Bug#961803: buster-pu: package libexif/0.6.21-5.1+deb10u3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Three additional CVEs were found in the upstream source after libexif
0.6.21-5.1+deb10u2 was uploaded.
This +deb10u3 version fixes those CVEs.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Version in base suite: 0.6.21-5.1+deb10u1
Base version: libexif_0.6.21-5.1+deb10u1
Target version: libexif_0.6.21-5.1+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.21-5.1+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libe/libexif/libexif_0.6.21-5.1+deb10u3.dsc
changelog | 28
patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch | 13
patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch | 7
patches/cve-2020-0093.patch | 24
patches/cve-2020-12767.patch | 34 +
patches/cve-2020-13112.patch | 296 ++++++++++
patches/cve-2020-13113.patch | 52 +
patches/cve-2020-13114.patch | 63 ++
patches/extra_colorspace_check.patch | 2
patches/fix-CVE-2019-9278.patch | 15
patches/series | 5
11 files changed, 513 insertions(+), 26 deletions(-)
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/changelog 2020-05-25 12:01:18.000000000 +0000
@@ -1,3 +1,31 @@
+libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
+
+ * Add upstream patches to fix multiple security issues:
+ - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
+ read time (CVE-2020-13112) (Closes: #961407).
+ - cve-2020-13113.patch: Ensure MakerNote data pointers are
+ NULL-initialized (CVE-2020-13113) (Closes: #961409).
+ - cve-2020-13114.patch: Add a failsafe on the maximum number of
+ Canon MakerNote subtags to catch extremely large values in tags
+ (CVE-2020-13114) (Closes: #961410).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com> Mon, 25 May 2020 22:01:18 +1000
+
+libexif (0.6.21-5.1+deb10u2) buster; urgency=medium
+
+ [ Mike Gabriel ]
+ * Sponsored upload.
+ * debian/patches: Trivial rebase of various patches.
+
+ [ Hugh McMaster ]
+ * Team upload.
+ * Add upstream patches to fix two security issues:
+ - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+ in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+ - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 21 May 2020 11:26:42 +0200
+
libexif (0.6.21-5.1+deb10u1) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch
--- libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/patches/Improve-deep-recursion-detection-in-exif_data_load_d.patch 2020-05-21 09:26:15.000000000 +0000
@@ -16,8 +16,6 @@
the identifier CVE-2018-20030.
---
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index e35403ddba7c..a6f9c94f2fc2 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -35,6 +35,7 @@
@@ -28,7 +26,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
-@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
+@@ -352,6 +353,20 @@
break; \
}
@@ -49,7 +47,7 @@
/*! Load data for an IFD.
*
* \param[in,out] data #ExifData
-@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
+@@ -359,13 +374,13 @@
* \param[in] d pointer to buffer containing raw IFD data
* \param[in] ds size of raw data in buffer at \c d
* \param[in] offset offset into buffer at \c d at which IFD starts
@@ -66,7 +64,7 @@
{
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
ExifShort n;
-@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+@@ -380,9 +395,20 @@
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
@@ -89,7 +87,7 @@
return;
}
-@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+@@ -424,15 +450,18 @@
switch (tag) {
case EXIF_TAG_EXIF_IFD_POINTER:
CHECK_REC (EXIF_IFD_EXIF);
@@ -111,6 +109,3 @@
break;
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
thumbnail_offset = o;
---
-2.20.1
-
diff -Nru libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch
--- libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/patches/Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch 2020-05-21 09:26:09.000000000 +0000
@@ -10,11 +10,9 @@
libexif/exif-data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index 91f4c33593ad..04cdda256c3d 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
-@@ -378,7 +378,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+@@ -380,7 +380,7 @@
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
@@ -23,6 +21,3 @@
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
"Deep recursion detected!");
return;
---
-2.20.1
-
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch 2020-05-21 09:25:43.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+ /* Write the data. Fill unneeded bytes with 0. Do not crash with
+ * e->data is NULL */
+ if (e->data) {
+- memcpy (*d + 6 + doff, e->data, s);
++ unsigned int len = s;
++ if (e->size < s) len = e->size;
++ memcpy (*d + 6 + doff, e->data, len);
+ } else {
+ memset (*d + 6 + doff, 0, s);
+ }
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch 2020-05-21 09:25:43.000000000 +0000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <52818007+orangesnn@users.noreply.github.com>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+ break;
+ }
+ d = (double) v_rat.numerator / (double) v_rat.denominator;
+- if (d < 1)
++ if (d < 1 && d)
+ snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ else
+ snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+ }
+ d = (double) v_srat.numerator / (double) v_srat.denominator;
+ snprintf (val, maxlen, _("%.02f EV"), d);
+- d = 1. / pow (2, d);
+- if (d < 1)
++ if (pow (2, d))
++ d = 1. / pow (2, d);
++ if (d < 1 && d)
+ snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ else
+ snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13112.patch libexif-0.6.21/debian/patches/cve-2020-13112.patch
--- libexif-0.6.21/debian/patches/cve-2020-13112.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13112.patch 2020-05-25 12:01:18.000000000 +0000
@@ -0,0 +1,296 @@
+Description: Fix MakerNote tag size overflow issues at read time (CVE-2020-13112)
+ Check for a size overflow while reading tags, which ensures that the size is
+ always consistent for the given components and type of the entry, making
+ checking further down superfluous.
+ .
+ This provides an alternate fix for https://sourceforge.net/p/libexif/bugs/125/
+ CVE-2016-6328 and for all the MakerNote types. Likely, this makes both commits
+ 41bd0423 and 89e5b1c1 redundant as it ensures that MakerNote entries are
+ well-formed when they're populated.
+ .
+ Some improvements on top by Marcus Meissner <marcus@jet.franken.de>.
+Origin: commit:435e21f05001fb03f9f186fa7cbc69454afd00d1
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-23
+
+---
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,8 @@
+
+ #define DEBUG
+
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -209,7 +211,7 @@
+ return;
+ }
+ datao = 6 + n->offset;
+- if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) {
++ if (CHECKOVERFLOW(datao, buf_size, 2)) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+ return;
+@@ -233,11 +235,12 @@
+ tcount = 0;
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++ if (CHECKOVERFLOW(o,buf_size,12)) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+ break;
+- }
++ }
+
+ n->entries[tcount].tag = exif_get_short (buf + o, n->order);
+ n->entries[tcount].format = exif_get_short (buf + o + 2, n->order);
+@@ -248,6 +251,16 @@
+ "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ mnote_canon_tag_get_name (n->entries[tcount].tag));
+
++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++ * we will check the buffer sizes closer later. */
++ if ( exif_format_get_size (n->entries[tcount].format) &&
++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++ ) {
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++ continue;
++ }
++
+ /*
+ * Size? If bigger than 4 bytes, the actual data is not
+ * in the entry but somewhere else (offset).
+@@ -264,7 +277,8 @@
+ } else {
+ size_t dataofs = o + 8;
+ if (s > 4) dataofs = exif_get_long (buf + dataofs, n->order) + 6;
+- if ((dataofs + s < s) || (dataofs + s < dataofs) || (dataofs + s > buf_size)) {
++
++ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ exif_log (ne->log, EXIF_LOG_CODE_DEBUG,
+ "ExifMnoteCanon",
+ "Tag data past end of buffer (%lu > %u)",
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -28,6 +28,8 @@
+
+ #include "exif-mnote-data-fuji.h"
+
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ struct _MNoteFujiDataPrivate {
+ ExifByteOrder order;
+ };
+@@ -162,16 +164,16 @@
+ return;
+ }
+ datao = 6 + n->offset;
+- if ((datao + 12 < datao) || (datao + 12 < 12) || (datao + 12 > buf_size)) {
++ if (CHECKOVERFLOW(datao, buf_size, 12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Short MakerNote");
+ return;
+ }
+
+ n->order = EXIF_BYTE_ORDER_INTEL;
++
+ datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL);
+- if ((datao + 2 < datao) || (datao + 2 < 2) ||
+- (datao + 2 > buf_size)) {
++ if (CHECKOVERFLOW(datao, buf_size, 2)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Short MakerNote");
+ return;
+@@ -195,7 +197,8 @@
+ tcount = 0;
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++ if (CHECKOVERFLOW(o, buf_size, 12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Short MakerNote");
+ break;
+@@ -210,6 +213,16 @@
+ "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ mnote_fuji_tag_get_name (n->entries[tcount].tag));
+
++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++ * we will check the buffer sizes closer later. */
++ if ( exif_format_get_size (n->entries[tcount].format) &&
++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++ ) {
++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteDataFuji", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++ continue;
++ }
++
+ /*
+ * Size? If bigger than 4 bytes, the actual data is not
+ * in the entry but somewhere else (offset).
+@@ -221,8 +234,8 @@
+ if (s > 4)
+ /* The data in this case is merely a pointer */
+ dataofs = exif_get_long (buf + dataofs, n->order) + 6 + n->offset;
+- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+- (dataofs + s >= buf_size)) {
++
++ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Tag data past end of "
+ "buffer (%lu >= %u)", (unsigned long)(dataofs + s), buf_size);
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -37,6 +37,8 @@
+ */
+ /*#define EXIF_OVERCOME_SANYO_OFFSET_BUG */
+
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static enum OlympusVersion
+ exif_mnote_data_olympus_identify_variant (const unsigned char *buf,
+ unsigned int buf_size);
+@@ -247,7 +249,7 @@
+ return;
+ }
+ o2 = 6 + n->offset; /* Start of interesting data */
+- if ((o2 + 10 < o2) || (o2 + 10 < 10) || (o2 + 10 > buf_size)) {
++ if (CHECKOVERFLOW(o2,buf_size,10)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataOlympus", "Short MakerNote");
+ return;
+@@ -303,6 +305,7 @@
+ /* Olympus S760, S770 */
+ datao = o2;
+ o2 += 8;
++ if (CHECKOVERFLOW(o2,buf_size,4)) return;
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Parsing Olympus maker note v2 (0x%02x, %02x, %02x, %02x)...",
+ buf[o2], buf[o2 + 1], buf[o2 + 2], buf[o2 + 3]);
+@@ -346,7 +349,7 @@
+
+ case nikonV2:
+ o2 += 6;
+- if (o2 >= buf_size) return;
++ if (CHECKOVERFLOW(o2,buf_size,4)) return;
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
+ "%02x, %02x, %02x, %02x, %02x)...",
+@@ -406,7 +409,7 @@
+ }
+
+ /* Sanity check the offset */
+- if ((o2 + 2 < o2) || (o2 + 2 < 2) || (o2 + 2 > buf_size)) {
++ if (CHECKOVERFLOW(o2,buf_size,2)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteOlympus", "Short MakerNote");
+ return;
+@@ -430,7 +433,7 @@
+ tcount = 0;
+ for (i = c, o = o2; i; --i, o += 12) {
+ size_t s;
+- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++ if (CHECKOVERFLOW(o, buf_size, 12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteOlympus", "Short MakerNote");
+ break;
+@@ -451,6 +454,15 @@
+ n->entries[tcount].components,
+ (int)exif_format_get_size(n->entries[tcount].format)); */
+
++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++ * we will check the buffer sizes closer later. */
++ if (exif_format_get_size (n->entries[tcount].format) &&
++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++ ) {
++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++ continue;
++ }
++
+ /*
+ * Size? If bigger than 4 bytes, the actual data is not
+ * in the entry but somewhere else (offset).
+@@ -469,7 +481,7 @@
+ * tag in its MakerNote. The offset is actually the absolute
+ * position in the file instead of the position within the IFD.
+ */
+- if (dataofs + s > buf_size && n->version == sanyoV1) {
++ if (dataofs > (buf_size - s) && n->version == sanyoV1) {
+ /* fix pointer */
+ dataofs -= datao + 6;
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+@@ -478,8 +490,7 @@
+ }
+ #endif
+ }
+- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+- (dataofs + s > buf_size)) {
++ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+ "ExifMnoteOlympus",
+ "Tag data past end of buffer (%lu > %u)",
+--- a/libexif/pentax/exif-mnote-data-pentax.c
++++ b/libexif/pentax/exif-mnote-data-pentax.c
+@@ -28,6 +28,8 @@
+ #include <libexif/exif-byte-order.h>
+ #include <libexif/exif-utils.h>
+
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static void
+ exif_mnote_data_pentax_clear (ExifMnoteDataPentax *n)
+ {
+@@ -224,7 +226,7 @@
+ return;
+ }
+ datao = 6 + n->offset;
+- if ((datao + 8 < datao) || (datao + 8 < 8) || (datao + 8 > buf_size)) {
++ if (CHECKOVERFLOW(datao, buf_size, 8)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataPentax", "Short MakerNote");
+ return;
+@@ -277,7 +279,8 @@
+ tcount = 0;
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++ if (CHECKOVERFLOW(o,buf_size,12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataPentax", "Short MakerNote");
+ break;
+@@ -292,6 +295,16 @@
+ "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ mnote_pentax_tag_get_name (n->entries[tcount].tag));
+
++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++ * we will check the buffer sizes closer later. */
++ if ( exif_format_get_size (n->entries[tcount].format) &&
++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++ ) {
++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteDataPentax", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++ break;
++ }
++
+ /*
+ * Size? If bigger than 4 bytes, the actual data is not
+ * in the entry but somewhere else (offset).
+@@ -304,8 +317,8 @@
+ if (s > 4)
+ /* The data in this case is merely a pointer */
+ dataofs = exif_get_long (buf + dataofs, n->order) + 6;
+- if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+- (dataofs + s > buf_size)) {
++
++ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+ "ExifMnoteDataPentax", "Tag data past end "
+ "of buffer (%lu > %u)", (unsigned long)(dataofs + s), buf_size);
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13113.patch libexif-0.6.21/debian/patches/cve-2020-13113.patch
--- libexif-0.6.21/debian/patches/cve-2020-13113.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13113.patch 2020-05-25 12:01:18.000000000 +0000
@@ -0,0 +1,52 @@
+Description: Ensure the MakerNote data pointers are initialized with NULL (CVE-2020-13113)
+ This ensures that an uninitialized pointer isn't dereferenced later in the
+ case where the number of components (and therefore size) is 0.
+ .
+ This fixes the second issue reported at https://sourceforge.net/p/libexif/bugs/125/
+Origin: commit:ec412aa4583ad71ecabb967d3c77162760169d1f
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-23
+
+---
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -236,6 +236,7 @@
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+
++ memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
+ if (CHECKOVERFLOW(o,buf_size,12)) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -198,6 +198,7 @@
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+
++ memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
+ if (CHECKOVERFLOW(o, buf_size, 12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Short MakerNote");
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -433,6 +433,8 @@
+ tcount = 0;
+ for (i = c, o = o2; i; --i, o += 12) {
+ size_t s;
++
++ memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
+ if (CHECKOVERFLOW(o, buf_size, 12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteOlympus", "Short MakerNote");
+--- a/libexif/pentax/exif-mnote-data-pentax.c
++++ b/libexif/pentax/exif-mnote-data-pentax.c
+@@ -280,6 +280,7 @@
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+
++ memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
+ if (CHECKOVERFLOW(o,buf_size,12)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataPentax", "Short MakerNote");
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13114.patch libexif-0.6.21/debian/patches/cve-2020-13114.patch
--- libexif-0.6.21/debian/patches/cve-2020-13114.patch 1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13114.patch 2020-05-25 12:01:18.000000000 +0000
@@ -0,0 +1,63 @@
+Description: Add a failsafe on the maximum number of Canon MakerNote subtags (CVE-2020-13114)
+ A malicious file could be crafted to cause extremely large values in some
+ tags without tripping any buffer range checks. This is bad with the libexif
+ representation of Canon MakerNotes because some arrays are turned into
+ individual tags that the application must loop around.
+ .
+ The largest value I've seen for failsafe_size in a (very small) sample of valid
+ Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+ tripping up falsely in case some models use much larger values.
+ .
+ Patch from Google.
+Origin: commit:e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-24
+
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -34,6 +34,9 @@
+
+ #define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -204,6 +207,7 @@
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -295,6 +299,23 @@
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+
++ /* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }
diff -Nru libexif-0.6.21/debian/patches/extra_colorspace_check.patch libexif-0.6.21/debian/patches/extra_colorspace_check.patch
--- libexif-0.6.21/debian/patches/extra_colorspace_check.patch 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/patches/extra_colorspace_check.patch 2020-05-21 09:26:02.000000000 +0000
@@ -5,7 +5,7 @@
Last-Update: 2011-04-11
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
-@@ -1317,7 +1317,7 @@
+@@ -1318,7 +1318,7 @@
/* Find the value */
for (j = 0; list2[i].elem[j].values[0] &&
(list2[i].elem[j].index < v_short); j++);
diff -Nru libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch
--- libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch 2020-05-21 09:26:19.000000000 +0000
@@ -16,11 +16,9 @@
libexif/exif-data.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index a6f9c94f2fc2..6332cd1ae3b0 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
-@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+@@ -192,9 +192,15 @@
doff = offset + 8;
/* Sanity checks */
@@ -38,7 +36,7 @@
return 0;
}
-@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+@@ -317,13 +323,14 @@
unsigned int ds, ExifLong o, ExifLong s)
{
/* Sanity checks */
@@ -58,7 +56,7 @@
if (data->data)
exif_mem_free (data->priv->mem, data->data);
if (!(data->data = exif_data_alloc (data, s))) {
-@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -940,7 +947,7 @@
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"IFD 0 at %i.", (int) offset);
@@ -67,7 +65,7 @@
if (offset > ds || offset + 6 + 2 > ds)
return;
-@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -949,6 +956,7 @@
/* IFD 1 offset */
n = exif_get_short (d + 6 + offset, data->priv->order);
@@ -75,7 +73,7 @@
if (offset + 6 + 2 + 12 * n + 4 > ds)
return;
-@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -957,8 +965,8 @@
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"IFD 1 at %i.", (int) offset);
@@ -86,6 +84,3 @@
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifData", "Bogus offset of IFD1.");
} else {
---
-2.25.0
-
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series 2020-02-01 20:43:18.000000000 +0000
+++ libexif-0.6.21/debian/patches/series 2020-05-25 12:01:18.000000000 +0000
@@ -1,3 +1,5 @@
+cve-2020-0093.patch
+cve-2020-12767.patch
add-am_prog_ar.patch
ac_lang_source-macro.patch
pkg_config_header_dir.patch
@@ -8,3 +10,6 @@
Reduce-maximum-recursion-depth-in-exif_data_load_dat.patch
Improve-deep-recursion-detection-in-exif_data_load_d.patch
fix-CVE-2019-9278.patch
+cve-2020-13112.patch
+cve-2020-13113.patch
+cve-2020-13114.patch
Reply to: