diff options
author | wangmy <wangmy@fujitsu.com> | 2021-05-18 16:03:32 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-05-22 16:13:38 -0700 |
commit | 29953069d9d9c2868d831492ccec7b171403ac04 (patch) | |
tree | f5ae196e8e72c5b20d43cfa9f6f3c67bc6f89fa6 /meta-oe/recipes-support/exiv2 | |
parent | be0cc5e79b98a9c47f5bb8915f6c411484d0d6f2 (diff) | |
download | meta-openembedded-contrib-29953069d9d9c2868d831492ccec7b171403ac04.tar.gz |
exiv2: Fix CVE-2021-29464
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c9470bdfaa1d33347ffaf25b3e18d2163667e18)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/exiv2')
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch | 72 | ||||
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch new file mode 100644 index 0000000000..f0c482450c --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch @@ -0,0 +1,72 @@ +From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001 +From: Wang Mingyu <wangmy@fujitsu.com> +Date: Tue, 18 May 2021 10:52:54 +0900 +Subject: [PATCH] modify + +Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> +--- + src/jp2image.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 52723a4..0ac4f50 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m) + void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf) + { + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space +- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? +- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? ++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; +- int32_t length = getLong((byte*)&pBox->length, bigEndian); +- int32_t count = sizeof (Jp2BoxHeader); ++ uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + +@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m) + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl; + #endif ++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata); + count += subBox.length; + newBox.type = subBox.type; + } else { +@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m) + count = length; + } + +- int32_t newlen = subBox.length; ++ uint32_t newlen = subBox.length; + if ( newBox.type == kJp2BoxTypeColorHeader ) { + bWroteColor = true ; + if ( ! iccProfileDefined() ) { + const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid"; + uint32_t psize = 15; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize ,bigEndian); + ul2Data((byte*)&newBox.type ,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox)); +@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m) + } else { + const char* pad = "\0x02\x00\x00"; + uint32_t psize = 3; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian); + ul2Data((byte*)&newBox.type,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) ); +@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m) + newlen = psize + iccProfile_.size_; + } + } else { ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length); + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 8c4c81799b..024f4c794a 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -13,6 +13,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat file://CVE-2021-29457.patch \ file://CVE-2021-29458.patch \ file://CVE-2021-29463.patch \ + file://CVE-2021-29464.patch \ file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" |