libexif: Update to 0.6.22
libexif-0.6.22 (2020-05-18):
* New translations: ms
* Updated translations for most languages
* Fixed C89 compatibility
* Fixed warnings on recent versions of autoconf
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
* Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
* CVE-2018-20030: Fix for recursion DoS
* CVE-2020-13114: Time consumption DoS when parsing canon array markers
* CVE-2020-13113: Potential use of uninitialized memory
* CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
* CVE-2020-0093: read overflow
* CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
* CVE-2020-12767: fixed division by zero
* CVE-2016-6328: fixed integer overflow when parsing maker notes
* CVE-2017-7544: fixed buffer overread
This commit is contained in:
nia
parent
40e23f9c4c
commit
57ad100932
4 changed files with 15 additions and 102 deletions
|
|
@ -1,10 +1,11 @@
|
|||
# $NetBSD: Makefile,v 1.47 2020/03/25 11:47:23 nia Exp $
|
||||
# $NetBSD: Makefile,v 1.48 2020/05/19 11:20:00 nia Exp $
|
||||
|
||||
DISTNAME= libexif-0.6.21
|
||||
PKGREVISION= 2
|
||||
DISTNAME= libexif-0.6.22
|
||||
CATEGORIES= graphics
|
||||
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libexif/}
|
||||
EXTRACT_SUFX= .tar.bz2
|
||||
MASTER_SITES= ${MASTER_SITE_GITHUB:=libexif/}
|
||||
GITHUB_PROJECT= libexif
|
||||
GITHUB_RELEASE= ${DISTNAME:S/./_/g}-release
|
||||
EXTRACT_SUFX= .tar.xz
|
||||
|
||||
MAINTAINER= adam@NetBSD.org
|
||||
HOMEPAGE= https://libexif.github.io/
|
||||
|
|
@ -13,7 +14,7 @@ LICENSE= gnu-lgpl-v2.1
|
|||
|
||||
USE_LIBTOOL= yes
|
||||
USE_PKGLOCALEDIR= yes
|
||||
USE_TOOLS+= gmake
|
||||
USE_TOOLS+= gmake msgfmt msgmerge xgettext
|
||||
GNU_CONFIGURE= yes
|
||||
CONFIGURE_ENV+= ac_cv_path_DOXYGEN=false
|
||||
PKGCONFIG_OVERRIDE= libexif.pc.in
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
@comment $NetBSD: PLIST,v 1.21 2012/07/13 16:35:25 adam Exp $
|
||||
@comment $NetBSD: PLIST,v 1.22 2020/05/19 11:20:00 nia Exp $
|
||||
include/libexif/_stdint.h
|
||||
include/libexif/exif-byte-order.h
|
||||
include/libexif/exif-content.h
|
||||
|
|
@ -21,6 +21,7 @@ share/doc/libexif/COPYING
|
|||
share/doc/libexif/ChangeLog
|
||||
share/doc/libexif/NEWS
|
||||
share/doc/libexif/README
|
||||
share/doc/libexif/SECURITY.md
|
||||
share/locale/be/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/bs/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/cs/LC_MESSAGES/libexif-12.mo
|
||||
|
|
@ -33,6 +34,7 @@ share/locale/es/LC_MESSAGES/libexif-12.mo
|
|||
share/locale/fr/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/it/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/ja/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/ms/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/nl/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/pl/LC_MESSAGES/libexif-12.mo
|
||||
share/locale/pt/LC_MESSAGES/libexif-12.mo
|
||||
|
|
|
|||
|
|
@ -1,7 +1,6 @@
|
|||
$NetBSD: distinfo,v 1.31 2020/03/25 11:47:23 nia Exp $
|
||||
$NetBSD: distinfo,v 1.32 2020/05/19 11:20:00 nia Exp $
|
||||
|
||||
SHA1 (libexif-0.6.21.tar.bz2) = a52219b12dbc8d33fc096468591170fda71316c0
|
||||
RMD160 (libexif-0.6.21.tar.bz2) = 979f06096b7271d8713c1766e0ad5dfabb06c531
|
||||
SHA512 (libexif-0.6.21.tar.bz2) = 4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35
|
||||
Size (libexif-0.6.21.tar.bz2) = 1368435 bytes
|
||||
SHA1 (patch-libexif_exif-data.c) = 3518902f95665b53a62ba4e7fdc0b146fb4480dc
|
||||
SHA1 (libexif-0.6.22.tar.xz) = b396c562dbf44567ef796f324e7760b15e657523
|
||||
RMD160 (libexif-0.6.22.tar.xz) = e34ce907a658d4883894655bd11c6dff2b06cf9d
|
||||
SHA512 (libexif-0.6.22.tar.xz) = 0a9e7bf0258ed98a794b667d45e8fc65299101a2a2d2e39c358715b20b003beff258782f0736cd5b53978428a2f878a989f303bee249a978850a065f33c534af
|
||||
Size (libexif-0.6.22.tar.xz) = 1347040 bytes
|
||||
|
|
|
|||
|
|
@ -1,89 +0,0 @@
|
|||
$NetBSD: patch-libexif_exif-data.c,v 1.2 2020/03/25 11:47:23 nia Exp $
|
||||
|
||||
Fix for CVE-2017-7544:
|
||||
https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a.patch
|
||||
|
||||
Fix for CVE-2019-9278:
|
||||
https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
|
||||
|
||||
--- libexif/exif-data.c.orig 2012-07-12 18:31:56.000000000 +0000
|
||||
+++ libexif/exif-data.c
|
||||
@@ -191,9 +191,15 @@ exif_data_load_data_entry (ExifData *dat
|
||||
doff = offset + 8;
|
||||
|
||||
/* Sanity checks */
|
||||
- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
|
||||
+ if (doff >= size) {
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
- "Tag data past end of buffer (%u > %u)", doff+s, size);
|
||||
+ "Tag starts past end of buffer (%u > %u)", doff, size);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (s > size - doff) {
|
||||
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
+ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -255,6 +261,12 @@ exif_data_save_data_entry (ExifData *dat
|
||||
exif_mnote_data_set_offset (data->priv->md, *ds - 6);
|
||||
exif_mnote_data_save (data->priv->md, &e->data, &e->size);
|
||||
e->components = e->size;
|
||||
+ if (exif_format_get_size (e->format) != 1) {
|
||||
+ /* e->format is taken from input code,
|
||||
+ * but we need to make sure it is a 1 byte
|
||||
+ * entity due to the multiplication below. */
|
||||
+ e->format = EXIF_FORMAT_UNDEFINED;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -308,13 +320,14 @@ exif_data_load_data_thumbnail (ExifData
|
||||
unsigned int ds, ExifLong o, ExifLong s)
|
||||
{
|
||||
/* Sanity checks */
|
||||
- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
|
||||
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
- "Bogus thumbnail offset (%u) or size (%u).",
|
||||
- o, s);
|
||||
+ if (o >= ds) {
|
||||
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
|
||||
+ return;
|
||||
+ }
|
||||
+ if (s > ds - o) {
|
||||
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
|
||||
return;
|
||||
}
|
||||
-
|
||||
if (data->data)
|
||||
exif_mem_free (data->priv->mem, data->data);
|
||||
if (!(data->data = exif_data_alloc (data, s))) {
|
||||
@@ -903,7 +916,7 @@ exif_data_load_data (ExifData *data, con
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
"IFD 0 at %i.", (int) offset);
|
||||
|
||||
- /* Sanity check the offset, being careful about overflow */
|
||||
+ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
|
||||
if (offset > ds || offset + 6 + 2 > ds)
|
||||
return;
|
||||
|
||||
@@ -912,6 +925,7 @@ exif_data_load_data (ExifData *data, con
|
||||
|
||||
/* IFD 1 offset */
|
||||
n = exif_get_short (d + 6 + offset, data->priv->order);
|
||||
+ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
|
||||
if (offset + 6 + 2 + 12 * n + 4 > ds)
|
||||
return;
|
||||
|
||||
@@ -920,8 +934,8 @@ exif_data_load_data (ExifData *data, con
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
|
||||
"IFD 1 at %i.", (int) offset);
|
||||
|
||||
- /* Sanity check. */
|
||||
- if (offset > ds || offset + 6 > ds) {
|
||||
+ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
|
||||
+ if (offset > ds - 6) {
|
||||
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
|
||||
"ExifData", "Bogus offset of IFD1.");
|
||||
} else {
|
||||
Loading…
Reference in a new issue