From 19862337ea7cef77b298b2bc30c73e04aa08ec76 Mon Sep 17 00:00:00 2001
From: linker
Date: Sat, 8 May 2021 16:46:12 +0800
Subject: [PATCH 1/3] fix cve-2021-29470

---
 CVE-2021-3482.patch | 57 +++++++++++++++++++++++++++++++++++
 backport-CVE-2021-29470.patch | 39 ++++++++++++++++++++++++
 exiv2.spec | 10 +++++-
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3482.patch
 create mode 100644 backport-CVE-2021-29470.patch

diff --git a/CVE-2021-3482.patch b/CVE-2021-3482.patch
new file mode 100644
index 0000000..1117ed6
--- /dev/null
+++ b/CVE-2021-3482.patch
@@ -0,0 +1,57 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index a81e68f..8e36276 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -345,7 +346,7 @@ namespace Exiv2
+ if (io_->error()) throw Error(14);
+ if (bufRead != rawData.size_) throw Error(20);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -484,6 +485,7 @@ namespace Exiv2
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if ( bPrint ) {
+ out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
+@@ -560,12 +562,13 @@ namespace Exiv2
+ if (bufRead != rawData.size_) throw Error(20);
+
+ if ( bPrint ){
+- out << Internal::binaryToString(rawData,40,0);
++ out << Internal::binaryToString(
++ rawData, rawData.size_>40?40:rawData.size_, 0);
+ out.flush();
+ }
+ lf(out,bLF);
+
+- if(bIsExif && bRecursive && rawData.size_ > 0)
++ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
+ {
+ if ( (rawData.pData_[0] == rawData.pData_[1])
+ && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
+--
+2.23.0
+
diff --git a/backport-CVE-2021-29470.patch b/backport-CVE-2021-29470.patch
new file mode 100644
index 0000000..bd4b8b2
--- /dev/null
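Review bot: The backported hunks rely on `enforce(...)` and the `Exiv2::kerCorruptedMetadata` enumerator, while the context lines around them still throw numeric codes (`throw Error(14)`, `throw Error(20)`), which is the 0.26 error style the new file is being applied to; whether `enforce.hpp` and that enumerator exist in this package's 0.26 tree (possibly supplied by one of the earlier backport patches declared in the spec) is not visible here and should be confirmed by a build before the patch is declared. The `io_->size()-io_->tell()` bound on `box.length` is only meaningful if `tell()` cannot exceed `size()` at that point, which the hunk does not show. The identical file is added again as backport-CVE-2021-3482.patch in the second commit of this series, so the same check applies there.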
+++ b/backport-CVE-2021-29470.patch
@@ -0,0 +1,39 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+
+---
+ src/jp2image.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 917d115..0825d99 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -626,15 +626,18 @@ namespace Exiv2
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.23.0
+
diff --git a/exiv2.spec b/exiv2.spec
index 3cf63c7..766cc06 100644
--- a/exiv2.spec
+++ b/exiv2.spec
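Review bot: In the check added inside the `while` loop, `length - count` is a `uint32_t` subtraction and the new code bounds `length` only from above (`length <= output.size_`); if the box header claims a `length` smaller than `count` (which starts at `sizeof(Jp2BoxHeader)`), the `|| !bWroteColor` loop condition still enters the loop, the wrapped difference passes the check, and `pSubBox` is formed beyond the declared box. A guard such as `enforce(sizeof(Jp2BoxHeader) <= length, Exiv2::kerCorruptedMetadata);` right after `length` is read, or `enforce(count <= length && sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);` in the loop, closes that case; how `count` is advanced is outside the hunk. Separately, both `static_cast(output.size_)` expressions appear with no template argument — if that is what the committed file contains rather than a rendering artifact, the patched source will not compile, and the intended form is presumably `static_cast<size_t>(output.size_)`.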
@@ -1,6 +1,6 @@
 Name: exiv2
 Version: 0.26
-Release: 23
+Release: 24
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -60,6 +60,8 @@ Patch6027: exiv2-CVE-2019-13111.patch
 Patch6028: CVE-2018-9145.patch
 Patch6029: backport-CVE-2021-29457.patch
 Patch6030: backport-CVE-2021-29458.patch
+Patch6031: CVE-2021-3482.patch
+Patch6032: backport-CVE-2021-29470
 
 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@@ -123,6 +125,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/
 
 %changelog
+* Sat May 08 2021 wangkerong - 0.26-24
+- Type:cves
+- ID:CVE-2021-29470 CVE-2021-3482
+- SUG:NA
+- DESC:fix CVE-2021-29470,CVE-2021-3482
+
 * Thu Apr 29 2021 wangkerong - 0.26-23
 - Type:cves
 - ID:CVE-2021-29457 CVE-2021-29458
--
Gitee

From 2099523088105bc937a1221300487d4750843ec9 Mon Sep 17 00:00:00 2001
From: linker
Date: Sat, 8 May 2021 17:03:37 +0800
Subject: [PATCH 2/3] fix cve-2021-29470

---
 backport-CVE-2021-3482.patch | 57 ++++++++++++++++++++++++++++++++++++
 exiv2.spec | 4 +--
 2 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2021-3482.patch

diff --git a/backport-CVE-2021-3482.patch b/backport-CVE-2021-3482.patch
new file mode 100644
index 0000000..1117ed6
--- /dev/null
+++ b/backport-CVE-2021-3482.patch
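Review bot: The new `Patch6031`/`Patch6032` declarations in the second hunk are only half of wiring a patch into the build: the `%prep` section is outside this hunk, and if this spec applies patches with explicit `%patch60NN -p1` lines rather than `%autosetup -p1`, the two new files are shipped in the SRPM but never applied to the source. It is worth confirming after the build that the resulting library actually contains the changed `Jp2Image` code, since the changelog entry in the third hunk claims both CVEs as fixed.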
@@ -0,0 +1,57 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index a81e68f..8e36276 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -345,7 +346,7 @@ namespace Exiv2
+ if (io_->error()) throw Error(14);
+ if (bufRead != rawData.size_) throw Error(20);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes array.
+ long pos = ( (rawData.pData_[0] == rawData.pData_[1])
+@@ -484,6 +485,7 @@ namespace Exiv2
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+
+ if ( bPrint ) {
+ out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
+@@ -560,12 +562,13 @@ namespace Exiv2
+ if (bufRead != rawData.size_) throw Error(20);
+
+ if ( bPrint ){
+- out << Internal::binaryToString(rawData,40,0);
++ out << Internal::binaryToString(
++ rawData, rawData.size_>40?40:rawData.size_, 0);
+ out.flush();
+ }
+ lf(out,bLF);
+
+- if(bIsExif && bRecursive && rawData.size_ > 0)
++ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
+ {
+ if ( (rawData.pData_[0] == rawData.pData_[1])
+ && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
+--
+2.23.0
+
diff --git a/exiv2.spec b/exiv2.spec
index 766cc06..610b7d7 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -60,8 +60,8 @@ Patch6027: exiv2-CVE-2019-13111.patch
 Patch6028: CVE-2018-9145.patch
 Patch6029: backport-CVE-2021-29457.patch
 Patch6030: backport-CVE-2021-29458.patch
-Patch6031: CVE-2021-3482.patch
-Patch6032: backport-CVE-2021-29470
+Patch6031: backport-CVE-2021-3482.patch
+Patch6032: backport-CVE-2021-29470.patch
 
 Provides: exiv2-libs
 Obsoletes: exiv2-libs
--
Gitee

From fadb38c7c14d78d430a4be7c9d5fa12a9c700ecc Mon Sep 17 00:00:00 2001
From: kerongw
Date: Sat, 8 May 2021 17:28:02 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20CVE-?=
 =?UTF-8?q?2021-3482.patch?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CVE-2021-3482.patch | 57 ---------------------------------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 CVE-2021-3482.patch

diff --git a/CVE-2021-3482.patch b/CVE-2021-3482.patch
deleted file mode 100644
index 1117ed6..0000000
--- a/CVE-2021-3482.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
-From: Robin Mills
-Date: Mon, 5 Apr 2021 20:33:25 +0100
-Subject: [PATCH] fix_1522_jp2image_exif_asan
-
----
- src/jp2image.cpp | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index a81e68f..8e36276 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
- #include "image.hpp"
- #include "image_int.hpp"
- #include "basicio.hpp"
-+#include "enforce.hpp"
- #include "error.hpp"
- #include "futils.hpp"
- #include "types.hpp"
-@@ -345,7 +346,7 @@ namespace Exiv2
- if (io_->error()) throw Error(14);
- if (bufRead != rawData.size_) throw Error(20);
-
-- if (rawData.size_ > 0)
-+ if (rawData.size_ > 8) // "II*\0long"
- {
- // Find the position of Exif header in bytes array.
- long pos = ( (rawData.pData_[0] == rawData.pData_[1])
-@@ -484,6 +485,7 @@ namespace Exiv2
- position = io_->tell();
- box.length = getLong((byte*)&box.length, bigEndian);
- box.type = getLong((byte*)&box.type, bigEndian);
-+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
-
- if ( bPrint ) {
- out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
-@@ -560,12 +562,13 @@ namespace Exiv2
- if (bufRead != rawData.size_) throw Error(20);
-
- if ( bPrint ){
-- out << Internal::binaryToString(rawData,40,0);
-+ out << Internal::binaryToString(
-+ rawData, rawData.size_>40?40:rawData.size_, 0);
- out.flush();
- }
- lf(out,bLF);
-
-- if(bIsExif && bRecursive && rawData.size_ > 0)
-+ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
- {
- if ( (rawData.pData_[0] == rawData.pData_[1])
- && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
---
-2.23.0
-
--
Gitee