From d3f0f8957f7ab59375f25d504fa233d71b1871c6 Mon Sep 17 00:00:00 2001 From: wangmy Date: Tue, 18 May 2021 16:03:31 +0800 Subject: exiv2: Fix CVE-2021-3482 References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482 Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da] CVE: CVE-2021-3482 Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit 9e7c2c9713dc2824af2a33b0a3feb4f29e7f0269) Signed-off-by: Armin Kuster --- .../exiv2/exiv2/CVE-2021-3482.patch | 54 ++++++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch new file mode 100644 index 0000000000..e7c5e1b656 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch @@ -0,0 +1,54 @@ +From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001 +From: Robin Mills +Date: Mon, 5 Apr 2021 20:33:25 +0100 +Subject: [PATCH] fix_1522_jp2image_exif_asan + +--- + src/jp2image.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index eb31cea4a..88ab9b2d6 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -28,6 +28,7 @@ + #include "image.hpp" + #include "image_int.hpp" + #include "basicio.hpp" ++#include "enforce.hpp" + #include "error.hpp" + #include "futils.hpp" + #include "types.hpp" +@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m) + if (io_->error()) throw Error(kerFailedToReadImageData); + if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed); + +- if (rawData.size_ > 0) ++ if (rawData.size_ > 8) // "II*\0long" + { + // Find the position of Exif header in bytes array. + long pos = ( (rawData.pData_[0] == rawData.pData_[1]) +@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m) + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); ++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata); + + if (bPrint) { + out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)), +@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m) + throw Error(kerInputDataReadFailed); + + if (bPrint) { +- out << Internal::binaryToString(makeSlice(rawData, 0, 40)); ++ out << Internal::binaryToString( ++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_)); + out.flush(); + } + lf(out, bLF); + +- if (bIsExif && bRecursive && rawData.size_ > 0) { ++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long" + if ((rawData.pData_[0] == rawData.pData_[1]) && + (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) { + BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_)); diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index fb8d126198..8c4c81799b 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -12,7 +12,8 @@ inherit dos2unix SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ file://CVE-2021-29457.patch \ file://CVE-2021-29458.patch \ - file://CVE-2021-29463.patch" + file://CVE-2021-29463.patch \ + file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" -- cgit 1.2.3-korg