Control: tags 918730 + patch Control: tags 918730 + pending
Dear maintainer, I've prepared an NMU for libexif (versioned as 0.6.21-5.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. This should make it possible to still reach buster in time. Regards, Salvatore
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog --- libexif-0.6.21/debian/changelog 2018-04-03 14:53:18.000000000 +0200 +++ libexif-0.6.21/debian/changelog 2019-02-10 14:59:33.000000000 +0100 @@ -1,3 +1,12 @@ +libexif (0.6.21-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Reduce maximum recursion depth in exif_data_load_data_content + * Improve deep recursion detection in exif_data_load_data_content + (CVE-2018-20030) (Closes: #918730) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 10 Feb 2019 14:59:33 +0100 + libexif (0.6.21-5) unstable; urgency=medium * Team upload. diff -Nru libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch --- libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch 1970-01-01 01:00:00.000000000 +0100 +++ libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch 2019-02-10 14:59:33.000000000 +0100 @@ -0,0 +1,116 @@ +From: Dan Fandrich <d...@coneharvesters.com> +Date: Fri, 12 Oct 2018 16:01:45 +0200 +Subject: Improve deep recursion detection in exif_data_load_data_content. +Origin: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030 +Bug-Debian: https://bugs.debian.org/918730 + +The existing detection was still vulnerable to pathological cases +causing DoS by wasting CPU. The new algorithm takes the number of tags +into account to make it harder to abuse by cases using shallow recursion +but with a very large number of tags. This improves on commit 5d28011c +which wasn't sufficient to counter this kind of case. + +The limitation in the previous fix was discovered by Laurent Delosieres, +Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned +the identifier CVE-2018-20030. +--- + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index e35403ddba7c..a6f9c94f2fc2 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -35,6 +35,7 @@ + #include <libexif/olympus/exif-mnote-data-olympus.h> + #include <libexif/pentax/exif-mnote-data-pentax.h> + ++#include <math.h> + #include <stdlib.h> + #include <stdio.h> + #include <string.h> +@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ + break; \ + } + ++/*! Calculate the recursion cost added by one level of IFD loading. ++ * ++ * The work performed is related to the cost in the exponential relation ++ * work=1.1**cost ++ */ ++static unsigned int ++level_cost(unsigned int n) ++{ ++ static const double log_1_1 = 0.09531017980432493; ++ ++ /* Adding 0.1 protects against the case where n==1 */ ++ return ceil(log(n + 0.1)/log_1_1); ++} ++ + /*! Load data for an IFD. + * + * \param[in,out] data #ExifData +@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \ + * \param[in] d pointer to buffer containing raw IFD data + * \param[in] ds size of raw data in buffer at \c d + * \param[in] offset offset into buffer at \c d at which IFD starts +- * \param[in] recursion_depth number of times this function has been +- * recursively called without returning ++ * \param[in] recursion_cost factor indicating how expensive this recursive ++ * call could be + */ + static void + exif_data_load_data_content (ExifData *data, ExifIfd ifd, + const unsigned char *d, +- unsigned int ds, unsigned int offset, unsigned int recursion_depth) ++ unsigned int ds, unsigned int offset, unsigned int recursion_cost) + { + ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; + ExifShort n; +@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 12) { ++ if (recursion_cost > 170) { ++ /* ++ * recursion_cost is a logarithmic-scale indicator of how expensive this ++ * recursive call might end up being. It is an indicator of the depth of ++ * recursion as well as the potential for worst-case future recursive ++ * calls. Since it's difficult to tell ahead of time how often recursion ++ * will occur, this assumes the worst by assuming every tag could end up ++ * causing recursion. ++ * The value of 170 was chosen to limit typical EXIF structures to a ++ * recursive depth of about 6, but pathological ones (those with very ++ * many tags) to only 2. ++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Deep recursion detected!"); ++ "Deep/expensive recursion detected!"); + return; + } + +@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + switch (tag) { + case EXIF_TAG_EXIF_IFD_POINTER: + CHECK_REC (EXIF_IFD_EXIF); +- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_GPS_INFO_IFD_POINTER: + CHECK_REC (EXIF_IFD_GPS); +- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: + CHECK_REC (EXIF_IFD_INTEROPERABILITY); +- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: + thumbnail_offset = o; +-- +2.20.1 + diff -Nru libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch --- libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch 1970-01-01 01:00:00.000000000 +0100 +++ libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch 2019-02-10 14:59:33.000000000 +0100 @@ -0,0 +1,28 @@ +From: Dan Fandrich <d...@coneharvesters.com> +Date: Fri, 20 Apr 2018 18:05:19 +0200 +Subject: Reduce maximum recursion depth in exif_data_load_data_content +Origin: https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a + +This only needs to be a small, single digit integer for normal files, +and reducing the maximum closer to this reduces the time and space +needed to detect pathological cases. +--- + libexif/exif-data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 91f4c33593ad..04cdda256c3d 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -378,7 +378,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 30) { ++ if (recursion_depth > 12) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", + "Deep recursion detected!"); + return; +-- +2.20.1 + diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series --- libexif-0.6.21/debian/patches/series 2018-04-02 14:34:24.000000000 +0200 +++ libexif-0.6.21/debian/patches/series 2019-02-10 14:59:33.000000000 +0100 @@ -5,3 +5,5 @@ cve-2016-6328.patch cve-2017-7544.patch fix-size_t-warnings.patch +Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch +Improve-deep-recursion-detection-in-exif_data_load_d.patch