exiv2: Fix CVE-2021-29463

References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29463 The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b] CVE: CVE-2021-29463 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8e63ac6c86852a12408c2415be073c71420758ff) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: wangmy <wangmy@fujitsu.com> 2021-05-18 16:03:30 +0800
committer: Armin Kuster <akuster808@gmail.com> 2021-05-22 15:34:46 -0700
commit: 0e8fcf0e774e17ea72785d5d95356bc6ee9133ee (patch)
tree: 93eb6fce27498d16fb27959d77cfbd2a6bd626bd
parent: 8355be5c641d18df607c0b1eec9129f15d318220 (diff)
download: meta-openembedded-0e8fcf0e774e17ea72785d5d95356bc6ee9133ee.tar.gz
2 files changed, 122 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
new file mode 100644
index 0000000000..5ab64a7d3e
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
+From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 19 Apr 2021 18:06:00 +0100
+Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
+---
+ src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+diff --git a/src/webpimage.cpp b/src/webpimage.cpp
+index 4ddec544c..fee110bca 100644
+--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
+@@ -145,7 +145,7 @@ namespace Exiv2 {
+         DataBuf chunkId(WEBP_TAG_SIZE+1);
+         chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
+ 
+-        io_->read(data, WEBP_TAG_SIZE * 3);
+        readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
+         uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
+ 
+         /* Set up header */
+@@ -185,13 +185,20 @@ namespace Exiv2 {
+          case we have any exif or xmp data, also check
+          for any chunks with alpha frame/layer set */
+         while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+-            io_->read(chunkId.pData_, WEBP_TAG_SIZE);
+-            io_->read(size_buff, WEBP_TAG_SIZE);
+-            long size = Exiv2::getULong(size_buff, littleEndian);
+            readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
+            readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
+            const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+
+            // Check that `size_u32` is safe to cast to `long`.
+            enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
+                    Exiv2::kerCorruptedMetadata);
+            const long size = static_cast<long>(size_u32);
+             DataBuf payload(size);
+-            io_->read(payload.pData_, payload.size_);
+-            byte c;
+-            if ( payload.size_ % 2 ) io_->read(&c,1);
+            readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
+            if ( payload.size_ % 2 ) {
+              byte c;
+              readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
+            }
+ 
+             /* Chunk with information about features
+              used in the file. */
+@@ -199,6 +206,7 @@ namespace Exiv2 {
+                 has_vp8x = true;
+             }
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
+                enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+                 has_size = true;
+                 byte size_buf[WEBP_TAG_SIZE];
+ 
+@@ -227,6 +235,7 @@ namespace Exiv2 {
+             }
+ #endif
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
+                enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+                 has_size = true;
+                 byte size_buf[2];
+ 
+@@ -244,11 +253,13 @@ namespace Exiv2 {
+ 
+             /* Chunk with with lossless image data. */
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
+                enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+                 if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
+                     has_alpha = true;
+                 }
+             }
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
+                enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+                 has_size = true;
+                 byte size_buf_w[2];
+                 byte size_buf_h[3];
+@@ -276,11 +287,13 @@ namespace Exiv2 {
+ 
+             /* Chunk with animation frame. */
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
+                enforce(size >= 6, Exiv2::kerCorruptedMetadata);
+                 if ((payload.pData_[5] & 0x2) == 0x2) {
+                     has_alpha = true;
+                 }
+             }
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
+                enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+                 has_size = true;
+                 byte size_buf[WEBP_TAG_SIZE];
+ 
+@@ -309,16 +322,22 @@ namespace Exiv2 {
+ 
+         io_->seek(12, BasicIo::beg);
+         while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
+-            io_->read(chunkId.pData_, 4);
+-            io_->read(size_buff, 4);
+            readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
+            readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
+
+            const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
+ 
+-            long size = Exiv2::getULong(size_buff, littleEndian);
+            // Check that `size_u32` is safe to cast to `long`.
+            enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
+                    Exiv2::kerCorruptedMetadata);
+            const long size = static_cast<long>(size_u32);
+ 
+             DataBuf payload(size);
+-            io_->read(payload.pData_, size);
+            readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
+             if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
+ 
+             if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
+                enforce(size >= 1, Exiv2::kerCorruptedMetadata);
+                 if (has_icc){
+                     payload.pData_[0] |= WEBP_VP8X_ICC_BIT;
+                 } else {
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 1dc909eeb0..fb8d126198 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
 inherit dos2unix
 SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
            file://CVE-2021-29457.patch \
-            file://CVE-2021-29458.patch"
+            file://CVE-2021-29458.patch \
+            file://CVE-2021-29463.patch"
 S = "${WORKDIR}/${BPN}-${PV}-Source"
author	wangmy <wangmy@fujitsu.com>	2021-05-18 16:03:30 +0800
committer	Armin Kuster <akuster808@gmail.com>	2021-05-22 15:34:46 -0700
commit	0e8fcf0e774e17ea72785d5d95356bc6ee9133ee (patch)
tree	93eb6fce27498d16fb27959d77cfbd2a6bd626bd
parent	8355be5c641d18df607c0b1eec9129f15d318220 (diff)
download	meta-openembedded-0e8fcf0e774e17ea72785d5d95356bc6ee9133ee.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch new file mode 100644 index 0000000000..5ab64a7d3e --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch
@@ -0,0 +1,120 @@
		1	From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001
		2	From: Kevin Backhouse <kevinbackhouse@github.com>
		3	Date: Mon, 19 Apr 2021 18:06:00 +0100
		4	Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata()
		5
		6	---
		7	src/webpimage.cpp \| 41 ++++++++++++++++++++++++++++++-----------
		8	1 file changed, 30 insertions(+), 11 deletions(-)
		9
		10	diff --git a/src/webpimage.cpp b/src/webpimage.cpp
		11	index 4ddec544c..fee110bca 100644
		12	--- a/src/webpimage.cpp
		13	+++ b/src/webpimage.cpp
		14	@@ -145,7 +145,7 @@ namespace Exiv2 {
		15	DataBuf chunkId(WEBP_TAG_SIZE+1);
		16	chunkId.pData_ [WEBP_TAG_SIZE] = '\0';
		17
		18	- io_->read(data, WEBP_TAG_SIZE * 3);
		19	+ readOrThrow(io_, data, WEBP_TAG_SIZE 3, Exiv2::kerCorruptedMetadata);
		20	uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);
		21
		22	/* Set up header */
		23	@@ -185,13 +185,20 @@ namespace Exiv2 {
		24	case we have any exif or xmp data, also check
		25	for any chunks with alpha frame/layer set */
		26	while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
		27	- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
		28	- io_->read(size_buff, WEBP_TAG_SIZE);
		29	- long size = Exiv2::getULong(size_buff, littleEndian);
		30	+ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
		31	+ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
		32	+ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
		33	+
		34	+ // Check that `size_u32` is safe to cast to `long`.
		35	+ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
		36	+ Exiv2::kerCorruptedMetadata);
		37	+ const long size = static_cast<long>(size_u32);
		38	DataBuf payload(size);
		39	- io_->read(payload.pData_, payload.size_);
		40	- byte c;
		41	- if ( payload.size_ % 2 ) io_->read(&c,1);
		42	+ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
		43	+ if ( payload.size_ % 2 ) {
		44	+ byte c;
		45	+ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata);
		46	+ }
		47
		48	/* Chunk with information about features
		49	used in the file. */
		50	@@ -199,6 +206,7 @@ namespace Exiv2 {
		51	has_vp8x = true;
		52	}
		53	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) {
		54	+ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
		55	has_size = true;
		56	byte size_buf[WEBP_TAG_SIZE];
		57
		58	@@ -227,6 +235,7 @@ namespace Exiv2 {
		59	}
		60	#endif
		61	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) {
		62	+ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
		63	has_size = true;
		64	byte size_buf[2];
		65
		66	@@ -244,11 +253,13 @@ namespace Exiv2 {
		67
		68	/* Chunk with with lossless image data. */
		69	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) {
		70	+ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
		71	if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) {
		72	has_alpha = true;
		73	}
		74	}
		75	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) {
		76	+ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
		77	has_size = true;
		78	byte size_buf_w[2];
		79	byte size_buf_h[3];
		80	@@ -276,11 +287,13 @@ namespace Exiv2 {
		81
		82	/* Chunk with animation frame. */
		83	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) {
		84	+ enforce(size >= 6, Exiv2::kerCorruptedMetadata);
		85	if ((payload.pData_[5] & 0x2) == 0x2) {
		86	has_alpha = true;
		87	}
		88	}
		89	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) {
		90	+ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
		91	has_size = true;
		92	byte size_buf[WEBP_TAG_SIZE];
		93
		94	@@ -309,16 +322,22 @@ namespace Exiv2 {
		95
		96	io_->seek(12, BasicIo::beg);
		97	while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
		98	- io_->read(chunkId.pData_, 4);
		99	- io_->read(size_buff, 4);
		100	+ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata);
		101	+ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata);
		102	+
		103	+ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
		104
		105	- long size = Exiv2::getULong(size_buff, littleEndian);
		106	+ // Check that `size_u32` is safe to cast to `long`.
		107	+ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
		108	+ Exiv2::kerCorruptedMetadata);
		109	+ const long size = static_cast<long>(size_u32);
		110
		111	DataBuf payload(size);
		112	- io_->read(payload.pData_, size);
		113	+ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata);
		114	if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad
		115
		116	if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) {
		117	+ enforce(size >= 1, Exiv2::kerCorruptedMetadata);
		118	if (has_icc){
		119	payload.pData_[0] \|= WEBP_VP8X_ICC_BIT;
		120	} else {


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 1dc909eeb0..fb8d126198 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -11,7 +11,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
11	inherit dos2unix	11	inherit dos2unix
12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \	12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
13	file://CVE-2021-29457.patch \	13	file://CVE-2021-29457.patch \
14	file://CVE-2021-29458.patch"	14	file://CVE-2021-29458.patch \
		15	file://CVE-2021-29463.patch"
15		16
16	S = "${WORKDIR}/${BPN}-${PV}-Source"	17	S = "${WORKDIR}/${BPN}-${PV}-Source"
17		18