Control: tags 945948 + patch
Control: tags 945948 + pending

Dear maintainer(s),

I've prepared an NMU for libexif (versioned as 0.6.21-5.2) based on
the upstream commit and uploaded it to DELAYED/5. Please feel free to
tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2019-02-10 14:59:33.000000000 +0100
+++ libexif-0.6.21/debian/changelog	2020-01-21 22:48:19.000000000 +0100
@@ -1,3 +1,10 @@
+libexif (0.6.21-5.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix out of bound write in exif-data.c (CVE-2019-9278) (Closes: #945948)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 21 Jan 2020 22:48:19 +0100
+
 libexif (0.6.21-5.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch
--- libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch	1970-01-01 01:00:00.000000000 +0100
+++ libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch	2020-01-21 22:48:19.000000000 +0100
@@ -0,0 +1,91 @@
+From: Marcus Meissner <meiss...@suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: fix CVE-2019-9278
+Origin: https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9278
+Bug-Debian: https://bugs.debian.org/945948
+Bug: https://github.com/libexif/libexif/issues/26
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index a6f9c94f2fc2..6332cd1ae3b0 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ 		doff = offset + 8;
+ 
+ 	/* Sanity checks */
+-	if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++	if (doff >= size) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-				  "Tag data past end of buffer (%u > %u)", doff+s, size);	
++				  "Tag starts past end of buffer (%u > %u)", doff, size);
++		return 0;
++	}
++
++	if (s > size - doff) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++				  "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ 		return 0;
+ 	}
+ 
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ 			       unsigned int ds, ExifLong o, ExifLong s)
+ {
+ 	/* Sanity checks */
+-	if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+-		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-			  "Bogus thumbnail offset (%u) or size (%u).",
+-			  o, s);
++	if (o >= ds) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++		return;
++	}
++	if (s > ds - o) {
++		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ 		return;
+ 	}
+-
+ 	if (data->data) 
+ 		exif_mem_free (data->priv->mem, data->data);
+ 	if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
+ 		  "IFD 0 at %i.", (int) offset);
+ 
+-	/* Sanity check the offset, being careful about overflow */
++	/* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ 	if (offset > ds || offset + 6 + 2 > ds)
+ 		return;
+ 
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 
+ 	/* IFD 1 offset */
+ 	n = exif_get_short (d + 6 + offset, data->priv->order);
++	/* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ 	if (offset + 6 + 2 + 12 * n + 4 > ds)
+ 		return;
+ 
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 			  "IFD 1 at %i.", (int) offset);
+ 
+-		/* Sanity check. */
+-		if (offset > ds || offset + 6 > ds) {
++		/* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++		if (offset > ds - 6) {
+ 			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifData", "Bogus offset of IFD1.");
+ 		} else {
+-- 
+2.25.0
+
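Review bot: The log message at the first `doff` check in the exif-data.c hunk still prints `(%u > %u)` while the guard it documents is now `doff >= size`, so a tag whose data starts exactly at `size` is rejected with a message showing two equal numbers joined by `>`; `"Tag starts at or past end of buffer (%u >= %u)"` would match the check (the thumbnail hunk's `o >= ds` message prints no comparison, so it is unaffected). The new comment before the `12 * n` check says `offset < 2<<16`, which is 2^17; the bound the no-overflow argument needs, and the one the earlier `offset + 6 + 2 > ds` check gives if `ds` is indeed 16-bit, is `offset < 1<<16`, and the comment should state that. The `offset > ds - 6` rewrite only avoids underflow because the same earlier check guarantees `ds >= 8`, which is worth saying in that comment instead of "ensured to be above 6 above". All three enclosing functions start and end outside the hunk, so the 16-bit restriction on `ds` that these comments rely on cannot be confirmed from here.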
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2019-02-10 14:59:33.000000000 +0100
+++ libexif-0.6.21/debian/patches/series	2020-01-21 22:48:19.000000000 +0100
@@ -7,3 +7,4 @@
 fix-size_t-warnings.patch
 Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch
 Improve-deep-recursion-detection-in-exif_data_load_d.patch
+fix-CVE-2019-9278.patch
