NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/exiv2: fix CVE-2019-17402

Browse Source 
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2020-02-29 22:32:03 +01:00 committed by Yann E. MORIN
parent ffb50125b0
commit d383b46ac1
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch Normal file
View File

@ -0,0 +1,32 @@
From b7890776c62398ca1005e8edc32786859d60fcf7 Mon Sep 17 00:00:00 2001
From: Jens Georg <mail@jensge.org>
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH] crwimage: Check offset and size against total size
Corrupted or specially crafted CRW images might exceed the overall
buffersize.
Fixes #1019
(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
[Retrieved (and slightly updated to keep only the fix) from:
https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/crwimage_int.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 29311fdb7..c0d955350 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -268,6 +268,9 @@ namespace Exiv2 {
#ifdef EXIV2_DEBUG_MESSAGES
std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
#endif
+ if (this->offset() + this->size() > size)
+ throw Error(kerOffsetOutOfRange);
+
readDirectory(pData + offset(), this->size(), byteOrder);
#ifdef EXIV2_DEBUG_MESSAGES
std::cout << "<---- 0x" << std::hex << tag() << "\n";

3
package/exiv2/exiv2.mk
View File

@ -10,6 +10,9 @@ EXIV2_INSTALL_STAGING = YES
EXIV2_LICENSE = GPL-2.0+, BSD-3-Clause
EXIV2_LICENSE_FILES = COPYING COPYING-CMAKE-SCRIPTS
# 0001-crwimage-Check-offset-and-size-against-total-size.patch
EXIV2_IGNORE_CVES += CVE-2019-17402
EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
# The following CMake variable disables a TRY_RUN call in the -pthread