pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/graphics/libexif



Module Name:    pkgsrc
Committed By:   nia
Date:           Wed Mar 25 11:47:23 UTC 2020

Modified Files:
        pkgsrc/graphics/libexif: Makefile distinfo
        pkgsrc/graphics/libexif/patches: patch-libexif_exif-data.c

Log Message:
libexif: Apply upstream's fix for CVE-2019-9278


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 pkgsrc/graphics/libexif/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/graphics/libexif/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/libexif/Makefile
diff -u pkgsrc/graphics/libexif/Makefile:1.46 pkgsrc/graphics/libexif/Makefile:1.47
--- pkgsrc/graphics/libexif/Makefile:1.46       Thu Feb 20 15:36:17 2020
+++ pkgsrc/graphics/libexif/Makefile    Wed Mar 25 11:47:23 2020
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2020/02/20 15:36:17 nia Exp $
+# $NetBSD: Makefile,v 1.47 2020/03/25 11:47:23 nia Exp $
 
 DISTNAME=      libexif-0.6.21
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=libexif/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/graphics/libexif/distinfo
diff -u pkgsrc/graphics/libexif/distinfo:1.30 pkgsrc/graphics/libexif/distinfo:1.31
--- pkgsrc/graphics/libexif/distinfo:1.30       Sat Oct 13 10:17:30 2018
+++ pkgsrc/graphics/libexif/distinfo    Wed Mar 25 11:47:23 2020
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.30 2018/10/13 10:17:30 leot Exp $
+$NetBSD: distinfo,v 1.31 2020/03/25 11:47:23 nia Exp $
 
 SHA1 (libexif-0.6.21.tar.bz2) = a52219b12dbc8d33fc096468591170fda71316c0
 RMD160 (libexif-0.6.21.tar.bz2) = 979f06096b7271d8713c1766e0ad5dfabb06c531
 SHA512 (libexif-0.6.21.tar.bz2) = 4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35
 Size (libexif-0.6.21.tar.bz2) = 1368435 bytes
-SHA1 (patch-libexif_exif-data.c) = 50934bfb6686d411f0277d6e0868596347f5b5a5
+SHA1 (patch-libexif_exif-data.c) = 3518902f95665b53a62ba4e7fdc0b146fb4480dc

Index: pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c
diff -u pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c:1.1 pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c:1.2
--- pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c:1.1       Sat Oct 13 10:17:30 2018
+++ pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c   Wed Mar 25 11:47:23 2020
@@ -1,20 +1,32 @@
-$NetBSD: patch-libexif_exif-data.c,v 1.1 2018/10/13 10:17:30 leot Exp $
+$NetBSD: patch-libexif_exif-data.c,v 1.2 2020/03/25 11:47:23 nia Exp $
 
-Backport patch to fix CVE-2017-7544 from upstream commit id
-c39acd1692023b26290778a02a9232c873f9d71a:
+Fix for CVE-2017-7544:
+https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a.patch
 
- <https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a>
-
-On saving makernotes, make sure the makernote container tags has a type with 1
-byte components.
-
-Fixes (at least):
- https://sourceforge.net/p/libexif/bugs/130
- https://sourceforge.net/p/libexif/bugs/129
+Fix for CVE-2019-9278:
+https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
 
 --- libexif/exif-data.c.orig   2012-07-12 18:31:56.000000000 +0000
 +++ libexif/exif-data.c
-@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+@@ -191,9 +191,15 @@ exif_data_load_data_entry (ExifData *dat
+               doff = offset + 8;
+ 
+       /* Sanity checks */
+-      if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++      if (doff >= size) {
+               exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-                                "Tag data past end of buffer (%u > %u)", doff+s, size);       
++                                "Tag starts past end of buffer (%u > %u)", doff, size);
++              return 0;
++      }
++
++      if (s > size - doff) {
++              exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++                                "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+               return 0;
+       }
+ 
+@@ -255,6 +261,12 @@ exif_data_save_data_entry (ExifData *dat
                        exif_mnote_data_set_offset (data->priv->md, *ds - 6);
                        exif_mnote_data_save (data->priv->md, &e->data, &e->size);
                        e->components = e->size;
@@ -27,3 +39,51 @@ Fixes (at least):
                }
        }
  
+@@ -308,13 +320,14 @@ exif_data_load_data_thumbnail (ExifData 
+                              unsigned int ds, ExifLong o, ExifLong s)
+ {
+       /* Sanity checks */
+-      if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+-              exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-                        "Bogus thumbnail offset (%u) or size (%u).",
+-                        o, s);
++      if (o >= ds) {
++              exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++              return;
++      }
++      if (s > ds - o) {
++              exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+               return;
+       }
+-
+       if (data->data) 
+               exif_mem_free (data->priv->mem, data->data);
+       if (!(data->data = exif_data_alloc (data, s))) {
+@@ -903,7 +916,7 @@ exif_data_load_data (ExifData *data, con
+       exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
+                 "IFD 0 at %i.", (int) offset);
+ 
+-      /* Sanity check the offset, being careful about overflow */
++      /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+       if (offset > ds || offset + 6 + 2 > ds)
+               return;
+ 
+@@ -912,6 +925,7 @@ exif_data_load_data (ExifData *data, con
+ 
+       /* IFD 1 offset */
+       n = exif_get_short (d + 6 + offset, data->priv->order);
++      /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+       if (offset + 6 + 2 + 12 * n + 4 > ds)
+               return;
+ 
+@@ -920,8 +934,8 @@ exif_data_load_data (ExifData *data, con
+               exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+                         "IFD 1 at %i.", (int) offset);
+ 
+-              /* Sanity check. */
+-              if (offset > ds || offset + 6 > ds) {
++              /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++              if (offset > ds - 6) {
+                       exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+                                 "ExifData", "Bogus offset of IFD1.");
+               } else {



Home | Main Index | Thread Index | Old Index