
Re: exiv2 [was: January Report]



Hi

As you have the patch ready it may be worth it as I guess it will take
very limited time to build a package and upload.

I do not see this as important though. If the CVE for this package is
ignored for jessie I think we can safely ignore it for wheezy as well.
As you can see from the rest of the list, all kinds of DoS class
vulnerabilities have been ignored in the past.

Best regards

// Ola


On 5 February 2018 at 07:55, Brian May <bam@debian.org> wrote:
> Brian May <bam@debian.org> writes:
>
>> Brian May <bam@debian.org> writes:
>>
>>> Next month I plan to continue to exiv2 (unless somebody else wants to take over
>>> at this point). It might also be worth spending time and assisting the security
>>> team fix exiv2 (and maybe tiff too) in the other distributions.
>>
>> Since I looked at this last month, I have noticed that exiv2 has been
>> marked as no-DSA in Jessie and Stretch.
>>
>> I have a fixed version - based on a patch that was approved and merged
>> upstream, which I am in the process of testing, however wondered if it
>> is still worth uploading?
>>
>> The patch from upstream master applies to Wheezy without minimal changes
>> - in particular I had to remove the tests (there doesn't appear to be
>> any tests in wheezy) and make a small change in the name of the file
>> patched.
>>
>> It seems a bit strange fixing a problem in wheezy, but not Jessie or
>> Stretch.
>
> Here is the patch for the wheezy version.
>
> There is also an AMD64 version available for testing:
> https://people.debian.org/~bam/debian/pool/main/e/exiv2/
>
> (I can also build an i386 version if required)
>
>
> diff -Nru exiv2-0.23/debian/changelog exiv2-0.23/debian/changelog
> --- exiv2-0.23/debian/changelog 2017-10-26 01:05:29.000000000 +1100
> +++ exiv2-0.23/debian/changelog 2018-02-05 17:33:01.000000000 +1100
> @@ -1,3 +1,10 @@
> +exiv2 (0.23-1+deb7u3) wheezy-security; urgency=high
> +
> +  * Non-maintainer upload by the LTS team.
> +  * CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp.
> +
> + -- Brian May <bam@debian.org>  Mon, 05 Feb 2018 17:33:01 +1100
> +
>  exiv2 (0.23-1+deb7u2) wheezy-security; urgency=medium
>
>    * Non-maintainer upload by the LTS team.
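Review bot: the changelog line `+  * CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp.` names the upstream file, but in the 0.23 source the file actually patched is src/pngchunk.cpp (as the patch hunk below and the note about changing the file name show); consider naming the wheezy path so the entry matches what the upload really changes.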
> diff -Nru exiv2-0.23/debian/patches/CVE-2017-17669.patch exiv2-0.23/debian/patches/CVE-2017-17669.patch
> --- exiv2-0.23/debian/patches/CVE-2017-17669.patch      1970-01-01 10:00:00.000000000 +1000
> +++ exiv2-0.23/debian/patches/CVE-2017-17669.patch      2018-02-05 17:32:50.000000000 +1100
> @@ -0,0 +1,39 @@
> +From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
> +Date: Mon, 22 Jan 2018 23:56:08 +0100
> +Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by
> + @brianmay
> +
> +- consider that key is advanced by 8 bytes if stripHeader is true
> +  => length is reduced by same amount
> +  Fixed by adding offset to the check in the loop
> +- Rewrote loop so that keysize is checked before the next
> +  iteration (preventing an out of bounds read)
> +---
> + src/pngchunk_int.cpp | 10 ++++++----
> + 1 file changed, 6 insertions(+), 4 deletions(-)
> +
> +--- a/src/pngchunk.cpp
> ++++ b/src/pngchunk.cpp
> +@@ -111,15 +111,17 @@
> +     {
> +         // From a tEXt, zTXt, or iTXt chunk,
> +         // we get the key, it's a null terminated string at the chunk start
> +-        if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
> +-        const byte *key = data.pData_ + (stripHeader ? 8 : 0);
> ++        const int offset = stripHeader ? 8 : 0;
> ++        if (data.size_ <= offset) throw Error(14);
> ++        const byte *key = data.pData_ + offset;
> +
> +         // Find null string at end of key.
> +         int keysize=0;
> +-        for ( ; key[keysize] != 0 ; keysize++)
> ++        while (key[keysize] != 0)
> +         {
> ++            keysize++;
> +             // look if keysize is valid.
> +-            if (keysize >= data.size_)
> ++            if (keysize+offset >= data.size_)
> +                 throw Error(14);
> +         }
> +
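Review bot: the embedded upstream patch keeps its original header (Subject and diffstat both say src/pngchunk_int.cpp, and the Subject says "[PATCH 1/3]") while the hunk itself targets `--- a/src/pngchunk.cpp`, so the file rename for wheezy and the dropped test changes are not recorded anywhere in the patch. Suggest adding DEP-3 headers at the top (Origin: the upstream commit 4429b962e10e9f2e905e20b183ba008c616cd366, a Bug-Debian/CVE reference, and a Comment line stating that the path was changed from src/pngchunk_int.cpp and the tests were removed), and confirming that parts 2/3 of that upstream series are not needed for this CVE. The logic of the hunk itself looks right: `if (data.size_ <= offset) throw Error(14);` guarantees key[0] is readable, and the rewritten `while` loop increments keysize and checks `keysize+offset >= data.size_` before the next read, which is the fix the description promises.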
> diff -Nru exiv2-0.23/debian/patches/series exiv2-0.23/debian/patches/series
> --- exiv2-0.23/debian/patches/series    2017-10-26 01:05:29.000000000 +1100
> +++ exiv2-0.23/debian/patches/series    2018-02-05 17:32:07.000000000 +1100
> @@ -4,3 +4,4 @@
>  CVE-2017-11683.patch
>  some-hardening.patch
>  CVE-2017-14859_14862_14864.patch
> +CVE-2017-17669.patch
>
> --
> Brian May <bam@debian.org>
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

