aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-03-15 14:49:24 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-03-15 14:49:32 -0300
commit3e8ab963c14f906a03b0638a994acc710657355b (patch)
treeaf138334432337552cdb57122f965394e661885f
parentd70fe88da4bfe7c607cb04bb3925bd0e31e9f953 (diff)
downloadaports-3e8ab963c14f906a03b0638a994acc710657355b.tar.gz
aports-3e8ab963c14f906a03b0638a994acc710657355b.tar.bz2
aports-3e8ab963c14f906a03b0638a994acc710657355b.tar.xz
main/exiv2: fix CVE-2019-20421
See #11191
-rw-r--r--main/exiv2/APKBUILD8
-rw-r--r--main/exiv2/CVE-2019-20421.patch117
2 files changed, 123 insertions, 2 deletions
diff --git a/main/exiv2/APKBUILD b/main/exiv2/APKBUILD
index 75168bcdf4..18f34a6c32 100644
--- a/main/exiv2/APKBUILD
+++ b/main/exiv2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=exiv2
pkgver=0.27.2
-pkgrel=5
+pkgrel=6
pkgdesc="Exif and Iptc metadata manipulation library and tools."
url="https://exiv2.org"
arch="all"
@@ -12,10 +12,13 @@ makedepends="$depends_dev cmake"
subpackages="$pkgname-dev $pkgname-doc"
source="https://exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
CVE-2019-17402.patch
+ CVE-2019-20421.patch
"
builddir="$srcdir"/$pkgname-$pkgver-Source
# secfixes:
+# 0.27.2-r6:
+# - CVE-2019-20421
# 0.27.2-r2:
# - CVE-2019-17402
# 0.27.2-r0:
@@ -45,4 +48,5 @@ package() {
}
sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721 exiv2-0.27.2-Source.tar.gz
-da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch"
+da58d6cf6409304465c16a6c73af3731a75c59c0f3e16d740edd3f46308d3ba8ed8b5fc0473920b67b2aeb2b4bb66574aee4b0f57585d127f6e6a3f62b5c0766 CVE-2019-17402.patch
+b2b881e47e4cad8b04492f7475400af9f28fa8f9dfb1e96d4d0d8caa6a469e76aafc056023254446e1026be8270f1b094b5195fe44f18c87283f6c6d808c37ee CVE-2019-20421.patch"
diff --git a/main/exiv2/CVE-2019-20421.patch b/main/exiv2/CVE-2019-20421.patch
new file mode 100644
index 0000000000..76b88a1a75
--- /dev/null
+++ b/main/exiv2/CVE-2019-20421.patch
@@ -0,0 +1,117 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+---
+ src/jp2image.cpp | 25 +++++++++++++++----
+ tests/bugfixes/github/test_CVE_2017_17725.py | 4 +--
+ tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+ * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+ */
+
+-/*
+- File: jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+ return result;
+ }
+
++static void boxes_check(size_t b,size_t m)
++{
++ if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++ throw Error(kerCorruptedMetadata);
++ }
++}
++
+ void Jp2Image::readMetadata()
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+ Jp2BoxHeader subBox = {0,0};
+ Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
+ Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++ size_t boxes = 0 ;
++ size_t boxem = 1000 ; // boxes max
+
+ while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+ {
++ boxes_check(boxes++,boxem );
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+
+ while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+ {
++ boxes_check(boxes++, boxem) ;
+ subBox.length = getLong((byte*)&subBox.length, bigEndian);
+ subBox.type = getLong((byte*)&subBox.type, bigEndian);
++ if (subBox.length > io_->size() ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Exiv2::Jp2Image::readMetadata: "
+ << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+ }
+
+ io_->seek(restore,BasicIo::beg);
+- io_->seek(subBox.length, Exiv2::BasicIo::cur);
++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ restore = io_->tell();
+ }
+ break;
+
+diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
+index 1127b9806..670a75d8d 100644
+--- a/tests/bugfixes/github/test_CVE_2017_17725.py
++++ b/tests/bugfixes/github/test_CVE_2017_17725.py
+@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
+ filename = "$data_path/poc_2017-12-12_issue188"
+ commands = ["$exiv2 " + filename]
+ stdout = [""]
+- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
+-$addition_overflow_message
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
+ """]
+ retval = [1]
+diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
+new file mode 100644
+index 000000000..415861188
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_1011.py
+@@ -0,0 +1,13 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, path
++
++class Test_issue_1011(metaclass=CaseMeta):
++
++ filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
++ commands = ["$exiv2 " + filename]
++ stdout = [""]
++ stderr = ["""$exiv2_exception_message """ + filename + """:
++$kerCorruptedMetadata
++"""]
++ retval = [1]
+\ No newline at end of file