diff --git a/CVE-2020-0198.patch b/CVE-2020-0198.patch
deleted file mode 100644
index e0358c2..0000000
--- a/CVE-2020-0198.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
-From: Marcus Meissner
-Date: Mon, 8 Jun 2020 17:27:06 +0200
-Subject: [PATCH] fixed another unsigned integer overflow
-
-first fixed by google in android fork,
-https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
-
-(use a more generic overflow check method, also check second overflow instance.)
-
-https://security-tracker.debian.org/tracker/CVE-2020-0198
----
- libexif/exif-data.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index 8b280d3..b495726 100644
---- a/libexif/exif-data.c
-+++ b/libexif/exif-data.c
-@@ -47,6 +47,8 @@
- #undef JPEG_MARKER_APP1
- #define JPEG_MARKER_APP1 0xe1
-
-+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
-+
- static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
-
- struct _ExifDataPrivate
-@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
- return;
- }
-- if (s > ds - o) {
-+ if (CHECKOVERFLOW(o,ds,s)) {
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
- return;
- }
-@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
- }
-
- /* Read the number of entries */
-- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
-+ if (CHECKOVERFLOW(offset, ds, 2)) {
- exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
-- "Tag data past end of buffer (%u > %u)", offset+2, ds);
-+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
- return;
- }
- n = exif_get_short (d + offset, data->priv->order);
-@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
- offset += 2;
-
- /* Check if we have enough data. */
-- if (offset + 12 * n > ds) {
-+ if (CHECKOVERFLOW(offset, ds, 12*n)) {
- n = (ds - offset) / 12;
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Short data; only loading %hu entries...", n);
diff --git a/backport-fuzz-stack-overflow.patch b/backport-fuzz-stack-overflow.patch
deleted file mode 100644
index 0b470c5..0000000
--- a/backport-fuzz-stack-overflow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
-From: Marcus Meissner
-Date: Mon, 6 Sep 2021 08:42:56 +0200
-Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
- does not translate it into a tail recursion it could be used to cause stack
- overruns (oss-fuzz)
-
----
- libexif/exif-loader.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
-index e376465..5c48faf 100644
---- a/libexif/exif-loader.c
-+++ b/libexif/exif-loader.c
-@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
- {
- unsigned int i;
-
-+begin:
- if (!eld || (len && !buf))
- return 0;
-
-@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
- * to read all data we need. Fill it with new data.
- */
- eld->b_len = 0;
-- return exif_loader_write (eld, buf, len);
-+ goto begin;
- }
-
- ExifLoader *
---
-2.27.0
diff --git a/backport-fuzz-timeout-and-out-of-memory.patch b/backport-fuzz-timeout-and-out-of-memory.patch
deleted file mode 100644
index 7c9d976..0000000
--- a/backport-fuzz-timeout-and-out-of-memory.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
-From: Marcus Meissner
-Date: Sat, 30 Jan 2021 14:06:08 +0100
-Subject: [PATCH] limit the amount of tags we allow in the makernote here.
-
-due to memory layout the max amount of 65536 tags could be used
-to exhaust lots of memory and time during parsing,
-as each tag can reuse the same memory range.
-
-(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
-
-This fixes OSS-FUZZ issue 27280.
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
----
- libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
-index 45e4bc5..0c68d51 100644
---- a/libexif/olympus/exif-mnote-data-olympus.c
-+++ b/libexif/olympus/exif-mnote-data-olympus.c
-@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
- c = exif_get_short (buf + o2, n->order);
- o2 += 2;
-
-+ /* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
-+ * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
-+ if (c > 300) {
-+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
-+ return;
-+ }
-+
- /* Remove any old entries */
- exif_mnote_data_olympus_clear (n);
-
---
-2.27.0
diff --git a/libexif-0_6_22-release.tar.gz b/libexif-0_6_22-release.tar.gz
deleted file mode 100644
index 77c8215..0000000
Binary files a/libexif-0_6_22-release.tar.gz and /dev/null differ
diff --git a/libexif-0_6_24-release.tar.gz b/libexif-0_6_24-release.tar.gz
new file mode 100644
index 0000000..6333633
Binary files /dev/null and b/libexif-0_6_24-release.tar.gz differ
diff --git a/libexif-bugfix-integer-overflow-pentax.patch b/libexif-bugfix-integer-overflow-pentax.patch
deleted file mode 100644
index 9139d37..0000000
--- a/libexif-bugfix-integer-overflow-pentax.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
-From: songnannan2
-Date: Tue, 18 Feb 2020 23:00:27 +0800
-Subject: [PATCH] bugfix about can not be represented in type int
-
----
- libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
-index dcb1560..691a2bd 100644
---- a/libexif/pentax/mnote-pentax-entry.c
-+++ b/libexif/pentax/mnote-pentax-entry.c
-@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
- CC2 (entry->components, 1, 2, val, maxlen);
- vs = exif_get_short (entry->data, entry->order);
-- vs2 = exif_get_short (entry->data+2, entry->order) << 16;
-+ vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
-
- /* search the tag */
- for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
---
-2.19.1
-
diff --git a/libexif.spec b/libexif.spec
index 3dd9e6a..3b49475 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -1,17 +1,12 @@
 Name: libexif
 Summary: Library for extracting extra information from image files
-Version: 0.6.22
-Release: 3
+Version: 0.6.24
+Release: 1
 License: LGPLv2+
 URL: https://libexif.github.io/
 Source0: https://github.com/libexif/libexif/archive/libexif-%(echo %{version} | sed "s/\./_/g")-release.tar.gz
-Patch0: CVE-2020-0198.patch
-Patch6000: backport-fuzz-stack-overflow.patch
-Patch6001: backport-fuzz-timeout-and-out-of-memory.patch
-Patch9000: libexif-bugfix-integer-overflow-pentax.patch
-
 BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig
 %description
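Review bot: The four Patch lines removed in this hunk drop security backports whose upstream commit ids are visible in the deleted files (ce03ad7e…, 49a74b37…, e93be918…, 9474cc8a…), yet neither the spec nor the changelog entry in the last hunk states that the 0.6.24 tarball contains each of those fixes. Two of the backports carry 2021 dates and the pentax cast fix by songnannan2 cites no upstream reference at all, so unless every one was checked against the 0.6.24 sources the rebuild may silently regress a bounds or overflow check. I would record the verification in the changelog, e.g. `- update to 0.6.24, which includes the fixes previously carried as Patch0/Patch6000/Patch6001/Patch9000`, and keep any patch whose change is not present upstream.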
@@ -31,7 +26,7 @@ for writing programs that use libexif.
 %package_help
 %prep
-%autosetup -n libexif-libexif-0_6_22-release -p1
+%autosetup -n libexif-libexif-0_6_24-release -p1
 %build
 autoreconf -fiv
@@ -70,6 +65,9 @@ make check
 %doc libexif-api.html NEWS
 %changelog
+* Fri Aug 18 2023 wangqia - 0.6.24-1
+- update to 0.6.24
+
 * Tue Oct 18 2022 wangkerong - 0.6.21-3
 - fix fuzz test error