Bug#961020: stretch-pu: package libexif/0.6.21-2+deb9u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#961020: stretch-pu: package libexif/0.6.21-2+deb9u2
From: Hugh McMaster <hugh.mcmaster@outlook.com>
Date: Tue, 19 May 2020 22:32:03 +1000
Message-id: <[🔎] 158989152301.105356.15455071637910234368.reportbug@debian.Home>
Reply-to: Hugh McMaster <hugh.mcmaster@outlook.com>, 961020@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked
as "no DSA".

The attached debdiff fixes these vulnerabilities.

CVE-2020-12767 - division-by-zero errors
CVE-2020-0093  - read buffer overflow
CVE-2018-20030 - denial of service by wasting CPU
CVE-2017-7544  - out-of-bounds heap read
CVE-2016-6328  - integer overflow

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash

diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2020-02-02 07:54:38.000000000 +1100
+++ libexif-0.6.21/debian/changelog	2020-05-19 18:41:18.000000000 +1000
@@ -1,3 +1,19 @@
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+    - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+      entry data of the input file (CVE-2016-6328) (Closes: #873022).
+    - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+      exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+    - cve-2018-20030.patch: Improve deep recursion detection in the function
+      exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+    - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+      in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+    - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Tue, 19 May 2020 19:40:10 +1000
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch	2020-05-19 18:36:53.000000000 +1000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2017-7544.patch	2020-05-19 18:39:10.000000000 +1000
@@ -0,0 +1,22 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
diff -Nru libexif-0.6.21/debian/patches/cve-2018-20030.patch libexif-0.6.21/debian/patches/cve-2018-20030.patch
--- libexif-0.6.21/debian/patches/cve-2018-20030.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2018-20030.patch	2020-05-19 18:39:20.000000000 +1000
@@ -0,0 +1,111 @@
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: Improve deep recursion detection in exif_data_load_data_content.
+Origin: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030
+Bug-Debian: https://bugs.debian.org/918730
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -344,6 +345,20 @@
+ 	break;						\
+ }
+ 
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ *   work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++    static const double log_1_1 = 0.09531017980432493;
++
++	/* Adding 0.1 protects against the case where n==1 */
++	return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -351,13 +366,13 @@
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -372,9 +387,20 @@
+ 	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ 	  return;
+ 
+-	if (recursion_depth > 30) {
++	if (recursion_cost > 170) {
++		/*
++		 * recursion_cost is a logarithmic-scale indicator of how expensive this
++		 * recursive call might end up being. It is an indicator of the depth of
++		 * recursion as well as the potential for worst-case future recursive
++		 * calls. Since it's difficult to tell ahead of time how often recursion
++		 * will occur, this assumes the worst by assuming every tag could end up
++		 * causing recursion.
++		 * The value of 170 was chosen to limit typical EXIF structures to a
++		 * recursive depth of about 6, but pathological ones (those with very
++		 * many tags) to only 2.
++		 */
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Deep recursion detected!");
++			  "Deep/expensive recursion detected!");
+ 		return;
+ 	}
+ 
+@@ -416,15 +442,18 @@
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch	2020-05-19 18:39:22.000000000 +1000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+ 	/* Write the data. Fill unneeded bytes with 0. Do not crash with
+ 	 * e->data is NULL */
+ 	if (e->data) {
+-		memcpy (*d + 6 + doff, e->data, s);
++		unsigned int len = s;
++		if (e->size < s) len = e->size;
++		memcpy (*d + 6 + doff, e->data, len);
+ 	} else {
+ 		memset (*d + 6 + doff, 0, s);
+ 	}
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch	2020-05-19 18:39:29.000000000 +1000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <52818007+orangesnn@users.noreply.github.com>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+ 			break;
+ 		}
+ 		d = (double) v_rat.numerator / (double) v_rat.denominator;
+-		if (d < 1)
++		if (d < 1 && d)
+ 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ 		else
+ 			snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+ 		}
+ 		d = (double) v_srat.numerator / (double) v_srat.denominator;
+ 		snprintf (val, maxlen, _("%.02f EV"), d);
+-		d = 1. / pow (2, d);
+-		if (d < 1)
++		if (pow (2, d))
++			d = 1. / pow (2, d);
++		if (d < 1 && d)
+ 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ 		else
+ 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2020-02-02 07:54:38.000000000 +1100
+++ libexif-0.6.21/debian/patches/series	2020-05-19 18:39:29.000000000 +1000
@@ -1,3 +1,8 @@
+cve-2020-12767.patch
+cve-2020-0093.patch
+cve-2018-20030.patch
+cve-2017-7544.patch
+cve-2016-6328.patch
 pkg_config_header_dir
 extra_colorspace_check
 fix-CVE-2019-9278.patch

Reply to:

Follow-Ups:
- Bug#961020: Updated debdiff for libexif/0.6.21-2+deb9u2
  - From: Hugh McMaster <hugh.mcmaster@outlook.com>
- Bug#961020: Updated debdiff for libexif/0.6.21-2+deb9u2
  - From: Hugh McMaster <hugh.mcmaster@outlook.com>
- Bug#961020: libexif 0.6.21-2+deb9u2 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Bug#961019: buster-pu: package libexif/0.6.21-5.1+deb10u2
Next by Date: Bug#961024: nmu: comet-ms_2019015+cleaned1-1
Previous by thread: Processed: libexif 0.6.21-5.1+deb10u2 flagged for acceptance
Next by thread: Bug#961020: Updated debdiff for libexif/0.6.21-2+deb9u2
Index(es):
- Date
- Thread