From: Lee Chee Yang <chee.yang....@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
---
 .../libexif/libexif/CVE-2020-13114.patch           | 73 ++++++++++++++++++++++
 meta/recipes-support/libexif/libexif_0.6.21.bb     |  4 +-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libexif/libexif/CVE-2020-13114.patch

diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch 
b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000..06b8b46
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <d...@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks.  This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport 
[https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang....@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c 
b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+       ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+       ExifShort c;
+       size_t i, tcount, o, datao;
++      long failsafe_size = 0;
+ 
+       if (!n || !buf || !buf_size) {
+               exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+                       memcpy (n->entries[tcount].data, buf + dataofs, s);
+               }
+ 
++              /* Track the size of decoded tag data. A malicious file could
++               * be crafted to cause extremely large values here without
++               * tripping any buffer range checks.  This is especially bad
++               * with the libexif representation of Canon MakerNotes because
++               * some arrays are turned into individual tags that the
++               * application must loop around. */
++              failsafe_size += 
mnote_canon_entry_count_values(&n->entries[tcount]);
++
++              if (failsafe_size > FAILSAFE_SIZE_MAX) {
++                      /* Abort if the total size of the data in the tags 
extraordinarily large, */
++                      exif_mem_free (ne->mem, n->entries[tcount].data);
++                      exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++                                        "ExifMnoteCanon", "Failsafe tag size 
overflow (%lu > %ld)",
++                                        failsafe_size, FAILSAFE_SIZE_MAX);
++                      break;
++              }
++
+               /* Tag was successfully parsed */
+               ++tcount;
+       }
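Review bot: The new exif_log call prints `failsafe_size` with `%lu`, but the variable is declared `long failsafe_size = 0;` earlier in the hunk, so the specifier should be `%ld` to match the type (`"Failsafe tag size overflow (%ld > %ld)"`); as written it is a format/argument mismatch that `-Wformat` will flag and that is undefined behavior in strict C. The comment above the free is also missing a verb and should read `/* Abort if the total size of the data in the tags is extraordinarily large. */`. After `exif_mem_free (ne->mem, n->entries[tcount].data)` the entry's `data` pointer is left dangling and `tcount` is not incremented before the `break`; whether the freed entry can still be reached depends on how the count is finalised after the loop, which is outside this hunk, so unless that epilogue provably drops the entry consider adding `n->entries[tcount].data = NULL;` and zeroing its size right after the free. If `mnote_canon_entry_count_values` can return values near the 32-bit unsigned limit, the `+=` into a `long` could overflow on an ILP32 target before the comparison runs; a wider or unsigned accumulator, or a per-entry check before the add, would close that. The enclosing exif_mnote_data_canon_load continues past the end of this hunk.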
diff --git a/meta/recipes-support/libexif/libexif_0.6.21.bb 
b/meta/recipes-support/libexif/libexif_0.6.21.bb
index d847bea..3f6fa32 100644
--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
            file://CVE-2017-7544.patch \
            file://CVE-2016-6328.patch \
-           file://CVE-2018-20030.patch"
+           file://CVE-2018-20030.patch \
+           file://CVE-2020-13114.patch \
+"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = 
"16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
-- 
2.7.4
