Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release managers,

Two further security vulnerabilities were discovered in libexif, affecting
libexif 0.6.21-5.1+deb10u3.

This proposed update adds upstream patches to fix these vulnerabilities.

The package replaces the existing accepted version.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog     2020-05-25 22:01:18.000000000 +1000
+++ libexif-0.6.21/debian/changelog     2020-06-24 23:31:09.000000000 +1000
@@ -1,3 +1,12 @@
+libexif (0.6.21-5.1+deb10u4) buster; urgency=medium
+
+  * Add upstream patches to fix two security issues:
+    - Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182).
+    - Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+      (Closes: #962345).
+
+ -- Hugh McMaster <hugh.mcmas...@outlook.com>  Wed, 24 Jun 2020 23:31:09 +1000
+
 libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
 
   * Add upstream patches to fix multiple security issues:
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0182.patch 
libexif-0.6.21/debian/patches/cve-2020-0182.patch
--- libexif-0.6.21/debian/patches/cve-2020-0182.patch   1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0182.patch   2020-06-24 
23:27:49.000000000 +1000
@@ -0,0 +1,28 @@
+Description: Fix a buffer read overflow in exif_entry_get_value() 
(CVE-2020-0182)
+ While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+ the end of a heap buffer. This was detected by the OSS Fuzz project.
+Origin: commit:f9bb9f263fb00f0603ecbefa8957cad24168cbff
+Author: Dan Fandrich <d...@coneharvesters.com>
+Last-Update: 2020-06-13
+
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1043,12 +1043,12 @@
+               d = 0.;
+               entry = exif_content_get_entry (
+                       e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+-              if (entry && entry->data &&
++              if (entry && entry->data && entry->size >= 7 &&
+                   !strncmp ((char *)entry->data, "Minolta", 7)) {
+                       entry = exif_content_get_entry (
+                                       e->parent->parent->ifd[EXIF_IFD_0],
+                                       EXIF_TAG_MODEL);
+-                      if (entry && entry->data) {
++                      if (entry && entry->data && entry->size >= 8) {
+                               if (!strncmp ((char *)entry->data, "DiMAGE 7", 
8))
+                                       d = 3.9;
+                               else if (!strncmp ((char *)entry->data, "DiMAGE 
5", 8))
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0198.patch 
libexif-0.6.21/debian/patches/cve-2020-0198.patch
--- libexif-0.6.21/debian/patches/cve-2020-0198.patch   1970-01-01 
10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0198.patch   2020-06-24 
23:28:53.000000000 +1000
@@ -0,0 +1,52 @@
+Description: Fix an unsigned integer overflow in libexif/exif-data.c 
(CVE-2020-0198)
+ Use a more generic overflow check method and also check the second overflow 
instance.
+Origin: commit:ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
+Author: Marcus Meissner <mar...@jet.franken.de>
+Bug-Debian: https://bugs.debian.org/962345
+Last-Update: 2020-06-08
+
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || 
(structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 
0x00};
+ 
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@
+               exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
"Bogus thumbnail offset (%u).", o);
+               return;
+       }
+-      if (s > ds - o) {
++      if (CHECKOVERFLOW(o,ds,s)) {
+               exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
"Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+               return;
+       }
+@@ -420,9 +422,9 @@
+       }
+ 
+       /* Read the number of entries */
+-      if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
++      if (CHECKOVERFLOW(offset, ds, 2)) {
+               exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, 
"ExifData",
+-                        "Tag data past end of buffer (%u > %u)", offset+2, 
ds);
++                        "Tag data past end of buffer (%u+2 > %u)", offset, 
ds);
+               return;
+       }
+       n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@
+       offset += 2;
+ 
+       /* Check if we have enough data. */
+-      if (offset + 12 * n > ds) {
++      if (CHECKOVERFLOW(offset, ds, 12*n)) {
+               n = (ds - offset) / 12;
+               exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+                                 "Short data; only loading %hu entries...", n);
diff -Nru libexif-0.6.21/debian/patches/series 
libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series        2020-05-25 22:01:18.000000000 
+1000
+++ libexif-0.6.21/debian/patches/series        2020-06-24 23:28:53.000000000 
+1000
@@ -13,3 +13,5 @@
 cve-2020-13112.patch
 cve-2020-13113.patch
 cve-2020-13114.patch
+cve-2020-0182.patch
+cve-2020-0198.patch
