* [bug#29019] [PATCH] gnu: exiv2: Add upstream security fixes.
@ 2017-10-26 21:45 Marius Bakke
2017-10-26 22:42 ` Ludovic Courtès
0 siblings, 1 reply; 2+ messages in thread
From: Marius Bakke @ 2017-10-26 21:45 UTC (permalink / raw)
To: 29019
Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864.
* gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch,
gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/image.scm (exiv2)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/image.scm | 2 +
.../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ++++++++++++++++++++++
gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 ++++++++++++++++
4 files changed, 118 insertions(+)
create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14860.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f318bcd49..cd683361d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -605,6 +605,8 @@ dist_patch_DATA = \
%D%/packages/patches/eudev-rules-directory.patch \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
%D%/packages/patches/exim-CVE-2017-1000369.patch \
+ %D%/packages/patches/exiv2-CVE-2017-14860.patch \
+ %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \
%D%/packages/patches/fastcap-mulGlobal.patch \
%D%/packages/patches/fastcap-mulSetup.patch \
%D%/packages/patches/fasthenry-spAllocate.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index b53247de8..df8ac67e4 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -866,6 +866,8 @@ channels.")
version ".tar.gz")
(string-append "https://fossies.org/linux/misc/exiv2-"
version ".tar.gz")))
+ (patches (search-patches "exiv2-CVE-2017-14860.patch"
+ "exiv2-CVE-2017-14859-14862-14864.patch"))
(sha256
(base32
"1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
new file mode 100644
index 000000000..69e65aeb6
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
+
+From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Sat, 7 Oct 2017 23:08:36 +0200
+Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
+
+The invalid memory dereference in
+Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
+is caused further up the call-stack, by
+v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
+passing an invalid pData pointer (pData points outside of the Tiff
+file). pData can be set out of bounds in the (size > 4) branch where
+baseOffset() and offset are added to pData_ without checking whether
+the result is still in the file. As offset comes from an untrusted
+source, an attacker can craft an arbitrarily large offset into the
+file.
+
+This commit adds a check into the problematic branch, whether the
+result of the addition would be out of bounds of the Tiff
+file. Furthermore the whole operation is checked for possible
+overflows.
+---
+ src/tiffvisitor.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
+index 4ab733d4..ef13542e 100644
+--- a/src/tiffvisitor.cpp
++++ b/src/tiffvisitor.cpp
+@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include <iostream>
+ #include <iomanip>
+ #include <cassert>
++#include <limits>
+
+ // *****************************************************************************
+ namespace {
+@@ -1517,7 +1518,19 @@ namespace Exiv2 {
+ size = 0;
+ }
+ if (size > 4) {
++ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
++ // as offset can be arbitrarily large
++ if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
++ || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
++ {
++ throw Error(59);
++ }
++ if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
++ throw Error(58);
++ }
+ pData = const_cast<byte*>(pData_) + baseOffset() + offset;
++
++ // check for size being invalid
+ if (size > static_cast<uint32_t>(pLast_ - pData)) {
+ #ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Upper boundary of data for "
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
new file mode 100644
index 000000000..43e6076b7
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-14860.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
+https://nvd.nist.gov/vuln/detail/CVE-2017-14860
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
+
+From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Fri, 6 Oct 2017 23:09:08 +0200
+Subject: [PATCH] Fix for CVE-2017-14860
+
+A heap buffer overflow could occur in memcpy when icc.size_ is larger
+than data.size_ - pad, as then memcpy would read out of bounds of data.
+
+This commit adds a sanity check to iccLength (= icc.size_): if it is
+larger than data.size_ - pad (i.e. an overflow would be caused) an
+exception is thrown.
+
+This fixes #71.
+---
+ src/jp2image.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 747145cf..748d39b5 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -269,10 +269,15 @@ namespace Exiv2
+ std::cout << "Exiv2::Jp2Image::readMetadata: "
+ << "Color data found" << std::endl;
+ #endif
+- long pad = 3 ; // 3 padding bytes 2 0 0
++ const long pad = 3 ; // 3 padding bytes 2 0 0
+ DataBuf data(subBox.length+8);
+ io_->read(data.pData_,data.size_);
+- long iccLength = getULong(data.pData_+pad, bigEndian);
++ const long iccLength = getULong(data.pData_+pad, bigEndian);
++ // subtracting pad from data.size_ is safe:
++ // size_ is at least 8 and pad = 3
++ if (iccLength > data.size_ - pad) {
++ throw Error(58);
++ }
+ DataBuf icc(iccLength);
+ ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
+ #ifdef DEBUG
--
2.14.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [bug#29019] [PATCH] gnu: exiv2: Add upstream security fixes.
2017-10-26 21:45 [bug#29019] [PATCH] gnu: exiv2: Add upstream security fixes Marius Bakke
@ 2017-10-26 22:42 ` Ludovic Courtès
0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2017-10-26 22:42 UTC (permalink / raw)
To: Marius Bakke; +Cc: 29019
Marius Bakke <mbakke@fastmail.com> skribis:
> Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864.
>
> * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch,
> gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.
> * gnu/packages/image.scm (exiv2)[source]: Use them.
Looks reasonable to me, thank you!
Ludo’.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-10-26 22:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-26 21:45 [bug#29019] [PATCH] gnu: exiv2: Add upstream security fixes Marius Bakke
2017-10-26 22:42 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).