diff options
author | wangmy <wangmy@fujitsu.com> | 2021-05-18 16:08:00 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-05-22 16:13:38 -0700 |
commit | a3a0e023193ee465f8a4d408339352c85a20e80d (patch) | |
tree | 80a4405eee487a7f1f90ce8e316c1d71dba82846 | |
parent | 8ac16502753b72fd1df1d88d5773ab5077d868b8 (diff) | |
download | meta-openembedded-contrib-a3a0e023193ee465f8a4d408339352c85a20e80d.tar.gz |
exiv2: Fix CVE-2021-29473
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29473
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1587/commits/e6a0982f7cd9282052b6e3485a458d60629ffa0b]
CVE: CVE-2021-29473
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a9aecd2c32fc8f238f62ef70813e032b6b52c2f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch | 21 | ||||
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 |
2 files changed, 22 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch new file mode 100644 index 0000000000..4afedf8e59 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch @@ -0,0 +1,21 @@ +From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Fri, 23 Apr 2021 11:44:44 +0100 +Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata(). + +--- + src/jp2image.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 1694fed27..ca8c9ddbb 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m) + + case kJp2BoxTypeUuid: + { ++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata); + if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0) + { + #ifdef EXIV2_DEBUG_MESSAGES diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 2419bab352..d5d9e62ff2 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -15,6 +15,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat file://CVE-2021-29463.patch \ file://CVE-2021-29464.patch \ file://CVE-2021-29470.patch \ + file://CVE-2021-29473.patch \ file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" |