References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
Improper input validation of the rawData.size property in
Jp2Image::readMetadata() in jp2image.cpp
can lead to a heap-based buffer overflow via a crafted JPG image
containing malicious EXIF data.
Upstream-Status: Accepted
[https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da]
CVE: CVE-2021-3482
Signed-off-by: Wang Mingyu <wan...@fujitsu.com>
---
.../exiv2/exiv2/CVE-2021-3482.patch | 54 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 3 +-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
new file mode 100644
index 000000000..e7c5e1b65
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <ro...@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index eb31cea4a..88ab9b2d6 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -28,6 +28,7 @@
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
++#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
+ if (io_->error()) throw
Error(kerFailedToReadImageData);
+ if (bufRead != rawData.size_) throw
Error(kerInputDataReadFailed);
+
+- if (rawData.size_ > 0)
++ if (rawData.size_ > 8) // "II*\0long"
+ {
+ // Find the position of Exif header in bytes
array.
+ long pos = ( (rawData.pData_[0] ==
rawData.pData_[1])
+@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
++ enforce(box.length <= io_->size()-io_->tell() ,
Exiv2::kerCorruptedMetadata);
+
+ if (bPrint) {
+ out << Internal::stringFormat("%8ld | %8ld | ",
(size_t)(position - sizeof(box)),
+@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
+ throw Error(kerInputDataReadFailed);
+
+ if (bPrint) {
+- out <<
Internal::binaryToString(makeSlice(rawData, 0, 40));
++ out << Internal::binaryToString(
++ makeSlice(rawData, 0,
rawData.size_>40?40:rawData.size_));
+ out.flush();
+ }
+ lf(out, bLF);
+
+- if (bIsExif && bRecursive && rawData.size_ > 0) {
++ if (bIsExif && bRecursive && rawData.size_ > 8) {
// "II*\0long"
+ if ((rawData.pData_[0] == rawData.pData_[1])
&&
+ (rawData.pData_[0] == 'I' ||
rawData.pData_[0] == 'M')) {
+ BasicIo::AutoPtr p = BasicIo::AutoPtr(new
MemIo(rawData.pData_, rawData.size_));
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index fb8d12619..8c4c81799 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -12,7 +12,8 @@ inherit dos2unix
SRC_URI +=
"file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
- file://CVE-2021-29463.patch"
+ file://CVE-2021-29463.patch \
+ file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#91386):
https://lists.openembedded.org/g/openembedded-devel/message/91386
Mute This Topic: https://lists.openembedded.org/mt/82906948/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
