References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464
The heap overflow is triggered when Exiv2 is used to write metadata
into a crafted image file.
An attacker could potentially exploit the vulnerability to gain code
execution, if they can
trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted
[https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
CVE: CVE-2021-29464
Signed-off-by: Wang Mingyu <wan...@fujitsu.com>
---
.../exiv2/exiv2/CVE-2021-29464.patch | 72 +++++++++++++++++++
meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
new file mode 100644
index 000000000..f0c482450
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
@@ -0,0 +1,72 @@
+From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wan...@fujitsu.com>
+Date: Tue, 18 May 2021 10:52:54 +0900
+Subject: [PATCH] modify
+
+Signed-off-by: Wang Mingyu <wan...@fujitsu.com>
+---
+ src/jp2image.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 52723a4..0ac4f50 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate
sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we
written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we
read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we
written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read
from boxBuf?
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Jp2Image::encodeJp2Header subbox: "<<
toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+ #endif
++ enforce(subBox.length <= length - count,
Exiv2::kerCorruptedMetadata);
+ count += subBox.length;
+ newBox.type = subBox.type;
+ } else {
+@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
+ count = length;
+ }
+
+- int32_t newlen = subBox.length;
++ uint32_t newlen = subBox.length;
+ if ( newBox.type == kJp2BoxTypeColorHeader ) {
+ bWroteColor = true ;
+ if ( ! iccProfileDefined() ) {
+ const char* pad =
"\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
+ uint32_t psize = 15;
++ enforce(newlen <= output.size_ - outlen,
Exiv2::kerCorruptedMetadata);
+ ul2Data((byte*)&newBox.length,psize ,bigEndian);
+ ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen
,&newBox ,sizeof(newBox));
+@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
+ } else {
+ const char* pad = "\0x02\x00\x00";
+ uint32_t psize = 3;
++ enforce(newlen <= output.size_ - outlen,
Exiv2::kerCorruptedMetadata);
+
ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
+ ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
+ ::memcpy(output.pData_+outlen
,&newBox ,sizeof(newBox) );
+@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
+ newlen = psize + iccProfile_.size_;
+ }
+ } else {
++ enforce(newlen <= output.size_ - outlen,
Exiv2::kerCorruptedMetadata);
+
::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
+ }
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 8c4c81799..024f4c794 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -13,6 +13,7 @@ SRC_URI +=
"file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
file://CVE-2021-29457.patch \
file://CVE-2021-29458.patch \
file://CVE-2021-29463.patch \
+ file://CVE-2021-29464.patch \
file://CVE-2021-3482.patch"
S = "${WORKDIR}/${BPN}-${PV}-Source"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#91387):
https://lists.openembedded.org/g/openembedded-devel/message/91387
Mute This Topic: https://lists.openembedded.org/mt/82906949/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
