch9000:	libexif-bugfix-integer-overflow-pentax.patch
-
 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig

 %description
@ -31,7 +26,7 @@ for writing programs that use libexif.
 %package_help

 %prep
-%autosetup -n libexif-libexif-0_6_22-release -p1 
+%autosetup -n libexif-libexif-0_6_24-release -p1 

 %build
 autoreconf -fiv
@ -70,6 +65,9 @@ make check
 %doc libexif-api.html NEWS

 %changelog
+* Fri Aug 18 2023 wangqia <wangqia@uniontech.com> - 0.6.24-1
+- update to 0.6.24
+
 * Tue Oct 18 2022 wangkerong <wangkerong@h-partners.com> - 0.6.21-3
 - fix fuzz test error