Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked as "no DSA". The attached debdiff fixes these vulnerabilities. CVE-2020-12767 - division-by-zero errors CVE-2020-0093 - read buffer overflow CVE-2018-20030 - denial of service by wasting CPU CVE-2017-7544 - out-of-bounds heap read CVE-2016-6328 - integer overflow -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog --- libexif-0.6.21/debian/changelog 2020-02-02 07:54:38.000000000 +1100 +++ libexif-0.6.21/debian/changelog 2020-05-19 18:41:18.000000000 +1000 @@ -1,3 +1,19 @@ +libexif (0.6.21-2+deb9u2) stretch; urgency=medium + + * Team upload. + * Add upstream patches to fix multiple security issues: + - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE + entry data of the input file (CVE-2016-6328) (Closes: #873022). + - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function + exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466). + - cve-2018-20030.patch: Improve deep recursion detection in the function + exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730). + - cve-2020-12767.patch: Prevent some possible division-by-zero errors + in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199). + - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093). + + -- Hugh McMaster <hugh.mcmas...@outlook.com> Tue, 19 May 2020 19:40:10 +1000 + libexif (0.6.21-2+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch libexif-0.6.21/debian/patches/cve-2016-6328.patch --- libexif-0.6.21/debian/patches/cve-2016-6328.patch 1970-01-01 10:00:00.000000000 +1000 +++ libexif-0.6.21/debian/patches/cve-2016-6328.patch 2020-05-19 18:36:53.000000000 +1000 @@ -0,0 +1,53 @@ +Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328) +Author: Marcus Meissner <mar...@jet.franken.de> +Bug-Debian: http://bugs.debian.org/873022 +Last-Update: 2017-07-25 + +Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c +=================================================================== +--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c ++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c +@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta + case EXIF_FORMAT_SHORT: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; k<entry->components; k++) { ++ if (sizeleft < 2) ++ break; + vs = exif_get_short (data, entry->order); + snprintf (val+len, maxlen-len, "%i ", vs); + len = strlen(val); + data += 2; ++ sizeleft -= 2; + } + } + break; + case EXIF_FORMAT_LONG: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; k<entry->components; k++) { ++ if (sizeleft < 4) ++ break; + vl = exif_get_long (data, entry->order); + snprintf (val+len, maxlen-len, "%li", (long int) vl); + len = strlen(val); + data += 4; ++ sizeleft -= 4; + } + } + break; +@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta + break; + } + +- return (val); ++ return val; + } diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch libexif-0.6.21/debian/patches/cve-2017-7544.patch --- libexif-0.6.21/debian/patches/cve-2017-7544.patch 1970-01-01 10:00:00.000000000 +1000 +++ libexif-0.6.21/debian/patches/cve-2017-7544.patch 2020-05-19 18:39:10.000000000 +1000 @@ -0,0 +1,22 @@ +Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544) +Author: Marcus Meissner <mar...@jet.franken.de> +Bug-Debian: http://bugs.debian.org/876466 +Last-Update: 2017-07-04 + +Index: libexif-0.6.21/libexif/exif-data.c +=================================================================== +--- libexif-0.6.21.orig/libexif/exif-data.c ++++ libexif-0.6.21/libexif/exif-data.c +@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat + exif_mnote_data_set_offset (data->priv->md, *ds - 6); + exif_mnote_data_save (data->priv->md, &e->data, &e->size); + e->components = e->size; ++ if (exif_format_get_size (e->format) != 1) { ++ /* e->format is taken from input code, ++ * but we need to make sure it is a 1 byte ++ * entity due to the multiplication below. */ ++ e->format = EXIF_FORMAT_UNDEFINED; ++ } + } + } + diff -Nru libexif-0.6.21/debian/patches/cve-2018-20030.patch libexif-0.6.21/debian/patches/cve-2018-20030.patch --- libexif-0.6.21/debian/patches/cve-2018-20030.patch 1970-01-01 10:00:00.000000000 +1000 +++ libexif-0.6.21/debian/patches/cve-2018-20030.patch 2020-05-19 18:39:20.000000000 +1000 @@ -0,0 +1,111 @@ +From: Dan Fandrich <d...@coneharvesters.com> +Date: Fri, 12 Oct 2018 16:01:45 +0200 +Subject: Improve deep recursion detection in exif_data_load_data_content. +Origin: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030 +Bug-Debian: https://bugs.debian.org/918730 + +The existing detection was still vulnerable to pathological cases +causing DoS by wasting CPU. The new algorithm takes the number of tags +into account to make it harder to abuse by cases using shallow recursion +but with a very large number of tags. This improves on commit 5d28011c +which wasn't sufficient to counter this kind of case. + +The limitation in the previous fix was discovered by Laurent Delosieres, +Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned +the identifier CVE-2018-20030. +--- + +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -35,6 +35,7 @@ + #include <libexif/olympus/exif-mnote-data-olympus.h> + #include <libexif/pentax/exif-mnote-data-pentax.h> + ++#include <math.h> + #include <stdlib.h> + #include <stdio.h> + #include <string.h> +@@ -344,6 +345,20 @@ + break; \ + } + ++/*! Calculate the recursion cost added by one level of IFD loading. ++ * ++ * The work performed is related to the cost in the exponential relation ++ * work=1.1**cost ++ */ ++static unsigned int ++level_cost(unsigned int n) ++{ ++ static const double log_1_1 = 0.09531017980432493; ++ ++ /* Adding 0.1 protects against the case where n==1 */ ++ return ceil(log(n + 0.1)/log_1_1); ++} ++ + /*! Load data for an IFD. + * + * \param[in,out] data #ExifData +@@ -351,13 +366,13 @@ + * \param[in] d pointer to buffer containing raw IFD data + * \param[in] ds size of raw data in buffer at \c d + * \param[in] offset offset into buffer at \c d at which IFD starts +- * \param[in] recursion_depth number of times this function has been +- * recursively called without returning ++ * \param[in] recursion_cost factor indicating how expensive this recursive ++ * call could be + */ + static void + exif_data_load_data_content (ExifData *data, ExifIfd ifd, + const unsigned char *d, +- unsigned int ds, unsigned int offset, unsigned int recursion_depth) ++ unsigned int ds, unsigned int offset, unsigned int recursion_cost) + { + ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; + ExifShort n; +@@ -372,9 +387,20 @@ + if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 30) { ++ if (recursion_cost > 170) { ++ /* ++ * recursion_cost is a logarithmic-scale indicator of how expensive this ++ * recursive call might end up being. It is an indicator of the depth of ++ * recursion as well as the potential for worst-case future recursive ++ * calls. Since it's difficult to tell ahead of time how often recursion ++ * will occur, this assumes the worst by assuming every tag could end up ++ * causing recursion. ++ * The value of 170 was chosen to limit typical EXIF structures to a ++ * recursive depth of about 6, but pathological ones (those with very ++ * many tags) to only 2. ++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Deep recursion detected!"); ++ "Deep/expensive recursion detected!"); + return; + } + +@@ -416,15 +442,18 @@ + switch (tag) { + case EXIF_TAG_EXIF_IFD_POINTER: + CHECK_REC (EXIF_IFD_EXIF); +- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_GPS_INFO_IFD_POINTER: + CHECK_REC (EXIF_IFD_GPS); +- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: + CHECK_REC (EXIF_IFD_INTEROPERABILITY); +- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: + thumbnail_offset = o; diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch --- libexif-0.6.21/debian/patches/cve-2020-0093.patch 1970-01-01 10:00:00.000000000 +1000 +++ libexif-0.6.21/debian/patches/cve-2020-0093.patch 2020-05-19 18:39:22.000000000 +1000 @@ -0,0 +1,24 @@ +Description: Fix read buffer overflow (CVE-2020-0093) + Ensure the number of bytes being copied does not exceed the source buffer size. +Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133 +Author: Marcus Meissner <mar...@jet.franken.de> +Bug: https://github.com/libexif/libexif/issues/42 +Last-Update: 2020-05-17 + +--- + libexif/exif-data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -295,7 +295,9 @@ + /* Write the data. Fill unneeded bytes with 0. Do not crash with + * e->data is NULL */ + if (e->data) { +- memcpy (*d + 6 + doff, e->data, s); ++ unsigned int len = s; ++ if (e->size < s) len = e->size; ++ memcpy (*d + 6 + doff, e->data, len); + } else { + memset (*d + 6 + doff, 0, s); + } diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch --- libexif-0.6.21/debian/patches/cve-2020-12767.patch 1970-01-01 10:00:00.000000000 +1000 +++ libexif-0.6.21/debian/patches/cve-2020-12767.patch 2020-05-19 18:39:29.000000000 +1000 @@ -0,0 +1,34 @@ +Description: Prevent some possible division-by-zero errors in exif_entry_get_value() +Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72 +Author: orangesnn <52818007+orange...@users.noreply.github.com> +Bug: https://github.com/libexif/libexif/issues/31 +Bug-Debian: https://bugs.debian.org/960199 +Last-Update: 2020-05-13 + +--- + libexif/exif-entry.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/libexif/exif-entry.c ++++ b/libexif/exif-entry.c +@@ -1085,7 +1085,7 @@ + break; + } + d = (double) v_rat.numerator / (double) v_rat.denominator; +- if (d < 1) ++ if (d < 1 && d) + snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d)); + else + snprintf (val, maxlen, "%i", (int) d); +@@ -1102,8 +1102,9 @@ + } + d = (double) v_srat.numerator / (double) v_srat.denominator; + snprintf (val, maxlen, _("%.02f EV"), d); +- d = 1. / pow (2, d); +- if (d < 1) ++ if (pow (2, d)) ++ d = 1. / pow (2, d); ++ if (d < 1 && d) + snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d)); + else + snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d); diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series --- libexif-0.6.21/debian/patches/series 2020-02-02 07:54:38.000000000 +1100 +++ libexif-0.6.21/debian/patches/series 2020-05-19 18:39:29.000000000 +1000 @@ -1,3 +1,8 @@ +cve-2020-12767.patch +cve-2020-0093.patch +cve-2018-20030.patch +cve-2017-7544.patch +cve-2016-6328.patch pkg_config_header_dir extra_colorspace_check fix-CVE-2019-9278.patch
