[gentoo-commits] repo/gentoo:master commit in: media-libs/libexif/, media-libs/libexif/files/
commit: 619cb215c093a8c9ddce658eeccdd779335e052b Author: John Helmert III posteo net> AuthorDate: Wed Jul 8 18:54:17 2020 + Commit: Sam James gentoo org> CommitDate: Thu Jul 16 00:16:19 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=619cb215 media-libs/libexif: Security cleanup (drop <0.6.22) Bugs: https://bugs.gentoo.org/708728 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III posteo.net> Closes: https://github.com/gentoo/gentoo/pull/16639 Signed-off-by: Sam James gentoo.org> media-libs/libexif/Manifest| 1 - .../files/libexif-0.6.21-CVE-2017-7544.patch | 30 -- .../files/libexif-0.6.21-CVE-2018-20030.patch | 117 - ...ibexif-0.6.21-fix-C89-compatibility-issue.patch | 30 -- media-libs/libexif/libexif-0.6.21-r3.ebuild| 52 - 5 files changed, 230 deletions(-)
diff --git a/media-libs/libexif/Manifest b/media-libs/libexif/Manifest
index 01957043eef..52a1e78a856 100644
--- a/media-libs/libexif/Manifest
+++ b/media-libs/libexif/Manifest
@@ -1,2 +1 @@
-DIST libexif-0.6.21.tar.bz2 1368435 BLAKE2B 151e3ddcdd45759fd70be91db27511f48a9b7d5de72c8af510e5a231e2f053f8b5d62d1269a1206e419461b07fb723788492604f1f1142edcb5ab7a0876dd307 SHA512 4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35
 DIST libexif-0.6.22.tar.gz 2741296 BLAKE2B df57aa0ff7d20faa47ea34f4d8164c33b113887bc2179405481b2c12c0d0336dc9e5321a260ffda64d974bfa9ac6af55c0cfb4cc9a57a941c17944a3d049befd SHA512 e399804c9d67072861988638349115c585546be20f15c4d26bb6f411ff4ee5bce979c1a41305c1456ecc2f830837349f93cfa4136b7a864e0486cecd3607b469
diff --git a/media-libs/libexif/files/libexif-0.6.21-CVE-2017-7544.patch b/media-libs/libexif/files/libexif-0.6.21-CVE-2017-7544.patch
deleted file mode 100644
index 534817417d8..000
--- a/media-libs/libexif/files/libexif-0.6.21-CVE-2017-7544.patch
+++ /dev/null
@@ -1,30 +0,0 @@ -From c39acd1692023b26290778a02a9232c873f9d71a Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Tue, 25 Jul 2017 23:38:56 +0200 -Subject: [PATCH] On saving makernotes, make sure the makernote container tags - has a type with 1 byte components. - -Fixes (at least): - https://sourceforge.net/p/libexif/bugs/130 - https://sourceforge.net/p/libexif/bugs/129 - libexif/exif-data.c | 6 ++ - 1 file changed, 6 insertions(+) - -diff --git a/libexif/exif-data.c b/libexif/exif-data.c -index 67df4db..91f4c33 100644 a/libexif/exif-data.c -+++ b/libexif/exif-data.c -@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, - exif_mnote_data_set_offset (data->priv->md, *ds - 6); - exif_mnote_data_save (data->priv->md, >data, >size); - e->components = e->size; -+ if (exif_format_get_size (e->format) != 1) { -+ /* e->format is taken from input code, -+ * but we need to make sure it is a 1 byte -+ * entity due to the multiplication below. */ -+ e->format = EXIF_FORMAT_UNDEFINED; -+ } - } - } - diff --git a/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch b/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch deleted file mode 100644 index 08179f84b50..000 --- a/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 -From: Dan Fandrich -Date: Fri, 12 Oct 2018 16:01:45 +0200 -Subject: [PATCH] Improve deep recursion detection in - exif_data_load_data_content. - -The existing detection was still vulnerable to pathological cases -causing DoS by wasting CPU. The new algorithm takes the number of tags -into account to make it harder to abuse by cases using shallow recursion -but with a very large number of tags. This improves on commit 5d28011c -which wasn't sufficient to counter this kind of case. - -The limitation in the previous fix was discovered by Laurent Delosieres, -Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned -the identifier CVE-2018-20030. - -Adjusted for missing https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a - - libexif/exif-data.c | 45 + - 2 files changed, 38 insertions(+), 8 deletions(-) - -diff --git a/libexif/exif-data.c b/libexif/exif-data.c -index e35403d..a6f9c94 100644 a/libexif/exif-data.c -+++ b/libexif/exif-data.c -@@ -35,6 +35,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ - break; \ - } -
[gentoo-commits] repo/gentoo:master commit in: media-libs/libexif/, media-libs/libexif/files/
commit: bcce9fb0f933198672777469411dd4774bb39ba3 Author: Thomas Deutschmann gentoo org> AuthorDate: Mon Mar 4 18:18:27 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Mon Mar 4 18:18:46 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcce9fb0 media-libs/libexif: rev bump to fix CVE-2018-20030 While here, fix C89 compatibility issue, too. Bug: https://bugs.gentoo.org/679418 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann gentoo.org> .../files/libexif-0.6.21-CVE-2018-20030.patch | 117 + ...ibexif-0.6.21-fix-C89-compatibility-issue.patch | 30 ++ media-libs/libexif/libexif-0.6.21-r3.ebuild| 52 + 3 files changed, 199 insertions(+)
diff --git a/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch b/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch
new file mode 100644
index 000..08179f84b50
--- /dev/null
+++ b/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch
@@ -0,0 +1,117 @@ +From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Fri, 12 Oct 2018 16:01:45 +0200 +Subject: [PATCH] Improve deep recursion detection in + exif_data_load_data_content. + +The existing detection was still vulnerable to pathological cases +causing DoS by wasting CPU. The new algorithm takes the number of tags +into account to make it harder to abuse by cases using shallow recursion +but with a very large number of tags. This improves on commit 5d28011c +which wasn't sufficient to counter this kind of case. + +The limitation in the previous fix was discovered by Laurent Delosieres, +Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned +the identifier CVE-2018-20030. + +Adjusted for missing https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a + +--- + libexif/exif-data.c | 45 + + 2 files changed, 38 insertions(+), 8 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index e35403d..a6f9c94 100644 +--- a/libexif/exif-data.c b/libexif/exif-data.c +@@ -35,6 +35,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ + break; \ + } + ++/*! Calculate the recursion cost added by one level of IFD loading. ++ * ++ * The work performed is related to the cost in the exponential relation ++ * work=1.1**cost ++ */ ++static unsigned int ++level_cost(unsigned int n) ++{ ++static const double log_1_1 = 0.09531017980432493; ++ ++ /* Adding 0.1 protects against the case where n==1 */ ++ return ceil(log(n + 0.1)/log_1_1); ++} ++ + /*! Load data for an IFD. 
+ * + * \param[in,out] data #ExifData +@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \ + * \param[in] d pointer to buffer containing raw IFD data + * \param[in] ds size of raw data in buffer at \c d + * \param[in] offset offset into buffer at \c d at which IFD starts +- * \param[in] recursion_depth number of times this function has been +- * recursively called without returning ++ * \param[in] recursion_cost factor indicating how expensive this recursive ++ * call could be + */ + static void + exif_data_load_data_content (ExifData *data, ExifIfd ifd, +const unsigned char *d, +- unsigned int ds, unsigned int offset, unsigned int recursion_depth) ++ unsigned int ds, unsigned int offset, unsigned int recursion_cost) + { + ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; + ExifShort n; +@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + if int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 30) { ++ if (recursion_cost > 170) { ++ /* ++ * recursion_cost is a logarithmic-scale indicator of how expensive this ++ * recursive call might end up being. It is an indicator of the depth of ++ * recursion as well as the potential for worst-case future recursive ++ * calls. Since it's difficult to tell ahead of time how often recursion ++ * will occur, this assumes the worst by assuming every tag could end up ++ * causing recursion. ++ * The value of 170 was chosen to limit typical EXIF structures to a ++ * recursive depth of about 6, but pathological ones (those with very ++ * many tags) to only 2. ++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +-"Deep recursion detected!"); ++"Deep/expensive recursion detected!"); +