Hello community, here is the log from the commit of package exiv2 for openSUSE:Leap:15.2 checked in at 2020-04-14 14:20:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/exiv2 (Old) and /work/SRC/openSUSE:Leap:15.2/.exiv2.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "exiv2" Tue Apr 14 14:20:11 2020 rev:23 rq:791638 version:0.26 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/exiv2/exiv2.changes 2020-01-15 14:54:22.745554144 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.exiv2.new.3248/exiv2.changes 2020-04-14 14:20:16.801243092 +0200
@@ -1,0 +2,31 @@
+Tue Mar 24 16:51:29 UTC 2020 - Dirk Mueller <[email protected]>
+
+- add 0001-Avoid-null-pointer-exception-due-to-NULL-return-valu.patch (bsc#1142684, CVE-2019-13114):
+ * fixes null-pointer dereference in http.c causing denial of service
+- add 0001-IptcData-printStructure-Remove-buffer-overrun.patch (bsc#1088424, CVE-2018-9305):
+ * fixes an out-of-bounds read in IptcData::printStructure in iptc.c
+- add 0001-Fix-SEGV-in-DataValue-Copy.patch (bsc#1109299, CVE-2018-17282):
+ * fixes null pointer dereference in Exiv2:DataValue:copy in value.cpp
+- add 0001-PSD-Use-Safe-add-for-preventing-overflows-in-PSD-fil.patch,
+ 0002-PSD-enforce-Length-of-image-resource-section-file-si.patch (CVE-2018-19108, bsc#1115364):
+ * fixes denial of service in Exiv2::PsdImage::readMetadata
+- add 0001-Fix-561.-Use-proper-counter-for-the-idx-variable.patch (CVE-2018-19607, bsc#1117513):
+ * fixes a denial of service (NULL pointer dereference and application crash)
+
+-------------------------------------------------------------------
+Tue Oct 16 16:08:55 UTC 2018 - Dirk Mueller <[email protected]>
+
+- update to latest 0.26 branch:
+ * Fixes CVE-2018-12264, CVE-2018-12265 (bsc#1097599)
+ * Fixes CVE-2017-9239 (bsc#1040973): null pointer dereference in doWriteImage
+ * Fixes CVE-2018-17229 (bsc#1109175): (Heap buffer overflow in Exiv2::d2Data)
+ * Fixes CVE-2018-17230 (bsc#1109176): (heap-based buffer overflow in Exiv2::ul2Data)
+ * Fixes CVE-2017-1000126 (Stack out of bounds read in webp parser) (bsc#1068873)
+
+-------------------------------------------------------------------
+Fri Jun 29 12:20:33 UTC 2018 - [email protected]
+
+- Fix build on python3 only system by making sure we use
+ python3 when building
+
+-------------------------------------------------------------------
@@ -21 +51,0 @@ - New: ---- 0001-Avoid-null-pointer-exception-due-to-NULL-return-valu.patch 0001-Fix-561.-Use-proper-counter-for-the-idx-variable.patch 0001-Fix-SEGV-in-DataValue-Copy.patch 0001-IptcData-printStructure-Remove-buffer-overrun.patch 0001-PSD-Use-Safe-add-for-preventing-overflows-in-PSD-fil.patch 0002-PSD-enforce-Length-of-image-resource-section-file-si.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ exiv2.spec ++++++ --- /var/tmp/diff_new_pack.GRD0qx/_old 2020-04-14 14:20:17.537243642 +0200 +++ /var/tmp/diff_new_pack.GRD0qx/_new 2020-04-14 14:20:17.541243645 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -22,28 +22,33 @@ Summary: Tool to access image Exif metadata License: GPL-2.0-or-later Group: Productivity/Graphics/Other -Url: http://www.exiv2.org/ +URL: http://www.exiv2.org/ Source0: https://github.com/Exiv2/exiv2/archive/v0.26.tar.gz Source1: baselibs.conf Patch1: exiv2-build-date.patch Patch2: parallel-build-dep.patch # git diff --no-merges v0.26..upstream/0.26 Patch3: exiv2-update-to-0.26-branch.patch +Patch4: 0001-Avoid-null-pointer-exception-due-to-NULL-return-valu.patch +Patch5: 0001-IptcData-printStructure-Remove-buffer-overrun.patch +Patch6: 0001-Fix-SEGV-in-DataValue-Copy.patch +Patch7: 0001-PSD-Use-Safe-add-for-preventing-overflows-in-PSD-fil.patch +Patch8: 0002-PSD-enforce-Length-of-image-resource-section-file-si.patch +Patch9: 0001-Fix-561.-Use-proper-counter-for-the-idx-variable.patch BuildRequires: autoconf BuildRequires: cmake BuildRequires: doxygen BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gettext-devel +# doxygen likes to have this +BuildRequires: graphviz BuildRequires: libexpat-devel BuildRequires: libxslt -BuildRequires: pkg-config -BuildRequires: python +BuildRequires: pkgconfig +BuildRequires: python3-base BuildRequires: zlib-devel -# doxygen likes to have this -BuildRequires: graphviz Recommends: %{name}-lang = %{version} -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Exiv2 is a command line utility to access image metadata from tags like 
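Review bot: The six new `Patch4` to `Patch9` lines carry no comment saying which advisory each one closes, so that mapping exists only in exiv2.changes. A comment above each entry, for example `# PATCH-FIX-UPSTREAM bsc#1142684 CVE-2019-13114` before `Patch4`, would let a later version bump tell which patches can be dropped once the packaged release already contains the fix. The `Patch3` line shows the same habit with its `# git diff --no-merges v0.26..upstream/0.26` comment.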
@@ -77,52 +82,57 @@ documentation in HTML format. %lang_package + %prep -%setup -q -n %{name}-%{version} +%setup -q %patch1 -p1 %patch2 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 + +# use python3 not env python +sed -i -e 's:#! %{_bindir}/env python:#!%{_bindir}/python3:' doc/templates/gen.py %build -export CXXFLAGS="%optflags $(getconf LFS_CFLAGS)" +export CXXFLAGS="%{optflags} $(getconf LFS_CFLAGS)" %cmake \ -DEXIV2_ENABLE_BUILD_PO:BOOL=ON \ -DEXIV2_ENABLE_BUILD_SAMPLES:BOOL=OFF make %{?_smp_mflags} -make doc +make %{?_smp_mflags} doc %install %cmake_install %find_lang exiv2 %fdupes -s doc/html -rm -f %{buildroot}%{_libdir}/*.la +find %{buildroot} -type f -name "*.la" -delete -print rm -f %{buildroot}%{_libdir}/*.a rm %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm %post -n libexiv2-26 -p /sbin/ldconfig - %postun -n libexiv2-26 -p /sbin/ldconfig %files lang -f exiv2.lang %files -%defattr(-,root,root) %doc doc/ChangeLog doc/cmd.txt %{_bindir}/exiv2 %{_mandir}/man1/* %files -n libexiv2-26 -%defattr(-,root,root) %{_libdir}/libexiv2.so.* %files -n libexiv2-devel -%defattr(-,root,root) %{_includedir}/exiv2 %{_libdir}/libexiv2.so %{_libdir}/pkgconfig/exiv2.pc %files -n libexiv2-doc -%defattr(-,root,root) %doc doc/html %changelog ++++++ 0001-Avoid-null-pointer-exception-due-to-NULL-return-valu.patch ++++++ >From 4930814f688b194dc36b78fa050d97340c98c042 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse <[email protected]> Date: Tue, 30 Apr 2019 11:15:06 +0100 Subject: [PATCH] Avoid null pointer exception due to NULL return value from strchr. This fixes #793. (cherry picked from commit ae20c30805b330275b2aa0303a42e1f2bbd53661) --- src/http.cpp | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/src/http.cpp b/src/http.cpp index 86b7ebb7..d9096a92 100644 --- a/src/http.cpp +++ b/src/http.cpp 
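Review bot: The `sed -i` on doc/templates/gen.py in %prep exits successfully even when the shebang pattern does not match, so a changed upstream shebang would silently leave `env python` in place on a system that, per the changelog, has python3 only. A check directly after the sed, such as `grep -q '^#!%{_bindir}/python3' doc/templates/gen.py`, turns that into an early failure. This relies on the %prep script aborting on a non-zero exit status, which should be confirmed for this build setup.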
@@ -345,10 +345,14 @@ int Exiv2::http(Exiv2::Dictionary& request,Exiv2::Dictionary& response,std::stri // search for the body for ( size_t b = 0 ; bSearching && b < lengthof(blankLines) ; b++ ) { - if ( strstr(buffer,blankLines[b]) ) { + const char* blankLinePos = strstr(buffer,blankLines[b]); + if ( blankLinePos ) { bSearching = false ; - body = (int) ( strstr(buffer,blankLines[b]) - buffer ) + strlen(blankLines[b]) ; - status = atoi(strchr(buffer,' ')) ; + body = blankLinePos - buffer + strlen(blankLines[b]); + const char* firstSpace = strchr(buffer,' '); + if (firstSpace) { + status = atoi(firstSpace); + } } } @@ -358,9 +362,19 @@ int Exiv2::http(Exiv2::Dictionary& request,Exiv2::Dictionary& response,std::stri char N = '\n'; int i = 0 ; // initial byte in buffer while(buffer[i] == N ) i++; - h = strchr(h+i,N)+1; + h = strchr(h+i,N); + if (!h) { + status = 0; + break; + } + h++; response[""]=std::string(buffer+i).substr(0,h-buffer-2); - result = atoi(strchr(buffer,' ')); + const char* firstSpace = strchr(buffer,' '); + if ( !firstSpace ) { + status = 0; + break; + } + result = atoi(firstSpace); char* c = strchr(h,C); char* n = strchr(h,N); while ( c && n && c < n && h < buffer+body ) { -- 2.25.1 ++++++ 0001-Fix-561.-Use-proper-counter-for-the-idx-variable.patch ++++++ >From 39343557d154b12479fc69febe2ed6aee3f60173 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <[email protected]> Date: Mon, 26 Nov 2018 14:24:14 +0100 Subject: [PATCH] Fix #561. Use proper counter for the idx variable (cherry picked from commit 6e42c1b55e0fc4f360cc56010b0ffe19aa6062d9) --- src/easyaccess.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/easyaccess.cpp b/src/easyaccess.cpp index cb9ddacf..97570fbc 100644 --- a/src/easyaccess.cpp +++ b/src/easyaccess.cpp 
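Review bot: In the first http.cpp hunk a status line without a space now leaves `status` at whatever value it held before, while the second hunk treats the same malformed input as a failure with `status = 0; break;`. `bSearching` has already been cleared at that point, so the search loop stops even though no status was parsed. Handling it the same way in both places, e.g. `status = firstSpace ? atoi(firstSpace) : 0;`, keeps the two paths consistent; whether 0 is the right failure value depends on the loop around these hunks, which starts and ends outside the view. Both hunks also keep `atoi` on server-supplied text, which cannot report a parse error or an out-of-range value; `strtol` with an end pointer and a range check can.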
@@ -161,7 +161,7 @@ namespace Exiv2 { std::ostringstream os; md_st->write(os, &ed); bool ok = false; - long st_val = parseLong(os.str(), ok); + const long st_val = parseLong(os.str(), ok); // SensivityType out of range or cannot be parsed properly if (!ok || st_val < 1 || st_val > 7) break; @@ -182,7 +182,7 @@ namespace Exiv2 { md = md_st; break; } - while (strcmp(sensKeys->keys[idx++], md_st->key().c_str()) != 0 && idx < cnt) {} + while (strcmp(sensKeys->keys[idx++], md_st->key().c_str()) != 0 && idx < sensKeys->count) {} } break; } -- 2.25.1 ++++++ 0001-Fix-SEGV-in-DataValue-Copy.patch ++++++ >From 43c3eb52b99b7cc48c59a5caa56368fb1b1b1885 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <[email protected]> Date: Sat, 13 Oct 2018 10:04:30 +0200 Subject: [PATCH] Fix #457 (cherry picked from commit 670fb73dd5ee8acab90971c4878de29f9fc43a02) --- src/tiffimage.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/tiffimage.cpp b/src/tiffimage.cpp index 415c018f..fd5a4769 100644 --- a/src/tiffimage.cpp +++ b/src/tiffimage.cpp @@ -199,12 +199,16 @@ namespace Exiv2 { // read profile from the metadata Exiv2::ExifKey key("Exif.Image.InterColorProfile"); Exiv2::ExifData::iterator pos = exifData_.findKey(key); - if ( pos != exifData_.end() ) { - iccProfile_.alloc(pos->count()*pos->typeSize()); + if ( pos != exifData_.end() ) { + long size = pos->count() * pos->typeSize(); + if (size == 0) { + throw Error(kerFailedToReadImageData); + } + iccProfile_.alloc(size); pos->copy(iccProfile_.pData_,bo); } - } // TiffImage::readMetadata + } void TiffImage::writeMetadata() { -- 2.25.1 ++++++ 0001-IptcData-printStructure-Remove-buffer-overrun.patch ++++++ >From f9b4f4669e2d181a22235bbd3f108b55542abbb1 Mon Sep 17 00:00:00 2001 
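Review bot: In the `while` of the second easyaccess.cpp hunk the bound `idx < sensKeys->count` is still evaluated after `sensKeys->keys[idx++]` has been read, so the access is in range only if `idx` is already below `sensKeys->count` on entry. `idx` is initialised outside the hunk, so that cannot be confirmed from here. Putting the range check first removes the dependency without changing which element is matched: `while (idx < sensKeys->count && strcmp(sensKeys->keys[idx++], md_st->key().c_str()) != 0) {}`.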
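Review bot: The new guard in the tiffimage.cpp hunk rejects only `size == 0`, so a negative product from `pos->count() * pos->typeSize()` would still be passed to `iccProfile_.alloc(size)` and then to `pos->copy(...)`. Both factors describe an Exif entry read from the image, and their types are not visible in the hunk, so whether the multiplication can overflow `long` has to be checked against the declarations. Changing the test to `if (size <= 0) {` covers the negative case with no other change. The function body starts outside the hunk.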
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Fri, 6 Jul 2018 11:39:45 +0200 Subject: [PATCH] [IptcData::printStructure] Remove buffer overrun The loop condition will perform a range check correctly, but it will always dereference bytes[i], even if i is too large and fails the second check. => move the bytes[i] == 0x1c check into a if, after the range check was successfull (cherry picked from commit b2c3b61abcdb8e1a904e7c3f8b9f683c1b0b5668) --- src/iptc.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/iptc.cpp b/src/iptc.cpp index 99f5ee5b..fc3df043 100644 --- a/src/iptc.cpp +++ b/src/iptc.cpp @@ -359,7 +359,10 @@ namespace Exiv2 { while ( i < size-3 && bytes[i] != 0x1c ) i++; depth++; out << Internal::indent(depth) << "Record | DataSet | Name | Length | Data" << std::endl; - while ( bytes[i] == 0x1c && i < size-3 ) { + while ( i < size-3 ) { + if (bytes[i] != 0x1c) { + break; + } char buff[100]; uint16_t record = bytes[i+1]; uint16_t dataset = bytes[i+2]; -- 2.25.1 ++++++ 0001-PSD-Use-Safe-add-for-preventing-overflows-in-PSD-fil.patch ++++++ >From 4e962f9b8ef1e90f1acc309db50207096c9a2a67 Mon Sep 17 00:00:00 2001 From: Luis Diaz Mas <[email protected]> Date: Sun, 4 Nov 2018 22:33:03 +0100 Subject: [PATCH 1/2] PSD: Use Safe::add for preventing overflows in PSD files (cherry picked from commit 68966932510213b5656fcf433ab6d7e26f48e23b) --- src/psdimage.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/psdimage.cpp b/src/psdimage.cpp index 5f721c70..7c5beeff 100644 --- a/src/psdimage.cpp +++ b/src/psdimage.cpp @@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$") #include "basicio.hpp" #include "error.hpp" #include "futils.hpp" +#include "safe_op.hpp" // + standard includes #include <string> 
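Review bot: The rewritten loop in the iptc.cpp hunk keeps the bound `i < size-3`, which wraps to a very large value when `size` is unsigned and less than 3, so the range check would pass and `bytes[i]` would be read past the buffer. The declaration of `size` is outside the hunk, so this needs confirming; if it is unsigned, writing the bound as `while ( i + 3 < size ) {` avoids the subtraction. The unchanged scan loop one line above, `while ( i < size-3 && bytes[i] != 0x1c ) i++;`, uses the same bound and would need the same change.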
@@ -233,7 +234,8 @@ namespace Exiv2 { readResourceBlock(resourceId, resourceSize); resourceSize = (resourceSize + 1) & ~1; // pad to even io_->seek(curOffset + resourceSize, BasicIo::beg); - resourcesLength -= (12 + resourceNameLength + resourceSize); + resourcesLength -= Safe::add(Safe::add(static_cast<uint32_t>(12), resourceNameLength), + resourceSize); } } // PsdImage::readMetadata -- 2.25.1 ++++++ 0002-PSD-enforce-Length-of-image-resource-section-file-si.patch ++++++ >From 4eb0b282dfb2ef14213903bdd7c026a8f732233f Mon Sep 17 00:00:00 2001 From: Luis Diaz Mas <[email protected]> Date: Mon, 5 Nov 2018 13:30:18 +0100 Subject: [PATCH 2/2] PSD: enforce Length of image resource section < file size (cherry picked from commit b7c71f3ad0386cd7af3b73443c0615ada073f0d5) --- src/psdimage.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/psdimage.cpp b/src/psdimage.cpp index 7c5beeff..f7c6ef46 100644 --- a/src/psdimage.cpp +++ b/src/psdimage.cpp @@ -38,7 +38,9 @@ EXIV2_RCSID("@(#) $Id$") #include "basicio.hpp" #include "error.hpp" #include "futils.hpp" + #include "safe_op.hpp" +#include "enforce.hpp" // + standard includes #include <string> @@ -202,6 +204,8 @@ namespace Exiv2 { throw Error(3, "Photoshop"); } uint32_t resourcesLength = getULong(buf, bigEndian); + enforce(resourcesLength < io_->size(), Exiv2::kerCorruptedMetadata); + while (resourcesLength > 0) { if (io_->read(buf, 8) != 8) -- 2.25.1 ++++++ exiv2-update-to-0.26-branch.patch ++++++ ++++ 1505 lines (skipped) ++++ between /work/SRC/openSUSE:Leap:15.2/exiv2/exiv2-update-to-0.26-branch.patch ++++ and /work/SRC/openSUSE:Leap:15.2/.exiv2.new.3248/exiv2-update-to-0.26-branch.patch
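Review bot: `Safe::add` protects the sum in the `@@ -233,7 +234,8 @@` hunk, but the subtraction `resourcesLength -= ...` can still wrap, because `resourcesLength` is a `uint32_t` (declaration visible in patch 0002) and nothing checks that the block just consumed fits in what is left. After a wrap, `while (resourcesLength > 0)` keeps parsing past the declared resource section. With `enforce.hpp` from patch 0002 available, the statement could become `const uint32_t used = Safe::add(Safe::add(static_cast<uint32_t>(12), resourceNameLength), resourceSize);`, then `enforce(used <= resourcesLength, Exiv2::kerCorruptedMetadata);`, then `resourcesLength -= used;`. The unchanged lines above it, `resourceSize = (resourceSize + 1) & ~1;` and `io_->seek(curOffset + resourceSize, BasicIo::beg);`, do arithmetic on the same value without an overflow check.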
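Review bot: The `enforce` added in the `@@ -202,6 +204,8 @@` hunk of patch 0002 compares `resourcesLength` with the whole file size, although the code just above it has already read from the stream, so fewer bytes than `io_->size()` remain. Bounding the length by the bytes that are left, i.e. `io_->size()` minus the current position from `io_->tell()`, would reject more inconsistent headers before the loop starts; the types of both calls are not visible here and the subtraction needs a guard against a position beyond the size. It is also worth checking what `io_->size()` returns for a source that cannot report its size, since the new check depends on it.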
