From 6a6d8fb8ca8008e5c253be82351be57a6e42095f Mon Sep 17 00:00:00 2001 From: linker Date: Thu, 29 Apr 2021 11:16:06 +0800 Subject: [PATCH] fix CVE-2021-29457 CVE-2021-29458 --- backport-CVE-2021-29457.patch | 29 +++++++++++++++++++++++++++++ backport-CVE-2021-29458.patch | 29 +++++++++++++++++++++++++++++ exiv2.spec | 10 +++++++++- 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-29457.patch create mode 100644 backport-CVE-2021-29458.patch diff --git a/backport-CVE-2021-29457.patch b/backport-CVE-2021-29457.patch new file mode 100644 index 0000000..b99190e --- /dev/null +++ b/backport-CVE-2021-29457.patch @@ -0,0 +1,29 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index b21f7f1..917d115 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -756,9 +756,10 @@ namespace Exiv2 + #endif + box.length = io_->size() - io_->tell() + 8; + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). +-- +2.23.0 + diff --git a/backport-CVE-2021-29458.patch b/backport-CVE-2021-29458.patch new file mode 100644 index 0000000..5c30fd3 --- /dev/null +++ b/backport-CVE-2021-29458.patch @@ -0,0 +1,29 @@ +From c98d372b48adc6de859dc04e2e0c33441cfe136c Mon Sep 17 00:00:00 2001 +From: Pydera +Date: Thu, 8 Apr 2021 17:11:38 +0200 +Subject: [PATCH] Fix out of buffer access in #1530 + +--- + src/crwimage_int.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/crwimage.cpp b/src/crwimage.cpp +index a44a67e2c..9155e0042 100644 +--- a/src/crwimage.cpp ++++ b/src/crwimage.cpp +@@ -1186,11 +1186,13 @@ namespace Exiv2 { + CiffComponent* cc = pHead->findComponent(pCrwMapping->crwTagId_, + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { +- uint32_t size = 28; ++ size_t size = 28; + if (cc && cc->size() > size) size = cc->size(); + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); +- if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); ++ if (cc && cc->size() > 8) { ++ std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); ++ } + if (edX != edEnd && edX->size() == 4) { + edX->copy(buf.pData_, pHead->byteOrder()); + } diff --git a/exiv2.spec b/exiv2.spec index fd5d7af..8fcddd7 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -1,6 +1,6 @@ Name: exiv2 Version: 0.26 -Release: 23 +Release: 24 Summary: Exif, IPTC and XMP metadata and the ICC Profile License: GPLv2+ URL: http://www.exiv2.org/ @@ -59,6 +59,8 @@ Patch6026: backport-CVE-2019-13109.patch Patch6027: exiv2-CVE-2019-13111.patch Patch6028: CVE-2018-9145.patch Patch6029: CVE-2021-3482.patch +Patch6030: backport-CVE-2021-29457.patch +Patch6031: backport-CVE-2021-29458.patch Provides: exiv2-libs Obsoletes: exiv2-libs @@ -122,6 +124,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %{_datadir}/doc/html/ %changelog +* Thu Apr 29 2021 wangkerong - 0.26-24 +- Type:cves +- ID:CVE-2021-29457 CVE-2021-29458 +- SUG:NA +- DESC:fix CVE-2021-29457,CVE-2021-29458 + * Thu Apr 22 2021 zhanzhimin - 0.26-23 - Type:cves - ID:CVE-2021-3482 -- Gitee