References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457
The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22] CVE: CVE-2021-29457 Signed-off-by: Wang Mingyu <wan...@fujitsu.com> --- .../exiv2/exiv2/CVE-2021-29457.patch | 26 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 ++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch new file mode 100644 index 000000000..e5d069487 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch @@ -0,0 +1,26 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera <pyd...@mailbox.org> +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 88ab9b2d6..12025f966 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m) + #endif + box.length = (uint32_t) (io_->size() - io_->tell() + 8); + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index ed1e8de5c..a13db42ed 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994 # Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either inherit dos2unix -SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch" +SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ + file://CVE-2021-29457.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#91384): https://lists.openembedded.org/g/openembedded-devel/message/91384 Mute This Topic: https://lists.openembedded.org/mt/82906937/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
