NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
817d553018
kumquat-buildroot/package/libexif/0002-On-saving-makernotes-make-sure-the-makernote-contain.patch
Peter Korsgaard 81a4940d25 package/libexif: add post-0.6.21 upstream security fixes 
Fixes the following security issues:

- CVE-2016-6328: A vulnerability was found in libexif.  An integer overflow
  when parsing the MNOTE entry data of the input file.  This can cause
  Denial-of-Service (DoS) and Information Disclosure (disclosing some
  critical heap chunk metadata, even other applications' private data).

- CVE-2017-7544: libexif through 0.6.21 is vulnerable to out-of-bounds heap
  read vulnerability in exif_data_save_data_entry function in
  libexif/exif-data.c caused by improper length computation of the allocated
  data of an ExifMnote entry which can cause denial-of-service or possibly
  information disclosure.

- CVE-2018-20030: An error when processing the EXIF_IFD_INTEROPERABILITY and
  EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to
  exhaust available CPU resources.

- CVE-2019-9278: In libexif, there is a possible out of bounds write due to
  an integer overflow.  This could lead to remote escalation of privilege in
  the media content provider with no additional execution privileges needed.
  User interaction is needed for exploitation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-09 12:33:05 +01:00

42 lines
1.4 KiB
Diff
Raw Blame History

From c39acd1692023b26290778a02a9232c873f9d71a Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:38:56 +0200
Subject: [PATCH] On saving makernotes, make sure the makernote container tags
has a type with 1 byte components.
Fixes (at least):
https://sourceforge.net/p/libexif/bugs/130
https://sourceforge.net/p/libexif/bugs/129
CVE-2017-7544: libexif through 0.6.21 is vulnerable to out-of-bounds heap
read vulnerability in exif_data_save_data_entry function in
libexif/exif-data.c caused by improper length computation of the allocated
data of an ExifMnote entry which can cause denial-of-service or possibly
information disclosure.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
libexif/exif-data.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..91f4c33 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
exif_mnote_data_set_offset (data->priv->md, *ds - 6);
exif_mnote_data_save (data->priv->md, &e->data, &e->size);
e->components = e->size;
+ if (exif_format_get_size (e->format) != 1) {
+ /* e->format is taken from input code,
+ * but we need to make sure it is a 1 byte
+ * entity due to the multiplication below. */
+ e->format = EXIF_FORMAT_UNDEFINED;
+ }
}
}
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink