From 4119376d66f2016dd60e5da6b36d90894b6a74f4 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Thu, 26 Oct 2017 22:58:28 +0200 Subject: gnu: exiv2: Add upstream security fixes. Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864. * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch, gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/image.scm (exiv2)[source]: Use them. --- .../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch (limited to 'gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch') diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch new file mode 100644 index 0000000000..69e65aeb6b --- /dev/null +++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch @@ -0,0 +1,66 @@ +Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864 + +Copied from upstream: + +https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607 + +From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Sat, 7 Oct 2017 23:08:36 +0200 +Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 + +The invalid memory dereference in +Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() +is caused further up the call-stack, by +v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() +passing an invalid pData pointer (pData points outside of the Tiff +file). pData can be set out of bounds in the (size > 4) branch where +baseOffset() and offset are added to pData_ without checking whether +the result is still in the file. As offset comes from an untrusted +source, an attacker can craft an arbitrarily large offset into the +file. + +This commit adds a check into the problematic branch, whether the +result of the addition would be out of bounds of the Tiff +file. Furthermore the whole operation is checked for possible +overflows. +--- + src/tiffvisitor.cpp | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp +index 4ab733d4..ef13542e 100644 +--- a/src/tiffvisitor.cpp ++++ b/src/tiffvisitor.cpp +@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$") + #include + #include + #include ++#include + + // ***************************************************************************** + namespace { +@@ -1517,7 +1518,19 @@ namespace Exiv2 { + size = 0; + } + if (size > 4) { ++ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, ++ // as offset can be arbitrarily large ++ if ((static_cast(baseOffset()) > std::numeric_limits::max() - static_cast(offset)) ++ || (static_cast(baseOffset() + offset) > std::numeric_limits::max() - reinterpret_cast(pData_))) ++ { ++ throw Error(59); ++ } ++ if (pData_ + static_cast(baseOffset()) + static_cast(offset) > pLast_) { ++ throw Error(58); ++ } + pData = const_cast(pData_) + baseOffset() + offset; ++ ++ // check for size being invalid + if (size > static_cast(pLast_ - pData)) { + #ifndef SUPPRESS_WARNINGS + EXV_ERROR << "Upper boundary of data for " -- cgit v1.2.3