aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwangmy <wangmy@fujitsu.com>2021-05-18 16:03:30 +0800
committerArmin Kuster <akuster808@gmail.com>2021-05-22 15:34:46 -0700
commit0e8fcf0e774e17ea72785d5d95356bc6ee9133ee (patch)
tree93eb6fce27498d16fb27959d77cfbd2a6bd626bd
parent8355be5c641d18df607c0b1eec9129f15d318220 (diff)
downloadmeta-openembedded-0e8fcf0e774e17ea72785d5d95356bc6ee9133ee.tar.gz
exiv2: Fix CVE-2021-29463
References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463 The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b] CVE: CVE-2021-29463 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8e63ac6c86852a12408c2415be073c71420758ff) Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch120
-rw-r--r--meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb3
2 files changed, 122 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
++++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+ DataBuf chunkId(WEBP_TAG_SIZE+1);
+ chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+
+- io_->read(data, WEBP_TAG_SIZE * 3);
++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+ uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+
+ /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+ case we have any exif or xmp data, also check
+ for any chunks with alpha frame/layer set */
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+- io_->read(size_buff, WEBP_TAG_SIZE);
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
++
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+ DataBuf payload(size);
+- io_->read(payload.pData_, payload.size_);
+- byte c;
+- if ( payload.size_ % 2 ) io_->read(&c,1);
++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
++ if ( payload.size_ % 2 ) {
++ byte c;
++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
++ }
+
+ /* Chunk with information about features
+ used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+ has_vp8x = true;
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+ }
+ #endif
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
++ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[2];
+
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+
+ /* Chunk with with lossless image data. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
++ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf_w[2];
+ byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+
+ /* Chunk with animation frame. */
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
++ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+ if ((payload.pData_[5] & 0x2) == 0x2) {
+ has_alpha = true;
+ }
+ }
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
++ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+ has_size = true;
+ byte size_buf[WEBP_TAG_SIZE];
+
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+
+ io_->seek(12, BasicIo::beg);
+ while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+- io_->read(chunkId.pData_, 4);
+- io_->read(size_buff, 4);
++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
++
++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+- long size = Exiv2::getULong(size_buff, littleEndian);
++ // Check that `size_u32` is safe to cast to `long`.
++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
++ Exiv2::kerCorruptedMetadata);
++ const long size = static_cast<long>(size_u32);
+
+ DataBuf payload(size);
+- io_->read(payload.pData_, size);
++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+ if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+
+ if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
++ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+ if (has_icc){
+ payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+ } else {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 1dc909eeb0..fb8d126198 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
inherit dos2unix
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
- file://CVE-2021-29458.patch"
+ file://CVE-2021-29458.patch \
+ file://CVE-2021-29463.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"