Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961020,
regarding stretch-pu: package libexif/0.6.21-2+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
961020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961020
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked
as "no DSA".

The attached debdiff fixes these vulnerabilities.

CVE-2020-12767 - division-by-zero errors
CVE-2020-0093  - read buffer overflow
CVE-2018-20030 - denial of service by wasting CPU
CVE-2017-7544  - out-of-bounds heap read
CVE-2016-6328  - integer overflow

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog     2020-02-02 07:54:38.000000000 +1100
+++ libexif-0.6.21/debian/changelog     2020-05-19 18:41:18.000000000 +1000
@@ -1,3 +1,19 @@
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+    - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+      entry data of the input file (CVE-2016-6328) (Closes: #873022).
+    - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+      exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+    - cve-2018-20030.patch: Improve deep recursion detection in the function
+      exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+    - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+      in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+    - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster <[email protected]>  Tue, 19 May 2020 19:40:10 +1000
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch 
libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch   1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch   2020-05-19 
18:36:53.000000000 +1000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of 
the input file (CVE-2016-6328)
+Author: Marcus Meissner <[email protected]>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+               case EXIF_FORMAT_SHORT:
+                 {
+                       const unsigned char *data = entry->data;
+-                      size_t k, len = strlen(val);
++                      size_t k, len = strlen(val), sizeleft;
++
++                      sizeleft = entry->size;
+                       for(k=0; k<entry->components; k++) {
++                              if (sizeleft < 2)
++                                      break;
+                               vs = exif_get_short (data, entry->order);
+                               snprintf (val+len, maxlen-len, "%i ", vs);
+                               len = strlen(val);
+                               data += 2;
++                              sizeleft -= 2;
+                       }
+                 }
+                 break;
+               case EXIF_FORMAT_LONG:
+                 {
+                       const unsigned char *data = entry->data;
+-                      size_t k, len = strlen(val);
++                      size_t k, len = strlen(val), sizeleft;
++
++                      sizeleft = entry->size;
+                       for(k=0; k<entry->components; k++) {
++                              if (sizeleft < 4)
++                                      break;
+                               vl = exif_get_long (data, entry->order);
+                               snprintf (val+len, maxlen-len, "%li", (long 
int) vl);
+                               len = strlen(val);
+                               data += 4;
++                              sizeleft -= 4;
+                       }
+                 }
+                 break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+               break;
+       }
+ 
+-      return (val);
++      return val;
+ }
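Review bot: In both the EXIF_FORMAT_SHORT and EXIF_FORMAT_LONG loops, the new `if (sizeleft < 2) break;` and `if (sizeleft < 4) break;` guards stop reading silently when entry->components claims more data than entry->size holds, so a malformed MakerNote entry produces a truncated value string with no diagnostic. Consider reporting the mismatch, or rejecting the entry at the point where components and size are first read, so the inconsistency is handled once rather than in each consumer. The `return (val);` to `return val;` change in the last inner hunk is unrelated cosmetic churn and would be better left out of a security backport, where every changed line has to be audited.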
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch 
libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch   1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2017-7544.patch   2020-05-19 
18:39:10.000000000 +1000
@@ -0,0 +1,22 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry 
function (CVE-2017-7544)
+Author: Marcus Meissner <[email protected]>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+                       exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+                       exif_mnote_data_save (data->priv->md, &e->data, 
&e->size);
+                       e->components = e->size;
++                      if (exif_format_get_size (e->format) != 1) {
++                              /* e->format is taken from input code,
++                               * but we need to make sure it is a 1 byte
++                               * entity due to the multiplication below. */
++                              e->format = EXIF_FORMAT_UNDEFINED;
++                      }
+               }
+       }
+ 
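Review bot: The added `e->format = EXIF_FORMAT_UNDEFINED;` in exif_data_save_data_entry() rewrites the caller's in-memory entry as a side effect of saving, and does so without any log message. Anyone inspecting the entry after a save will see a different format than the one that was loaded, with nothing to explain why. Suggest emitting a log line when the override triggers, and naming the expression the comment calls "the multiplication below", since it lies outside the hunk and the reader cannot see which product the 1-byte size is meant to protect.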
diff -Nru libexif-0.6.21/debian/patches/cve-2018-20030.patch 
libexif-0.6.21/debian/patches/cve-2018-20030.patch
--- libexif-0.6.21/debian/patches/cve-2018-20030.patch  1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2018-20030.patch  2020-05-19 
18:39:20.000000000 +1000
@@ -0,0 +1,111 @@
+From: Dan Fandrich <[email protected]>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: Improve deep recursion detection in exif_data_load_data_content.
+Origin: 
https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030
+Bug-Debian: https://bugs.debian.org/918730
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -344,6 +345,20 @@
+       break;                                          \
+ }
+ 
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ *   work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++    static const double log_1_1 = 0.09531017980432493;
++
++      /* Adding 0.1 protects against the case where n==1 */
++      return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -351,13 +366,13 @@
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+                            const unsigned char *d,
+-                           unsigned int ds, unsigned int offset, unsigned int 
recursion_depth)
++                           unsigned int ds, unsigned int offset, unsigned int 
recursion_cost)
+ {
+       ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+       ExifShort n;
+@@ -372,9 +387,20 @@
+       if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+         return;
+ 
+-      if (recursion_depth > 30) {
++      if (recursion_cost > 170) {
++              /*
++               * recursion_cost is a logarithmic-scale indicator of how 
expensive this
++               * recursive call might end up being. It is an indicator of the 
depth of
++               * recursion as well as the potential for worst-case future 
recursive
++               * calls. Since it's difficult to tell ahead of time how often 
recursion
++               * will occur, this assumes the worst by assuming every tag 
could end up
++               * causing recursion.
++               * The value of 170 was chosen to limit typical EXIF structures 
to a
++               * recursive depth of about 6, but pathological ones (those 
with very
++               * many tags) to only 2.
++               */
+               exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, 
"ExifData",
+-                        "Deep recursion detected!");
++                        "Deep/expensive recursion detected!");
+               return;
+       }
+ 
+@@ -416,15 +442,18 @@
+                       switch (tag) {
+                       case EXIF_TAG_EXIF_IFD_POINTER:
+                               CHECK_REC (EXIF_IFD_EXIF);
+-                              exif_data_load_data_content (data, 
EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++                              exif_data_load_data_content (data, 
EXIF_IFD_EXIF, d, ds, o,
++                                      recursion_cost + level_cost(n));
+                               break;
+                       case EXIF_TAG_GPS_INFO_IFD_POINTER:
+                               CHECK_REC (EXIF_IFD_GPS);
+-                              exif_data_load_data_content (data, 
EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++                              exif_data_load_data_content (data, 
EXIF_IFD_GPS, d, ds, o,
++                                      recursion_cost + level_cost(n));
+                               break;
+                       case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+                               CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-                              exif_data_load_data_content (data, 
EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++                              exif_data_load_data_content (data, 
EXIF_IFD_INTEROPERABILITY, d, ds, o,
++                                      recursion_cost + level_cost(n));
+                               break;
+                       case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+                               thumbnail_offset = o;
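Review bot: level_cost() returns `ceil(log(n + 0.1)/log_1_1)` as unsigned int, and for n == 0 that expression is negative (log(0.1) is about -2.3, giving roughly -24), so the conversion to unsigned has undefined behaviour in C. The comment only covers n == 1, and nothing visible in the hunk states that the three call sites can only be reached with n >= 1. Suggest either an explicit guard at the top of level_cost() or a comment on the function documenting that precondition. Smaller points: the `static const double log_1_1` line is indented with spaces while the rest of the function uses tabs, and the threshold 170 appears as a bare literal in `if (recursion_cost > 170)` where a named constant next to level_cost() would keep the two tunables together.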
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch 
libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch   1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch   2020-05-19 
18:39:22.000000000 +1000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer 
size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <[email protected]>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+       /* Write the data. Fill unneeded bytes with 0. Do not crash with
+        * e->data is NULL */
+       if (e->data) {
+-              memcpy (*d + 6 + doff, e->data, s);
++              unsigned int len = s;
++              if (e->size < s) len = e->size;
++              memcpy (*d + 6 + doff, e->data, len);
+       } else {
+               memset (*d + 6 + doff, 0, s);
+       }
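Review bot: When e->size < s, the new `memcpy (*d + 6 + doff, e->data, len);` writes only len bytes, and the remaining s - len bytes of the destination are not written by anything in this hunk, although the context comment says "Fill unneeded bytes with 0". Unless the output buffer is zeroed elsewhere, the saved EXIF block would carry whatever those bytes previously held. Suggest zero-filling the tail in the same branch (a memset over the s - len bytes starting at `*d + 6 + doff + len`) so the over-read fix does not leave stale memory in the written file.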
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch 
libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch  1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch  2020-05-19 
18:39:29.000000000 +1000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in 
exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <[email protected]>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+                       break;
+               }
+               d = (double) v_rat.numerator / (double) v_rat.denominator;
+-              if (d < 1)
++              if (d < 1 && d)
+                       snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+               else
+                       snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+               }
+               d = (double) v_srat.numerator / (double) v_srat.denominator;
+               snprintf (val, maxlen, _("%.02f EV"), d);
+-              d = 1. / pow (2, d);
+-              if (d < 1)
++              if (pow (2, d))
++                      d = 1. / pow (2, d);
++              if (d < 1 && d)
+                 snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+               else
+                 snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
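Review bot: In the second inner hunk, `if (pow (2, d)) d = 1. / pow (2, d);` skips the assignment when pow() underflows to zero, which leaves d holding the EV value rather than a time in seconds, and the following `if (d < 1 && d)` then formats that EV number as a shutter speed (for a large negative d, `(int) (1. / d)` yields 0 and the string becomes "1/0 sec."). Suggest computing pow (2, d) once into a temporary and handling the zero case explicitly, for example by skipping the seconds suffix altogether. In the first inner hunk, `d < 1 && d` avoids the division when d is exactly zero, but a very small non-zero d still makes `(int) (0.5 + 1. / d)` convert a value outside the range of int, so a range check before the cast would close that case as well.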
diff -Nru libexif-0.6.21/debian/patches/series 
libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series        2020-02-02 07:54:38.000000000 
+1100
+++ libexif-0.6.21/debian/patches/series        2020-05-19 18:39:29.000000000 
+1000
@@ -1,3 +1,8 @@
+cve-2020-12767.patch
+cve-2020-0093.patch
+cve-2018-20030.patch
+cve-2017-7544.patch
+cve-2016-6328.patch
 pkg_config_header_dir
 extra_colorspace_check
 fix-CVE-2019-9278.patch
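Review bot: The five new patches are inserted at the top of debian/patches/series, ahead of pkg_config_header_dir, extra_colorspace_check and fix-CVE-2019-9278.patch, so those existing patches now apply on top of modified sources rather than the pristine tree. Three of the new patches touch libexif/exif-data.c, so it is worth confirming that the existing patches still apply without fuzz or offsets, or appending the new entries at the end of the series instead so the already-released patch stack is left undisturbed.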

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
