diff --git a/backport-CVE-2024-39695.patch b/backport-CVE-2024-39695.patch
deleted file mode 100644
index d35b688f8eac04b145698ee9960517754919059c..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-39695.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 3a28346db5ae1735a8728fe3491b0aecc1dbf387 Mon Sep 17 00:00:00 2001
-From: Kevin Backhouse
-Date: Thu, 4 Jul 2024 00:04:32 +0100
-Subject: [PATCH] Credit to OSS-Fuzz:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68210 Use readOrThrow()
- to detect premature EOF.
-
-(cherry picked from commit fc1fe453a246cb8e188bbc226b48b339d5f81580)
----
- src/asfvideo.cpp | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp
-index ab1ad4a591..1cec3854c9 100644
---- a/src/asfvideo.cpp
-+++ b/src/asfvideo.cpp
-@@ -238,7 +238,7 @@ void AsfVideo::readMetadata() {
-
- AsfVideo::HeaderReader::HeaderReader(const BasicIo::UniquePtr& io) : IdBuf_(GUID) {
- if (io->size() >= io->tell() + GUID + QWORD) {
-- IdBuf_ = io->read(GUID);
-+ io->readOrThrow(IdBuf_.data(), IdBuf_.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
-
- size_ = readQWORDTag(io);
- if (size_ >= GUID + QWORD)
-@@ -296,7 +296,7 @@ void AsfVideo::decodeBlock() {
-
- void AsfVideo::decodeHeader() {
- DataBuf nbHeadersBuf(DWORD + 1);
-- io_->read(nbHeadersBuf.data(), DWORD);
-+ io_->readOrThrow(nbHeadersBuf.data(), DWORD, Exiv2::ErrorCode::kerCorruptedMetadata);
-
- uint32_t nb_headers = Exiv2::getULong(nbHeadersBuf.data(), littleEndian);
- Internal::enforce(nb_headers < std::numeric_limits::max(), Exiv2::ErrorCode::kerCorruptedMetadata);
-@@ -358,7 +358,8 @@ void AsfVideo::DegradableJPEGMedia() {
- }
-
- void AsfVideo::streamProperties() {
-- DataBuf streamTypedBuf = io_->read(GUID);
-+ DataBuf streamTypedBuf(GUID);
-+ io_->readOrThrow(streamTypedBuf.data(), streamTypedBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
-
- enum class streamTypeInfo { Audio = 1, Video = 2 };
- auto stream = static_cast(0);
-@@ -476,7 +477,8 @@ void AsfVideo::contentDescription() {
- } // AsfVideo::extendedContentDescription
-
- void AsfVideo::fileProperties() {
-- DataBuf FileIddBuf = io_->read(GUID);
-+ DataBuf FileIddBuf(GUID);
-+ io_->readOrThrow(FileIddBuf.data(), FileIddBuf.size(), Exiv2::ErrorCode::kerCorruptedMetadata);
- xmpData()["Xmp.video.FileID"] = GUIDTag(FileIddBuf.data()).to_string();
- xmpData()["Xmp.video.FileLength"] = readQWORDTag(io_);
- xmpData()["Xmp.video.CreationDate"] = readQWORDTag(io_);
diff --git a/exiv2.spec b/exiv2.spec
index 741dfc48e134de7936a5795a515988faab7256f2..dac501fa447ed03118e959382efdd8176302ad59 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,12 +1,11 @@
 Name: exiv2
-Version: 0.28.2
-Release: 2
+Version: 0.28.3
+Release: 1
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
-License: GPLv2+
-URL: http://www.exiv2.org/
-Source0: https://github.com/Exiv2/exiv2/archive/v%{version}/%{name}-%{version}.tar.gz
-# https://github.com/Exiv2/exiv2/commit/3a28346db5ae1735a8728fe3491b0aecc1dbf387
-Patch3000: backport-CVE-2024-39695.patch
+License: GPL-2.0-or-later AND BSD-3-Clause
+URL: https://www.exiv2.org/
+VCS: https://github.com/Exiv2/exiv2/
+Source0: https://github.com/Exiv2/exiv2/archive/refs/tags/v%{version}.tar.gz
 Provides: exiv2-libs = %{version}-%{release}
 Obsoletes: exiv2-libs < %{version}-%{release}
 
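Review bot: Dropping `Patch3000: backport-CVE-2024-39695.patch` in the same hunk as the bump to 0.28.3 leaves no record of where the CVE-2024-39695 fix now comes from; neither the spec header nor the new `%changelog` entry (`- update to 0.28.3`, in the second hunk) mentions it. The removal is presumably safe because the release tarball already carries the `readOrThrow()` changes to `src/asfvideo.cpp` that the deleted patch added, but that should be confirmed against the 0.28.3 sources before merging. Once confirmed, record it with a second changelog line such as `- drop backport-CVE-2024-39695.patch, fix included in 0.28.3`. Without it, anyone auditing the package by CVE id finds the fix only under the 0.28.2-2 entry, alongside a patch file that no longer exists.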
@@ -39,43 +38,34 @@ This package provides head file,libraries for exiv2. -DEXIV2_ENABLE_NLS:BOOL=ON \ -DEXIV2_BUILD_SAMPLES:BOOL=OFF -%make_build -make doc +%cmake_build +%cmake_build --target doc %install -%make_install -%find_lang exiv2 --with-man -chrpath -d %{buildroot}%{_libdir}/libexiv2.so.0.28.2 -chrpath -d %{buildroot}%{_bindir}/%{name} - - -%check -export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}" -test "$(pkg-config --modversion exiv2)" = "%{version}" -test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}" -test -x %{buildroot}%{_libdir}/libexiv2.so +%cmake_install +%find_lang exiv2 %files -f exiv2.lang -%defattr(-,root,root) %doc doc/ChangeLog %license COPYING %{_bindir}/exiv2 -%{_libdir}/libexiv2.so.28* +%{_libdir}/libexiv2.so.28 %{_libdir}/libexiv2.so.%{version} %files devel -%defattr(-,root,root) %{_libdir}/pkgconfig/exiv2.pc %{_libdir}/libexiv2.so %{_includedir}/exiv2/ %{_libdir}/cmake/exiv2/ %files help -%defattr(-,root,root) %{_mandir}/man1/exiv2*.1* %{_pkgdocdir}/ %changelog +* Mon Sep 30 2024 Funda Wang - 0.28.3-1 +- update to 0.28.3 + * Tue Jul 09 2024 yaoxin - 0.28.2-2 - Fix CVE-2024-39695 diff --git a/exiv2.yaml b/exiv2.yaml index a021caa9613ea18845cb70b8f0db89426e5877e6..686ba2282dbb4d3e3d1c034a86ce900013d6891d 100644 --- a/exiv2.yaml +++ b/exiv2.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: Exiv2/exiv2 tag_prefix: ^v -seperator: . +separator: . diff --git a/exiv2-0.28.2.tar.gz b/v0.28.3.tar.gz similarity index 80% rename from exiv2-0.28.2.tar.gz rename to v0.28.3.tar.gz index 5916721df3ed837dcaf64f1aba443b5f7ea27f5f..9e2110b6dba273b5d96637867b28424c4e55d8e8 100644 Binary files a/exiv2-0.28.2.tar.gz and b/v0.28.3.tar.gz differ
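Review bot: The `%install` section loses both `chrpath -d` calls and the whole `%check` section with no replacement, so nothing in the build now strips or tests for an RPATH/RUNPATH in `libexiv2.so.%{version}` and `%{_bindir}/exiv2`. Whether `%cmake` / `%cmake_install` already produce binaries without an RPATH is not visible in this hunk; a leftover build-directory search path in a shipped library is a library-loading risk, so this should be verified on the built package. If it is not guaranteed, keep the stripping but use the version macro instead of the old hard-coded name, `chrpath -d %{buildroot}%{_libdir}/libexiv2.so.%{version}`, or pass `-DCMAKE_SKIP_RPATH:BOOL=ON` next to the other `-D` options. Keeping a minimal `%check` with the old `test "$(pkg-config --modversion exiv2)" = "%{version}"` line would also continue to catch a tarball that does not match the declared version.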