Hello community, here is the log from the commit of package libexif for openSUSE:Leap:15.2 checked in at 2020-03-02 17:21:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libexif (Old) and /work/SRC/openSUSE:Leap:15.2/.libexif.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libexif" Mon Mar 2 17:21:28 2020 rev:17 rq:779880 version:0.6.21 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libexif/libexif.changes 2020-01-15 15:20:35.862415056 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libexif.new.26092/libexif.changes 2020-03-02 17:21:30.554082090 +0100 @@ -1,0 +2,8 @@ +Fri Jan 31 14:54:39 UTC 2020 - Marcus Meissner <[email protected]> + +- libexif-CVE-2019-9278.patch: fixed an integer overflow on large + file handling (bsc#1160770 CVE-2019-9278) +- libexif-CVE-2018-20030.patch: Fixed a denial of service by endless + recursion (bsc#1120943 CVE-2018-20030) + +------------------------------------------------------------------- New: ---- libexif-CVE-2018-20030.patch libexif-CVE-2019-9278.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libexif.spec ++++++ --- /var/tmp/diff_new_pack.ZLZ4id/_old 2020-03-02 17:21:31.198083331 +0100 +++ /var/tmp/diff_new_pack.ZLZ4id/_new 2020-03-02 17:21:31.202083339 +0100 @@ -29,6 +29,8 @@ Patch0: libexif-build-date.patch Patch1: CVE-2016-6328.patch Patch2: CVE-2017-7544.patch +Patch3: libexif-CVE-2018-20030.patch +Patch4: libexif-CVE-2019-9278.patch BuildRequires: doxygen BuildRequires: pkg-config @@ -65,6 +67,8 @@ %patch0 -p1 %patch1 -p1 %patch2 -p0 +%patch3 -p1 +%patch4 -p1 %build export CFLAGS="%optflags $(getconf LFS_CFLAGS)" ++++++ libexif-CVE-2018-20030.patch ++++++ commit 6aa11df549114ebda520dde4cdaea2f9357b2c89 Author: Dan Fandrich <[email protected]> Date: Fri Oct 12 16:01:45 2018 +0200 Improve deep recursion detection in exif_data_load_data_content. The existing detection was still vulnerable to pathological cases causing DoS by wasting CPU. The new algorithm takes the number of tags into account to make it harder to abuse by cases using shallow recursion but with a very large number of tags. This improves on commit 5d28011c which wasn't sufficient to counter this kind of case. The limitation in the previous fix was discovered by Laurent Delosieres, Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned the identifier CVE-2018-20030. Index: libexif-0.6.21/libexif/exif-data.c =================================================================== --- libexif-0.6.21.orig/libexif/exif-data.c +++ libexif-0.6.21/libexif/exif-data.c @@ -35,6 +35,7 @@ #include <libexif/olympus/exif-mnote-data-olympus.h> #include <libexif/pentax/exif-mnote-data-pentax.h> +#include <math.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ break; \ } +/*! Calculate the recursion cost added by one level of IFD loading. + * + * The work performed is related to the cost in the exponential relation + * work=1.1**cost + */ +static unsigned int +level_cost(unsigned int n) +{ + static const double log_1_1 = 0.09531017980432493; + + /* Adding 0.1 protects against the case where n==1 */ + return ceil(log(n + 0.1)/log_1_1); +} + /*! Load data for an IFD. * * \param[in,out] data #ExifData @@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \ * \param[in] d pointer to buffer containing raw IFD data * \param[in] ds size of raw data in buffer at \c d * \param[in] offset offset into buffer at \c d at which IFD starts - * \param[in] recursion_depth number of times this function has been - * recursively called without returning + * \param[in] recursion_cost factor indicating how expensive this recursive + * call could be */ static void exif_data_load_data_content (ExifData *data, ExifIfd ifd, const unsigned char *d, - unsigned int ds, unsigned int offset, unsigned int recursion_depth) + unsigned int ds, unsigned int offset, unsigned int recursion_cost) { ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; ExifShort n; @@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *d if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) return; - if (recursion_depth > 30) { + if (recursion_cost > 170) { + /* + * recursion_cost is a logarithmic-scale indicator of how expensive this + * recursive call might end up being. It is an indicator of the depth of + * recursion as well as the potential for worst-case future recursive + * calls. Since it's difficult to tell ahead of time how often recursion + * will occur, this assumes the worst by assuming every tag could end up + * causing recursion. + * The value of 170 was chosen to limit typical EXIF structures to a + * recursive depth of about 6, but pathological ones (those with very + * many tags) to only 2. + */ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", - "Deep recursion detected!"); + "Deep/expensive recursion detected!"); return; } @@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *d switch (tag) { case EXIF_TAG_EXIF_IFD_POINTER: CHECK_REC (EXIF_IFD_EXIF); - exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); + exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, + recursion_cost + level_cost(n)); break; case EXIF_TAG_GPS_INFO_IFD_POINTER: CHECK_REC (EXIF_IFD_GPS); - exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); + exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, + recursion_cost + level_cost(n)); break; case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: CHECK_REC (EXIF_IFD_INTEROPERABILITY); - exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); + exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, + recursion_cost + level_cost(n)); break; case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: thumbnail_offset = o; ++++++ libexif-CVE-2019-9278.patch ++++++ commit 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Author: Marcus Meissner <[email protected]> Date: Sat Jan 18 09:29:42 2020 +0100 fix CVE-2019-9278 avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away) check for the actual sizes, which should also handle the overflows document other places google patched, but do not seem relevant due to other restrictions fixes https://github.com/libexif/libexif/issues/26 diff --git a/libexif/exif-data.c b/libexif/exif-data.c index a6f9c94..6332cd1 100644 --- a/libexif/exif-data.c +++ b/libexif/exif-data.c @@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry, doff = offset + 8; /* Sanity checks */ - if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) { + if (doff >= size) { exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", - "Tag data past end of buffer (%u > %u)", doff+s, size); + "Tag starts past end of buffer (%u > %u)", doff, size); + return 0; + } + + if (s > size - doff) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "Tag data goes past end of buffer (%u > %u)", doff+s, size); return 0; } @@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, unsigned int ds, ExifLong o, ExifLong s) { /* Sanity checks */ - if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) { - exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", - "Bogus thumbnail offset (%u) or size (%u).", - o, s); + if (o >= ds) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); + return; + } + if (s > ds - o) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o); return; } - if (data->data) exif_mem_free (data->priv->mem, data->data); if (!(data->data = exif_data_alloc (data, s))) { @@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "IFD 0 at %i.", (int) offset); - /* Sanity check the offset, being careful about overflow */ + /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */ if (offset > ds || offset + 6 + 2 > ds) return; @@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, /* IFD 1 offset */ n = exif_get_short (d + 6 + offset, data->priv->order); + /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */ if (offset + 6 + 2 + 12 * n + 4 > ds) return; @@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig, exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "IFD 1 at %i.", (int) offset); - /* Sanity check. */ - if (offset > ds || offset + 6 > ds) { + /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */ + if (offset > ds - 6) { exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", "Bogus offset of IFD1."); } else {
