Submitted By: Ken Moffat
Date: 2020-11-21
Initial Package Version: 0.6.22
Upstream Status: Applied
Origin: Found at fedora
Description: Fixes CVE-2020-0181, -0198, -0452. The first two are merely DOS, the last is an oob write on integer oveflow which could possibly be exploited for remote code execution or disclosure of sensitive information.

From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Mon, 8 Jun 2020 17:27:06 +0200
Subject: [PATCH] fixed another unsigned integer overflow

first fixed by google in android fork, https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 (use a more generic overflow check method, also check second overflow instance.)
https://security-tracker.debian.org/tracker/CVE-2020-0198
---
 libexif/exif-data.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 8b280d3..b495726 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -47,6 +47,8 @@
 #undef JPEG_MARKER_APP1
 #define JPEG_MARKER_APP1 0xe1
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
 static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
 struct _ExifDataPrivate
@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
 return;
 }
- if (s > ds - o) {
+ if (CHECKOVERFLOW(o,ds,s)) {
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
 return;
 }
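Review bot: The new `#define CHECKOVERFLOW(offset,datasize,structsize)` splices its three arguments in unparenthesized and evaluates each up to twice, so the later call `CHECKOVERFLOW(offset, ds, 12*n)` only works because `*` binds tighter than `>` and `-`. Parenthesize every use: `#define CHECKOVERFLOW(offset,datasize,structsize) (((offset) >= (datasize)) || ((structsize) > (datasize)) || ((offset) > (datasize) - (structsize)))`. The third clause is only wrap-free because the second has already established structsize <= datasize, and the macro inherits whatever signedness the caller passes (`12*n` is an int after promotion if n is a short, as the `%hu` format in a later hunk suggests), so a one-line comment on the clause ordering, or a `static inline` helper taking three `unsigned int`, would make the contract explicit.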
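Review bot: The `ds-o` operand in the retained "Bogus thumbnail size" message is only wrap-free because the guard that logs "Bogus thumbnail offset" (its return is visible in the context) has already rejected o >= ds, and the new `CHECKOVERFLOW(o,ds,s)` repeats that offset test as its first clause. The earlier guard is therefore redundant for safety but still carries the more specific log message, so a comment `/* o < ds here (rejected above), so ds-o cannot wrap */` before the exif_log line would stop a later cleanup from removing the wrong check. exif_data_load_data_thumbnail's body continues outside the hunk.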
@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 }
 /* Read the number of entries */
- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+ if (CHECKOVERFLOW(offset, ds, 2)) {
 exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Tag data past end of buffer (%u > %u)", offset+2, ds);
+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
 return;
 }
 n = exif_get_short (d + offset, data->priv->order);
@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 offset += 2;
 /* Check if we have enough data. */
- if (offset + 12 * n > ds) {
+ if (CHECKOVERFLOW(offset, ds, 12*n)) {
 n = (ds - offset) / 12;
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
 "Short data; only loading %hu entries...", n);

From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 5 Nov 2020 09:50:08 +0100
Subject: [PATCH] fixed a incorrect overflow check that could be optimized away.

inspired by: https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
https://source.android.com/security/bulletin/2020-11-01
CVE-2020-0452
---
 NEWS | 3 ++-
 libexif/exif-entry.c | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 3fc0ff9..4b866ce 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
 {
 unsigned char *utf16;
- /* Sanity check the size to prevent overflow */
- if (e->size+sizeof(uint16_t)+1 < e->size) break;
+ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
+ if (e->size >= 65536 - sizeof(uint16_t)*2) break;
 /* The tag may not be U+0000-terminated , so make a local U+0000-terminated copy before converting it */
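Review bot: The fallback `n = (ds - offset) / 12;` after the new `CHECKOVERFLOW(offset, ds, 12*n)` check is safe only because offset <= ds holds here, and that follows from the entry-count check in the previous hunk (`CHECKOVERFLOW(offset, ds, 2)` before `offset += 2`), not from anything in this hunk; if that earlier check were ever loosened, the macro's first clause (`offset >= datasize`) would fire and `ds - offset` would wrap before being truncated into n. A comment `/* offset <= ds is guaranteed by the entry-count check above, so ds - offset cannot wrap */` would pin that invariant next to the code that relies on it. The macro also evaluates `12*n` twice, harmless here but one more argument for an inline helper. exif_data_load_data_content's body continues outside the hunk.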
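Review bot: The new bound `if (e->size >= 65536 - sizeof(uint16_t)*2) break;` hard-codes the 64 KiB limit as a magic number, and the accompanying comment attributes it to "EXIF files" when the limit actually comes from the 16-bit length field of the JPEG APP1 segment that carries the Exif payload; name it, e.g. `enum { EXIF_APP1_MAX_SIZE = 65536 };` (suggested name, not an existing identifier), and say in the comment that it bounds e->size so that the `e->size+sizeof(uint16_t)+1` allocation size which presumably follows cannot wrap. If e->size is an unsigned int, the removed sum was computed in size_t, so on LP64 targets the old `< e->size` test could never be true regardless of optimization, which is worth stating in the comment so nobody restores it. exif_entry_get_value's body continues outside the hunk.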