From 4119376d66f2016dd60e5da6b36d90894b6a74f4 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 26 Oct 2017 22:58:28 +0200 Subject: gnu: exiv2: Add upstream security fixes. Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864. * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch, gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/image.scm (exiv2)[source]: Use them. --- .../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ++++++++++++++++++++++ gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 ++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14860.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch new file mode 100644 index 0000000000..69e65aeb6b --- /dev/null +++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch @@ -0,0 +1,66 @@ +Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864 + +Copied from upstream: + +https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607 + +From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Sat, 7 Oct 2017 23:08:36 +0200 +Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 + +The invalid memory dereference in +Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() +is caused further up the call-stack, by +v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() +passing an invalid pData pointer (pData points outside of the Tiff +file). pData can be set out of bounds in the (size > 4) branch where +baseOffset() and offset are added to pData_ without checking whether +the result is still in the file. As offset comes from an untrusted +source, an attacker can craft an arbitrarily large offset into the +file. + +This commit adds a check into the problematic branch, whether the +result of the addition would be out of bounds of the Tiff +file. Furthermore the whole operation is checked for possible +overflows. +--- + src/tiffvisitor.cpp | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp +index 4ab733d4..ef13542e 100644 +--- a/src/tiffvisitor.cpp ++++ b/src/tiffvisitor.cpp +@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$") + #include + #include + #include ++#include + + // ***************************************************************************** + namespace { +@@ -1517,7 +1518,19 @@ namespace Exiv2 { + size = 0; + } + if (size > 4) { ++ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, ++ // as offset can be arbitrarily large ++ if ((static_cast(baseOffset()) > std::numeric_limits::max() - static_cast(offset)) ++ || (static_cast(baseOffset() + offset) > std::numeric_limits::max() - reinterpret_cast(pData_))) ++ { ++ throw Error(59); ++ } ++ if (pData_ + static_cast(baseOffset()) + static_cast(offset) > pLast_) { ++ throw Error(58); ++ } + pData = const_cast(pData_) + baseOffset() + offset; ++ ++ // check for size being invalid + if (size > static_cast(pLast_ - pData)) { + #ifndef SUPPRESS_WARNINGS + EXV_ERROR << "Upper boundary of data for " diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch new file mode 100644 index 0000000000..43e6076b71 --- /dev/null +++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch @@ -0,0 +1,48 @@ +Fix CVE-2017-14860. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 +https://nvd.nist.gov/vuln/detail/CVE-2017-14860 + +Copied from upstream: + +https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce + +From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Fri, 6 Oct 2017 23:09:08 +0200 +Subject: [PATCH] Fix for CVE-2017-14860 + +A heap buffer overflow could occur in memcpy when icc.size_ is larger +than data.size_ - pad, as then memcpy would read out of bounds of data. + +This commit adds a sanity check to iccLength (= icc.size_): if it is +larger than data.size_ - pad (i.e. an overflow would be caused) an +exception is thrown. + +This fixes #71. +--- + src/jp2image.cpp | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 747145cf..748d39b5 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -269,10 +269,15 @@ namespace Exiv2 + std::cout << "Exiv2::Jp2Image::readMetadata: " + << "Color data found" << std::endl; + #endif +- long pad = 3 ; // 3 padding bytes 2 0 0 ++ const long pad = 3 ; // 3 padding bytes 2 0 0 + DataBuf data(subBox.length+8); + io_->read(data.pData_,data.size_); +- long iccLength = getULong(data.pData_+pad, bigEndian); ++ const long iccLength = getULong(data.pData_+pad, bigEndian); ++ // subtracting pad from data.size_ is safe: ++ // size_ is at least 8 and pad = 3 ++ if (iccLength > data.size_ - pad) { ++ throw Error(58); ++ } + DataBuf icc(iccLength); + ::memcpy(icc.pData_,data.pData_+pad,icc.size_); + #ifdef DEBUG -- cgit v1.2.3