exiv2: Fix CVE-2021-3482

References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482 Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data. Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da] CVE: CVE-2021-3482 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 9e7c2c9713dc2824af2a33b0a3feb4f29e7f0269) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: wangmy <wangmy@fujitsu.com> 2021-05-18 16:03:31 +0800
committer: Armin Kuster <akuster808@gmail.com> 2021-05-22 15:34:46 -0700
commit: d3f0f8957f7ab59375f25d504fa233d71b1871c6 (patch)
tree: d21d5db5fe63e583b6accc0d1227578b662c9407
parent: 0e8fcf0e774e17ea72785d5d95356bc6ee9133ee (diff)
download: meta-openembedded-d3f0f8957f7ab59375f25d504fa233d71b1871c6.tar.gz
2 files changed, 56 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
new file mode 100644
index 0000000000..e7c5e1b656
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index eb31cea4a..88ab9b2d6 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -28,6 +28,7 @@
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
+                             if (io_->error()) throw Error(kerFailedToReadImageData);
+                             if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
+ 
+-                            if (rawData.size_ > 0)
+                            if (rawData.size_ > 8) // "II*\0long"
+                             {
+                                 // Find the position of Exif header in bytes array.
+                                 long pos = (     (rawData.pData_[0]      == rawData.pData_[1])
+@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
+                 position   = io_->tell();
+                 box.length = getLong((byte*)&box.length, bigEndian);
+                 box.type = getLong((byte*)&box.type, bigEndian);
+                enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+ 
+                 if (bPrint) {
+                     out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
+@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
+                                 throw Error(kerInputDataReadFailed);
+ 
+                             if (bPrint) {
+-                                out << Internal::binaryToString(makeSlice(rawData, 0, 40));
+                                out << Internal::binaryToString(
+                                        makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
+                                 out.flush();
+                             }
+                             lf(out, bLF);
+ 
+-                            if (bIsExif && bRecursive && rawData.size_ > 0) {
+                            if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
+                                 if ((rawData.pData_[0] == rawData.pData_[1]) &&
+                                     (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
+                                     BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index fb8d126198..8c4c81799b 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -12,7 +12,8 @@ inherit dos2unix
 SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
            file://CVE-2021-29457.patch \
            file://CVE-2021-29458.patch \
-            file://CVE-2021-29463.patch"
+            file://CVE-2021-29463.patch \
+            file://CVE-2021-3482.patch"
 S = "${WORKDIR}/${BPN}-${PV}-Source"
author	wangmy <wangmy@fujitsu.com>	2021-05-18 16:03:31 +0800
committer	Armin Kuster <akuster808@gmail.com>	2021-05-22 15:34:46 -0700
commit	d3f0f8957f7ab59375f25d504fa233d71b1871c6 (patch)
tree	d21d5db5fe63e583b6accc0d1227578b662c9407
parent	0e8fcf0e774e17ea72785d5d95356bc6ee9133ee (diff)
download	meta-openembedded-d3f0f8957f7ab59375f25d504fa233d71b1871c6.tar.gz

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch new file mode 100644 index 0000000000..e7c5e1b656 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch
@@ -0,0 +1,54 @@
		1	From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
		2	From: Robin Mills <robin@clanmills.com>
		3	Date: Mon, 5 Apr 2021 20:33:25 +0100
		4	Subject: [PATCH] fix_1522_jp2image_exif_asan
		5
		6	---
		7	src/jp2image.cpp \| 9 ++++++---
		8	1 file changed, 6 insertions(+), 3 deletions(-)
		9
		10	diff --git a/src/jp2image.cpp b/src/jp2image.cpp
		11	index eb31cea4a..88ab9b2d6 100644
		12	--- a/src/jp2image.cpp
		13	+++ b/src/jp2image.cpp
		14	@@ -28,6 +28,7 @@
		15	#include "image.hpp"
		16	#include "image_int.hpp"
		17	#include "basicio.hpp"
		18	+#include "enforce.hpp"
		19	#include "error.hpp"
		20	#include "futils.hpp"
		21	#include "types.hpp"
		22	@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
		23	if (io_->error()) throw Error(kerFailedToReadImageData);
		24	if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
		25
		26	- if (rawData.size_ > 0)
		27	+ if (rawData.size_ > 8) // "II*\0long"
		28	{
		29	// Find the position of Exif header in bytes array.
		30	long pos = ( (rawData.pData_[0] == rawData.pData_[1])
		31	@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
		32	position = io_->tell();
		33	box.length = getLong((byte*)&box.length, bigEndian);
		34	box.type = getLong((byte*)&box.type, bigEndian);
		35	+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
		36
		37	if (bPrint) {
		38	out << Internal::stringFormat("%8ld \| %8ld \| ", (size_t)(position - sizeof(box)),
		39	@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
		40	throw Error(kerInputDataReadFailed);
		41
		42	if (bPrint) {
		43	- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
		44	+ out << Internal::binaryToString(
		45	+ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
		46	out.flush();
		47	}
		48	lf(out, bLF);
		49
		50	- if (bIsExif && bRecursive && rawData.size_ > 0) {
		51	+ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
		52	if ((rawData.pData_[0] == rawData.pData_[1]) &&
		53	(rawData.pData_[0] == 'I' \|\| rawData.pData_[0] == 'M')) {
		54	BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));


diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index fb8d126198..8c4c81799b 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -12,7 +12,8 @@ inherit dos2unix
12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \	12	SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
13	file://CVE-2021-29457.patch \	13	file://CVE-2021-29457.patch \
14	file://CVE-2021-29458.patch \	14	file://CVE-2021-29458.patch \
15	file://CVE-2021-29463.patch"	15	file://CVE-2021-29463.patch \
		16	file://CVE-2021-3482.patch"
16		17
17	S = "${WORKDIR}/${BPN}-${PV}-Source"	18	S = "${WORKDIR}/${BPN}-${PV}-Source"
18		19