Re: exiv2 [was: January Report]
Brian May <bam@debian.org> writes:
> Brian May <bam@debian.org> writes:
>
>> Next month I plan to continue to exiv2 (unless somebody else wants to take over
>> at this point). It might also be worth spending time and assisting the security
>> team fix exiv2 (and maybe tiff too) in the other distributions.
>
> Since I looked at this last month, I have noticed that exiv2 has been
> marked as no-DSA in Jessie and Stretch.
>
> I have a fixed version - based on a patch that was approved and merged
> upstream, which I am in the process of testing, however wondered if it
> is still worth uploading?
>
> The patch from upstream master applies to Wheezy without minimal changes
> - in particular I had to remove the tests (there don't appear to be
> any tests in wheezy) and make a small change in the name of the file
> patched.
>
> It seems a bit strange fixing a problem in wheezy, but not Jessie or
> Stretch.
Here is the patch for the wheezy version.
There is also an AMD64 version available for testing:
https://people.debian.org/~bam/debian/pool/main/e/exiv2/
(I can also build an i386 version if required)
diff -Nru exiv2-0.23/debian/changelog exiv2-0.23/debian/changelog
--- exiv2-0.23/debian/changelog 2017-10-26 01:05:29.000000000 +1100
+++ exiv2-0.23/debian/changelog 2018-02-05 17:33:01.000000000 +1100
@@ -1,3 +1,10 @@
+exiv2 (0.23-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp.
+
+ -- Brian May <bam@debian.org> Mon, 05 Feb 2018 17:33:01 +1100
+
exiv2 (0.23-1+deb7u2) wheezy-security; urgency=medium
* Non-maintainer upload by the LTS team.
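Review bot: the new changelog entry names only the CVE and the affected file; for traceability of a security upload it would help to also cite the upstream commit the fix was taken from (4429b962e10e9f2e905e20b183ba008c616cd366, visible in the embedded patch header below), e.g. "* CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp (upstream commit 4429b96)." Version and urgency=high are consistent with the existing deb7u2 security entry.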
diff -Nru exiv2-0.23/debian/patches/CVE-2017-17669.patch exiv2-0.23/debian/patches/CVE-2017-17669.patch
--- exiv2-0.23/debian/patches/CVE-2017-17669.patch 1970-01-01 10:00:00.000000000 +1000
+++ exiv2-0.23/debian/patches/CVE-2017-17669.patch 2018-02-05 17:32:50.000000000 +1100
@@ -0,0 +1,39 @@
+From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Mon, 22 Jan 2018 23:56:08 +0100
+Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by
+ @brianmay
+
+- consider that key is advanced by 8 bytes if stripHeader is true
+ => length is reduced by same amount
+ Fixed by adding offset to the check in the loop
+- Rewrote loop so that keysize is checked before the next
+ iteration (preventing an out of bounds read)
+---
+ src/pngchunk_int.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -111,15 +111,17 @@
+ {
+ // From a tEXt, zTXt, or iTXt chunk,
+ // we get the key, it's a null terminated string at the chunk start
+- if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
+- const byte *key = data.pData_ + (stripHeader ? 8 : 0);
++ const int offset = stripHeader ? 8 : 0;
++ if (data.size_ <= offset) throw Error(14);
++ const byte *key = data.pData_ + offset;
+
+ // Find null string at end of key.
+ int keysize=0;
+- for ( ; key[keysize] != 0 ; keysize++)
++ while (key[keysize] != 0)
+ {
++ keysize++;
+ // look if keysize is valid.
+- if (keysize >= data.size_)
++ if (keysize+offset >= data.size_)
+ throw Error(14);
+ }
+
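Review bot: the embedded upstream header is now internally inconsistent: the `---`/`+++` lines were rewritten to `a/src/pngchunk.cpp` and `b/src/pngchunk.cpp` to match the 0.23 file name, but the stat line ` src/pngchunk_int.cpp | 10 ++++++----` and the Subject line still name `src/pngchunk_int.cpp`; update the stat line (and ideally add a DEP-3 style `Origin:` line with the upstream commit and the 2 dropped test hunks noted) so the header does not contradict the diff it carries. The logic itself checks out: `if (data.size_ <= offset) throw Error(14);` guarantees `key[0]` is inside the buffer, and in the rewritten loop every read of `key[keysize]` after the first is preceded by `if (keysize+offset >= data.size_) throw Error(14);`, which was the missing accounting for the 8-byte header skip in the old `keysize >= data.size_` test. One residual case worth a comment: a zero-length key (`key[0] == 0`) now passes with `keysize == 0`, which is not an out-of-bounds issue but is outside the 1-79 byte keyword length PNG requires; that is pre-existing behaviour, not introduced here.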
diff -Nru exiv2-0.23/debian/patches/series exiv2-0.23/debian/patches/series
--- exiv2-0.23/debian/patches/series 2017-10-26 01:05:29.000000000 +1100
+++ exiv2-0.23/debian/patches/series 2018-02-05 17:32:07.000000000 +1100
@@ -4,3 +4,4 @@
CVE-2017-11683.patch
some-hardening.patch
CVE-2017-14859_14862_14864.patch
+CVE-2017-17669.patch
--
Brian May <bam@debian.org>