From 6f33e1c8aceb1004de72688b579b64fbe79f1909 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 9 Jul 2024 10:19:32 +0800 Subject: [PATCH] Fix CVE-2024-39695 --- backport-CVE-2024-39695.patch | 54 +++++++++++++++++++++++++++++++++++ exiv2.spec | 7 ++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-39695.patch diff --git a/backport-CVE-2024-39695.patch b/backport-CVE-2024-39695.patch new file mode 100644 index 0000000..d35b688 --- /dev/null +++ b/backport-CVE-2024-39695.patch @@ -0,0 +1,54 @@ +From 3a28346db5ae1735a8728fe3491b0aecc1dbf387 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Thu, 4 Jul 2024 00:04:32 +0100 +Subject: [PATCH] Credit to OSS-Fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68210 Use readOrThrow() + to detect premature EOF. + +(cherry picked from commit fc1fe453a246cb8e188bbc226b48b339d5f81580) +--- + src/asfvideo.cpp | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp +index ab1ad4a591..1cec3854c9 100644 +--- a/src/asfvideo.cpp ++++ b/src/asfvideo.cpp +@@ -238,7 +238,7 @@ void AsfVideo::readMetadata() { + + AsfVideo::HeaderReader::HeaderReader(const BasicIo::UniquePtr& io) : IdBuf_(GUID) { + if (io->size() >= io->tell() + GUID + QWORD) { +- IdBuf_ = io->read(GUID); ++ io->readOrThrow(IdBuf_.data(), IdBuf_.size(), Exiv2::ErrorCode::kerCorruptedMetadata); + + size_ = readQWORDTag(io); + if (size_ >= GUID + QWORD) +@@ -296,7 +296,7 @@ void AsfVideo::decodeBlock() { + + void AsfVideo::decodeHeader() { + DataBuf nbHeadersBuf(DWORD + 1); +- io_->read(nbHeadersBuf.data(), DWORD); ++ io_->readOrThrow(nbHeadersBuf.data(), DWORD, Exiv2::ErrorCode::kerCorruptedMetadata); + + uint32_t nb_headers = Exiv2::getULong(nbHeadersBuf.data(), littleEndian); + Internal::enforce(nb_headers < std::numeric_limits::max(), Exiv2::ErrorCode::kerCorruptedMetadata); +@@ -358,7 +358,8 @@ void AsfVideo::DegradableJPEGMedia() { + } + + void AsfVideo::streamProperties() { +- DataBuf streamTypedBuf = io_->read(GUID); ++ DataBuf streamTypedBuf(GUID); ++ io_->readOrThrow(streamTypedBuf.data(), streamTypedBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata); + + enum class streamTypeInfo { Audio = 1, Video = 2 }; + auto stream = static_cast(0); +@@ -476,7 +477,8 @@ void AsfVideo::contentDescription() { + } // AsfVideo::extendedContentDescription + + void AsfVideo::fileProperties() { +- DataBuf FileIddBuf = io_->read(GUID); ++ DataBuf FileIddBuf(GUID); ++ io_->readOrThrow(FileIddBuf.data(), FileIddBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata); + xmpData()["Xmp.video.FileID"] = GUIDTag(FileIddBuf.data()).to_string(); + xmpData()["Xmp.video.FileLength"] = readQWORDTag(io_); + xmpData()["Xmp.video.CreationDate"] = readQWORDTag(io_); diff --git a/exiv2.spec b/exiv2.spec index bbd0bdb..741dfc4 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -1,10 +1,12 @@ Name: exiv2 Version: 0.28.2 -Release: 1 +Release: 2 Summary: Exif, IPTC and XMP metadata and the ICC Profile License: GPLv2+ URL: http://www.exiv2.org/ Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.tar.gz +# https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387 +Patch3000: backport-CVE-2024-39695.patch Provides: exiv2-libs = %{version}-%{release} Obsoletes: exiv2-libs < %{version}-%{release} @@ -74,6 +76,9 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %{_pkgdocdir}/ %changelog +* Tue Jul 09 2024 yaoxin - 0.28.2-2 +- Fix CVE-2024-39695 + * Sat Feb 17 2024 yaoxin - 0.28.2-1 - Upgrade to 0.28.2 for fix CVE-2024-25112 and CVE-2024-24826 -- Gitee