Details: https://nvd.nist.gov/vuln/detail/CVE-2021-37619

Pick the patch from the PR referenced by the NVD advisory.

Note that the regression test is not part of this patch,
as no patchtool could apply it in do_patch task.

The test patch was however manually applied during preparing
this patch, and all tests were executed successfully.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../exiv2/exiv2/CVE-2021-37619.patch          | 37 +++++++++++++++++++
 meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch 
b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
new file mode 100644
index 0000000000..9faf778743
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-37619.patch
@@ -0,0 +1,37 @@
+From 0b74e631713d328a5f2bd1d9d26baf2e12b9da56 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <[email protected]>
+Date: Wed, 30 Jun 2021 18:02:43 +0100
+Subject: [PATCH] fix: fix incorrect loop condition (#1752)
+
+* Regression test for 
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+
+* Fix incorrect loop condition.
+
+CVE: CVE-2021-37619
+Upstream-Status: Backport 
[https://github.com/Exiv2/exiv2/commit/86d0a1d5d9f6dc41013a6690408add974e59167c]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ src/jp2image.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 2da69f1..482ef63 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -658,12 +658,14 @@ static void boxes_check(size_t b,size_t m)
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+ 
+-        while ( count < length || !bWroteColor ) {
++        while ( count < length && !bWroteColor ) {
+             enforce(sizeof(Jp2BoxHeader) <= length - count, 
Exiv2::kerCorruptedMetadata);
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+ 
+             // copy data.  pointer could be into a memory mapped file which 
we will decode!
+-            Jp2BoxHeader   subBox = *pSubBox ;
++            // pSubBox isn't always an aligned pointer, so use memcpy to do 
the copy.
++            Jp2BoxHeader   subBox;
++            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+             Jp2BoxHeader   newBox =  subBox;
+ 
+             if ( count < length ) {
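Review bot: The embedded patch header still carries the upstream bullet "* Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v", but its diffstat lists only src/jp2image.cpp (4 insertions, 2 deletions), so the header describes a change this file does not contain. The commit message above explains that the test was dropped, but that explanation does not travel with CVE-2021-37619.patch once it is in the layer. Consider adding a short remark next to the Upstream-Status line saying the regression test from the upstream commit was omitted, so that anyone comparing the backport against 86d0a1d5d9f6dc41013a6690408add974e59167c can see the difference is intentional. Separately, with the loop condition now `count < length && !bWroteColor`, the `if ( count < length ) {` visible at the end of the context is always true on entry; that matches upstream and is fine to leave as backported.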
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb 
b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 3d41bc93b2..e7eac337dc 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -25,6 +25,7 @@ SRC_URI = 
"https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
            file://CVE-2021-37615-1.patch \
            file://CVE-2021-37615-2.patch \
            file://CVE-2021-37618.patch \
+           file://CVE-2021-37619.patch \
            "
 SRC_URI[sha256sum] = 
"a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
 