gnu: libexif: Fix CVE-2016-6328.

* gnu/packages/patches/libexif-CVE-2016-6328.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/photo.scm (libexif)[source]: Use it.
This commit is contained in:
Leo Famulari 2018-01-19 17:49:02 -08:00
parent e8409dd275
commit ccb5cac17b
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
3 changed files with 75 additions and 1 deletions

View file

@ -817,6 +817,7 @@ dist_patch_DATA = \
%D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch \ %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch \
%D%/packages/patches/libevent-2.1-dns-tests.patch \ %D%/packages/patches/libevent-2.1-dns-tests.patch \
%D%/packages/patches/libevent-2.1-skip-failing-test.patch \ %D%/packages/patches/libevent-2.1-skip-failing-test.patch \
%D%/packages/patches/libexif-CVE-2016-6328.patch \
%D%/packages/patches/libexif-CVE-2017-7544.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \
%D%/packages/patches/libgit2-0.25.1-mtime-0.patch \ %D%/packages/patches/libgit2-0.25.1-mtime-0.patch \
%D%/packages/patches/libgdata-fix-tests.patch \ %D%/packages/patches/libgdata-fix-tests.patch \

View file

@ -0,0 +1,72 @@
Fix CVE-2016-6328:
https://bugzilla.redhat.com/show_bug.cgi?id=1366239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
Patch copied from upstream source repository:
https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d
From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:44:44 +0200
Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
makernote entries.
This should fix:
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
---
libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index d03d159..ea0429a 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
case EXIF_FORMAT_SHORT:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
vs = exif_get_short (data, entry->order);
snprintf (val+len, maxlen-len, "%i ", vs);
len = strlen(val);
data += 2;
+ sizeleft -= 2;
}
}
break;
case EXIF_FORMAT_LONG:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
vl = exif_get_long (data, entry->order);
snprintf (val+len, maxlen-len, "%li", (long int) vl);
len = strlen(val);
data += 4;
+ sizeleft -= 4;
}
}
break;
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
break;
}
- return (val);
+ return val;
}
--
2.16.0

View file

@ -91,7 +91,8 @@ (define-public libexif
(method url-fetch) (method url-fetch)
(uri (string-append "mirror://sourceforge/libexif/libexif/" (uri (string-append "mirror://sourceforge/libexif/libexif/"
version "/libexif-" version ".tar.bz2")) version "/libexif-" version ".tar.bz2"))
(patches (search-patches "libexif-CVE-2017-7544.patch")) (patches (search-patches "libexif-CVE-2016-6328.patch"
"libexif-CVE-2017-7544.patch"))
(sha256 (sha256
(base32 (base32
"06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n")))) "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"))))