svn commit: r526071 - in head/graphics/libexif: . files
Danilo G. Baio
dbaio at FreeBSD.org
Thu Feb 13 22:59:13 UTC 2020
Author: dbaio
Date: Thu Feb 13 22:59:12 2020
New Revision: 526071
URL: https://svnweb.freebsd.org/changeset/ports/526071
Log:
graphics/libexif: Fix security vulnerabilities
- Fix CVE-2019-9278
In libexif, there is a possible out of bounds write due to an integer
overflow. This could lead to remote escalation of privilege in the media
content provider with no additional execution privileges needed. User
interaction is needed for exploitation.
- Fix a buffer read overflow in exif_entry_get_value
- Fix a buffer overread in exif_mnote_data_olympus_load
PR: 244060
Reported by: tj at mrsk.me (email)
Approved by: former maintainer
MFH: 2020Q1
Security: 00f30cba-4d23-11ea-86ba-641c67a117d8
Added:
head/graphics/libexif/files/
head/graphics/libexif/files/patch-CVE-2019-9278 (contents, props changed)
head/graphics/libexif/files/patch-chromium-7344-and-14543 (contents, props changed)
head/graphics/libexif/files/patch-chromium-8884 (contents, props changed)
Modified:
head/graphics/libexif/Makefile
Modified: head/graphics/libexif/Makefile
==============================================================================
--- head/graphics/libexif/Makefile Thu Feb 13 22:53:34 2020 (r526070)
+++ head/graphics/libexif/Makefile Thu Feb 13 22:59:12 2020 (r526071)
@@ -3,11 +3,11 @@
PORTNAME= libexif
PORTVERSION= 0.6.21
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= graphics
MASTER_SITES= SF
-MAINTAINER= marius at nuenneri.ch
+MAINTAINER= dbaio at FreeBSD.org
COMMENT= Library to read digital camera file meta-data
LICENSE= LGPL21
Added: head/graphics/libexif/files/patch-CVE-2019-9278
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/libexif/files/patch-CVE-2019-9278 Thu Feb 13 22:59:12 2020 (r526071)
@@ -0,0 +1,86 @@
+https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner at suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git libexif/exif-data.c libexif/exif-data.c
+index a6f9c94..6332cd1 100644
+--- libexif/exif-data.c
++++ libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
Added: head/graphics/libexif/files/patch-chromium-7344-and-14543
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/libexif/files/patch-chromium-7344-and-14543 Thu Feb 13 22:59:12 2020 (r526071)
@@ -0,0 +1,35 @@
+https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff.patch
+From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan at coneharvesters.com>
+Date: Wed, 4 Jul 2018 11:06:09 +0200
+Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
+
+While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+the end of a heap buffer. This was detected by the OSS Fuzz project.
+Patch from Google.
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git libexif/exif-entry.c libexif/exif-entry.c
+index 61260d3..a224ac2 100644
+--- libexif/exif-entry.c
++++ libexif/exif-entry.c
+@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ d = 0.;
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+- if (entry && entry->data &&
++ if (entry && entry->data && entry->size >= 7 &&
+ !strncmp ((char *)entry->data, "Minolta", 7)) {
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0],
+ EXIF_TAG_MODEL);
+- if (entry && entry->data) {
++ if (entry && entry->data && entry->size >= 8) {
+ if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
+ d = 3.9;
+ else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
Added: head/graphics/libexif/files/patch-chromium-8884
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/libexif/files/patch-chromium-8884 Thu Feb 13 22:59:12 2020 (r526071)
@@ -0,0 +1,24 @@
+https://github.com/libexif/libexif/commit/a0c04d9cb6ab0c41a6458def9f892754e84160a0.patch
+From a0c04d9cb6ab0c41a6458def9f892754e84160a0 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus at jet.franken.de>
+Date: Sat, 15 Jun 2019 18:40:48 +0200
+Subject: [PATCH] fixed a buffer overread (OSS-Fuzz)
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8884
+
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git libexif/olympus/exif-mnote-data-olympus.c libexif/olympus/exif-mnote-data-olympus.c
+index dac7f5b..669e4ec 100644
+--- libexif/olympus/exif-mnote-data-olympus.c
++++ libexif/olympus/exif-mnote-data-olympus.c
+@@ -344,7 +344,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+
+ case nikonV2:
+ o2 += 6;
+- if (o2 >= buf_size) return;
++ if (o2 + 8 >= buf_size) return;
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
+ "%02x, %02x, %02x, %02x, %02x)...",
More information about the svn-ports-all
mailing list