Package: exif
Severity: wishlist

I have prepared an update for the exif package to address two null pointer issues;
changes have been submitted as an MR on salsa. Also see the debdiff in the
attachment.

Regards,
Aron Xu
diff -Nru exif-0.6.22/debian/changelog exif-0.6.22/debian/changelog
--- exif-0.6.22/debian/changelog        2020-07-09 10:58:17.000000000 +0000
+++ exif-0.6.22/debian/changelog        2022-08-31 07:35:27.000000000 +0000
@@ -1,3 +1,11 @@
+exif (0.6.22-3) unstable; urgency=medium
+
+  * Add patch for NULL Pointer Deference when printing out XML formatted
+    EXIF data (CVE-2021-27815)
+  * Add patch for NullPointer in strncpy() in Action.c
+
+ -- Aron Xu <a...@debian.org>  Wed, 31 Aug 2022 07:35:27 +0000
+
 exif (0.6.22-2) unstable; urgency=medium
 
   * Add upstream patch to fix test failures on big endian systems
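Review bot: The first new changelog bullet misspells "Dereference" as "Deference", and the second bullet names "Action.c" while every patch in this upload touches exif/actions.c. The second bullet also carries no reference for the issue it fixes, unlike the first, which cites CVE-2021-27815; adding the upstream issue link from the 0003 patch header (https://github.com/libexif/exif/issues/5) would make the entry traceable.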
diff -Nru 
exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
 
exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
--- 
exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
  2022-08-31 07:26:54.000000000 +0000
@@ -0,0 +1,27 @@
+From f6334d9d32437ef13dc902f0a88a2be0063d9d1c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <mar...@jet.franken.de>
+Date: Thu, 25 Feb 2021 08:31:53 +0100
+Subject: [PATCH 01/25] added empty strign check, which would lead to NULL ptr
+ deref/crash in exif XML display. fixes
+ https://github.com/libexif/exif/issues/4
+
+---
+ exif/actions.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index ed245df..123c064 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -661,6 +661,8 @@ escape_xml(const char *text)
+       char *out;
+       size_t len;
+ 
++      if (!strlen(text)) return "empty string";
++
+       for (out=escaped, len=0; *text; ++len, ++out, ++text) {
+               /* Make sure there's plenty of room for a quoted character */
+               if ((len + 8) > escaped_size) {
+-- 
+2.30.2
+
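Review bot: The new guard at the top of escape_xml() calls strlen(text) before any NULL test, so it covers an empty string but would itself dereference a NULL text. If any caller can pass NULL, test `!text || !*text` instead. The placeholder return value "empty string" would also be printed as element content in the XML output; it only becomes correct once the next patch in the series is applied, so the two must not be shipped apart.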
diff -Nru 
exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch
 
exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch
--- 
exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch
  2022-08-31 07:27:02.000000000 +0000
@@ -0,0 +1,26 @@
+From eb84b0e3c5f2a86013b6fcfb800d187896a648fa Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <mar...@jet.franken.de>
+Date: Thu, 25 Feb 2021 09:45:36 +0100
+Subject: [PATCH 02/25] actually return empty stringand not 'em,pty string' as
+ expected
+
+---
+ exif/actions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index 123c064..4fade01 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -661,7 +661,7 @@ escape_xml(const char *text)
+       char *out;
+       size_t len;
+ 
+-      if (!strlen(text)) return "empty string";
++      if (!strlen(text)) return "";
+ 
+       for (out=escaped, len=0; *text; ++len, ++out, ++text) {
+               /* Make sure there's plenty of room for a quoted character */
+-- 
+2.30.2
+
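Review bot: The early return at the top of escape_xml() has no comment saying why empty input has to bypass the loop below, which makes the guard easy to drop in a later cleanup; a one-line comment naming the crash it prevents would help. `!strlen(text)` also walks the whole string just to test for emptiness, where `!*text` states the same condition directly.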
diff -Nru exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch 
exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch
--- exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch  1970-01-01 
00:00:00.000000000 +0000
+++ exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch  2022-08-31 
07:28:52.000000000 +0000
@@ -0,0 +1,31 @@
+From a702ad911f7c9824979a6534d87dfb1ec9928533 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <mar...@jet.franken.de>
+Date: Wed, 18 Aug 2021 14:53:24 +0200
+Subject: [PATCH 20/25] avoid NULL ptr crash fixes
+ https://github.com/libexif/exif/issues/5
+
+---
+ exif/actions.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index 4fade01..d7ab870 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -715,7 +715,12 @@ show_entry_xml (ExifEntry *e, void *data)
+               fprintf (stdout, "%s", escape_xml(exif_entry_get_value (e, v, 
sizeof (v))));
+               fprintf (stdout, "</x%04x>", e->tag);
+       } else {
+-              strncpy (t, exif_tag_get_title_in_ifd(e->tag, 
exif_entry_get_ifd(e)), sizeof (t));
++              const char *title = exif_tag_get_title_in_ifd(e->tag, 
exif_entry_get_ifd(e));
++              if (!title) {
++                      /* might just be an unknown tag */
++                      return;
++              }
++              strncpy (t, title, sizeof (t));
+               t[sizeof(t)-1] = 0;
+ 
+               /* Remove invalid characters from tag eg. (, ), space */
+-- 
+2.30.2
+
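Review bot: In the else branch of show_entry_xml(), the new `if (!title) return;` drops the entry from the XML output without any trace, so a file carrying unknown tags produces XML that silently omits them. Consider falling back to the numeric element form the branch above already prints (`x%04x` with e->tag), or at least reporting the skipped tag, so the output stays complete. The NULL check ahead of strncpy() is the right fix for the crash, and the existing `t[sizeof(t)-1] = 0;` keeps the copy terminated.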
diff -Nru exif-0.6.22/debian/patches/series exif-0.6.22/debian/patches/series
--- exif-0.6.22/debian/patches/series   2020-07-09 10:58:17.000000000 +0000
+++ exif-0.6.22/debian/patches/series   2022-08-31 07:34:04.000000000 +0000
@@ -1 +1,4 @@
 unsigned-types.patch
+0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
+0002-actually-return-empty-stringand-not-em-pty-string-as.patch
+0003-avoid-NULL-ptr-crash.patch
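Review bot: The three new series entries keep the upstream subject typos in their file names ("strign", "stringand", "em-pty"), and 0001 and 0002 rewrite the same line of escape_xml() one after the other. Renaming them, or folding 0001 and 0002 into a single patch named for the CVE-2021-27815 fix, would make the series easier to audit; the apply order as listed is correct.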
