
Bug#961804: marked as done (stretch-pu: package libexif/0.6.21-2+deb9u3)



Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961804,
regarding stretch-pu: package libexif/0.6.21-2+deb9u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961804
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Three additional CVEs were found in the upstream source after libexif
0.6.21-2+deb9u2 was uploaded.

This +deb9u3 version fixes those CVEs.

System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Version in base suite: 0.6.21-2
Version in overlay suite: 0.6.21-2+deb9u1

Base version: libexif_0.6.21-2+deb9u1
Target version: libexif_0.6.21-2+deb9u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.21-2+deb9u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libe/libexif/libexif_0.6.21-2+deb9u3.dsc

 changelog                       |   34 ++++
 patches/cve-2016-6328.patch     |   53 +++++++
 patches/cve-2017-7544.patch     |   20 ++
 patches/cve-2018-20030.patch    |  111 +++++++++++++++
 patches/cve-2020-0093.patch     |   24 +++
 patches/cve-2020-12767.patch    |   34 ++++
 patches/cve-2020-13112.patch    |  296 ++++++++++++++++++++++++++++++++++++++++
 patches/cve-2020-13113.patch    |   52 +++++++
 patches/cve-2020-13114.patch    |   63 ++++++++
 patches/extra_colorspace_check  |    2 
 patches/fix-CVE-2019-9278.patch |   15 --
 patches/series                  |    8 +
 12 files changed, 701 insertions(+), 11 deletions(-)

diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2020-02-01 20:54:38.000000000 +0000
+++ libexif-0.6.21/debian/changelog	2020-05-25 11:28:10.000000000 +0000
@@ -1,3 +1,37 @@
+libexif (0.6.21-2+deb9u3) stretch; urgency=medium
+
+  * Add upstream patches to fix multiple security issues:
+    - cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
+      read time (CVE-2020-13112) (Closes: #961407).
+    - cve-2020-13113.patch: Ensure MakerNote data pointers are
+      NULL-initialized (CVE-2020-13113) (Closes: #961409).
+    - cve-2020-13114.patch: Add a failsafe on the maximum number of
+      Canon MakerNote subtags to catch extremely large values in tags
+      (CVE-2020-13114) (Closes: #961410).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Mon, 25 May 2020 21:28:10 +1000
+
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  [ Mike Gabriel ]
+  * Sponsored upload.
+  * debian/patches: trivial rebasing of several patches.
+
+  [ Hugh McMaster ]
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+    - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+      entry data of the input file (CVE-2016-6328) (Closes: #873022).
+    - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+      exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+    - cve-2018-20030.patch: Improve deep recursion detection in the function
+      exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+    - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+      in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+    - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Thu, 21 May 2020 11:22:40 +0200
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
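Review bot: the deb9u3 entry has no "Team upload." line although the deb9u2 entry directly below it carries one for the same uploader; add it if this is again a team upload so the two entries are consistent. The cve-2020-13112.patch bullet could also say, as that patch's own Description does, that it provides an alternate fix for CVE-2016-6328 across all MakerNote types, so a reader knows cve-2016-6328.patch is now a second layer rather than the only fix for that CVE.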
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch	2020-05-21 09:21:25.000000000 +0000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
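Review bot: the DEP-3 header lacks an Origin field naming the upstream commit, unlike the cve-2020-* patches in this upload; add one so the change can be traced at the next rebase. The final hunk (`return (val);` to `return val;`) is cosmetic and unrelated to the fix; dropping it keeps the patch minimal. On the fix itself, `sizeleft` is decremented in step with `data`, so the SHORT and LONG loops stop before reading past `entry->size` when `components` claims more elements than the entry holds; since the change as written is a remaining-length check rather than an overflow guard, consider wording the Description as "out-of-bounds read while parsing MNOTE entry data" so it matches the code.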
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2017-7544.patch	2020-05-21 09:22:10.000000000 +0000
@@ -0,0 +1,20 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -256,6 +256,12 @@
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
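Review bot: no Origin field for the upstream commit in the header; add one for consistency with the other patches. The logic is sound: `e->components` was just set to `e->size`, a byte count, so any format whose element size is not 1 would inflate the size computed "below" and cause the over-read; forcing `e->format` to EXIF_FORMAT_UNDEFINED is the right fix. It is also an observable change in the saved file (a MakerNote entry whose input declared a multi-byte format is now written back as UNDEFINED), and the Description should state that rather than leaving it to the code comment.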
diff -Nru libexif-0.6.21/debian/patches/cve-2018-20030.patch libexif-0.6.21/debian/patches/cve-2018-20030.patch
--- libexif-0.6.21/debian/patches/cve-2018-20030.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2018-20030.patch	2020-05-21 09:22:06.000000000 +0000
@@ -0,0 +1,111 @@
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: Improve deep recursion detection in exif_data_load_data_content.
+Origin: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030
+Bug-Debian: https://bugs.debian.org/918730
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -346,6 +347,20 @@
+ 	break;						\
+ }
+ 
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ *   work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++    static const double log_1_1 = 0.09531017980432493;
++
++	/* Adding 0.1 protects against the case where n==1 */
++	return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -353,13 +368,13 @@
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -374,9 +389,20 @@
+ 	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ 	  return;
+ 
+-	if (recursion_depth > 30) {
++	if (recursion_cost > 170) {
++		/*
++		 * recursion_cost is a logarithmic-scale indicator of how expensive this
++		 * recursive call might end up being. It is an indicator of the depth of
++		 * recursion as well as the potential for worst-case future recursive
++		 * calls. Since it's difficult to tell ahead of time how often recursion
++		 * will occur, this assumes the worst by assuming every tag could end up
++		 * causing recursion.
++		 * The value of 170 was chosen to limit typical EXIF structures to a
++		 * recursive depth of about 6, but pathological ones (those with very
++		 * many tags) to only 2.
++		 */
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Deep recursion detected!");
++			  "Deep/expensive recursion detected!");
+ 		return;
+ 	}
+ 
+@@ -418,15 +444,18 @@
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
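Review bot: `level_cost()` introduces calls to `log()` and `ceil()`, so exif-data.c now requires libm at link time, yet the debdiff touches no build files; this is only fine if libexif already links -lm (exif-entry.c already calls `pow()`, as the cve-2020-12767 hunk shows, so it probably does, but confirm in the build log). Style: `static const double log_1_1` is indented with spaces while the surrounding function uses tabs. The comment at the `recursion_cost > 170` check explains the constant well; the one thing missing from the patch header is a note that `n` in `level_cost(n)` is the entry count of the IFD being parsed, which is what makes a shallow tree with very many tags hit the limit after only two levels.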
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch	2020-05-21 09:21:25.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+ 	/* Write the data. Fill unneeded bytes with 0. Do not crash with
+ 	 * e->data is NULL */
+ 	if (e->data) {
+-		memcpy (*d + 6 + doff, e->data, s);
++		unsigned int len = s;
++		if (e->size < s) len = e->size;
++		memcpy (*d + 6 + doff, e->data, len);
+ 	} else {
+ 		memset (*d + 6 + doff, 0, s);
+ 	}
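Review bot: when `e->size < s` the memcpy now copies only `len` bytes, but the remaining `s - len` bytes of the destination are left untouched, even though the comment above promises "Fill unneeded bytes with 0" and the else branch zeroes the full span when `e->data` is NULL; unless `*d` is known to be zero-filled, the saved EXIF block carries whatever the allocator left there. Suggest adding `if (len < s) memset (*d + 6 + doff + len, 0, s - len);` immediately after the memcpy so the clamped case keeps the documented behaviour.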
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch	2020-05-21 09:21:25.000000000 +0000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <52818007+orangesnn@users.noreply.github.com>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+ 			break;
+ 		}
+ 		d = (double) v_rat.numerator / (double) v_rat.denominator;
+-		if (d < 1)
++		if (d < 1 && d)
+ 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ 		else
+ 			snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+ 		}
+ 		d = (double) v_srat.numerator / (double) v_srat.denominator;
+ 		snprintf (val, maxlen, _("%.02f EV"), d);
+-		d = 1. / pow (2, d);
+-		if (d < 1)
++		if (pow (2, d))
++			d = 1. / pow (2, d);
++		if (d < 1 && d)
+ 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ 		else
+ 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
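Review bot: `if (pow (2, d))` evaluates pow() twice and, when the result is 0 (an extreme negative EV underflowing to zero), leaves `d` holding the EV value, which the following lines then print as a time in seconds; store the result once (`double p = pow (2, d);`) and skip the seconds annotation altogether when `p` is 0. The `d < 1 && d` guards only avoid `1. / d` for an exact zero; `(int) d` on a very large or non-finite `d` remains undefined behaviour, which is out of scope for this CVE but worth a follow-up using `isfinite()` and a range check.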
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13112.patch libexif-0.6.21/debian/patches/cve-2020-13112.patch
--- libexif-0.6.21/debian/patches/cve-2020-13112.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13112.patch	2020-05-25 11:28:10.000000000 +0000
@@ -0,0 +1,296 @@
+Description: Fix MakerNote tag size overflow issues at read time (CVE-2020-13112)
+ Check for a size overflow while reading tags, which ensures that the size is
+ always consistent for the given components and type of the entry, making
+ checking further down superfluous.
+ .
+ This provides an alternate fix for https://sourceforge.net/p/libexif/bugs/125/
+ CVE-2016-6328 and for all the MakerNote types. Likely, this makes both commits
+ 41bd0423 and 89e5b1c1 redundant as it ensures that MakerNote entries are 
+ well-formed when they're populated.
+ .
+ Some improvements on top by Marcus Meissner <marcus@jet.franken.de>.
+Origin: commit:435e21f05001fb03f9f186fa7cbc69454afd00d1
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-23
+
+---
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,8 @@
+ 
+ #define DEBUG
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -209,7 +211,7 @@
+ 		return;
+ 	}
+ 	datao = 6 + n->offset;
+-	if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) {
++	if (CHECKOVERFLOW(datao, buf_size, 2)) {
+ 		exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteCanon", "Short MakerNote");
+ 		return;
+@@ -233,11 +235,12 @@
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+-		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++		if (CHECKOVERFLOW(o,buf_size,12)) {
+ 			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				"ExifMnoteCanon", "Short MakerNote");
+ 			break;
+-	        }
++		}
+ 
+ 		n->entries[tcount].tag        = exif_get_short (buf + o, n->order);
+ 		n->entries[tcount].format     = exif_get_short (buf + o + 2, n->order);
+@@ -248,6 +251,16 @@
+ 			"Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ 			 mnote_canon_tag_get_name (n->entries[tcount].tag));
+ 
++		/* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++		 * we will check the buffer sizes closer later. */
++		if (	exif_format_get_size (n->entries[tcount].format) &&
++			buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++		) {
++			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++				  "ExifMnoteCanon", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++			continue;
++		}
++
+ 		/*
+ 		 * Size? If bigger than 4 bytes, the actual data is not
+ 		 * in the entry but somewhere else (offset).
+@@ -264,7 +277,8 @@
+ 		} else {
+ 			size_t dataofs = o + 8;
+ 			if (s > 4) dataofs = exif_get_long (buf + dataofs, n->order) + 6;
+-			if ((dataofs + s < s) || (dataofs + s < dataofs) || (dataofs + s > buf_size)) {
++
++			if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ 				exif_log (ne->log, EXIF_LOG_CODE_DEBUG,
+ 					"ExifMnoteCanon",
+ 					"Tag data past end of buffer (%u > %u)",
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -28,6 +28,8 @@
+ 
+ #include "exif-mnote-data-fuji.h"
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ struct _MNoteFujiDataPrivate {
+ 	ExifByteOrder order;
+ };
+@@ -162,16 +164,16 @@
+ 		return;
+ 	}
+ 	datao = 6 + n->offset;
+-	if ((datao + 12 < datao) || (datao + 12 < 12) || (datao + 12 > buf_size)) {
++	if (CHECKOVERFLOW(datao, buf_size, 12)) {
+ 		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteDataFuji", "Short MakerNote");
+ 		return;
+ 	}
+ 
+ 	n->order = EXIF_BYTE_ORDER_INTEL;
++
+ 	datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL);
+-	if ((datao + 2 < datao) || (datao + 2 < 2) ||
+-	    (datao + 2 > buf_size)) {
++	if (CHECKOVERFLOW(datao, buf_size, 2)) {
+ 		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteDataFuji", "Short MakerNote");
+ 		return;
+@@ -195,7 +197,8 @@
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+-		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++		if (CHECKOVERFLOW(o, buf_size, 12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataFuji", "Short MakerNote");
+ 			break;
+@@ -210,6 +213,16 @@
+ 			  "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ 			  mnote_fuji_tag_get_name (n->entries[tcount].tag));
+ 
++		/* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++		 * we will check the buffer sizes closer later. */
++		if (	exif_format_get_size (n->entries[tcount].format) &&
++			buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++		) {
++			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
++					  "ExifMnoteDataFuji", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++			continue;
++		}
++
+ 		/*
+ 		 * Size? If bigger than 4 bytes, the actual data is not
+ 		 * in the entry but somewhere else (offset).
+@@ -221,8 +234,8 @@
+ 			if (s > 4)
+ 				/* The data in this case is merely a pointer */
+ 				dataofs = exif_get_long (buf + dataofs, n->order) + 6 + n->offset;
+-			if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+-				(dataofs + s >= buf_size)) {
++
++			if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ 				exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 						  "ExifMnoteDataFuji", "Tag data past end of "
+ 					  "buffer (%u >= %u)", dataofs + s, buf_size);
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -37,6 +37,8 @@
+  */
+ /*#define EXIF_OVERCOME_SANYO_OFFSET_BUG */
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static enum OlympusVersion
+ exif_mnote_data_olympus_identify_variant (const unsigned char *buf,
+ 		unsigned int buf_size);
+@@ -247,7 +249,7 @@
+ 		return;
+ 	}
+ 	o2 = 6 + n->offset; /* Start of interesting data */
+-	if ((o2 + 10 < o2) || (o2 + 10 < 10) || (o2 + 10 > buf_size)) {
++	if (CHECKOVERFLOW(o2,buf_size,10)) {
+ 		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteDataOlympus", "Short MakerNote");
+ 		return;
+@@ -303,6 +305,7 @@
+ 		/* Olympus S760, S770 */
+ 		datao = o2;
+ 		o2 += 8;
++		if (CHECKOVERFLOW(o2,buf_size,4)) return;
+ 		exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ 			"Parsing Olympus maker note v2 (0x%02x, %02x, %02x, %02x)...",
+ 			buf[o2], buf[o2 + 1], buf[o2 + 2], buf[o2 + 3]);
+@@ -346,7 +349,7 @@
+ 
+ 	case nikonV2:
+ 		o2 += 6;
+-		if (o2 >= buf_size) return;
++		if (CHECKOVERFLOW(o2,buf_size,4)) return;
+ 		exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ 			"Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
+ 			"%02x, %02x, %02x, %02x, %02x)...",
+@@ -406,7 +409,7 @@
+ 	}
+ 
+ 	/* Sanity check the offset */
+-	if ((o2 + 2 < o2) || (o2 + 2 < 2) || (o2 + 2 > buf_size)) {
++	if (CHECKOVERFLOW(o2,buf_size,2)) {
+ 		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteOlympus", "Short MakerNote");
+ 		return;
+@@ -430,7 +433,7 @@
+ 	tcount = 0;
+ 	for (i = c, o = o2; i; --i, o += 12) {
+ 		size_t s;
+-		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++		if (CHECKOVERFLOW(o, buf_size, 12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteOlympus", "Short MakerNote");
+ 			break;
+@@ -451,6 +454,15 @@
+ 		    n->entries[tcount].components,
+ 		    (int)exif_format_get_size(n->entries[tcount].format)); */
+ 
++	    /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++	     * we will check the buffer sizes closer later. */
++	    if (exif_format_get_size (n->entries[tcount].format) &&
++		buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++	    ) {
++		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++		continue;
++	    }
++
+ 	    /*
+ 	     * Size? If bigger than 4 bytes, the actual data is not
+ 	     * in the entry but somewhere else (offset).
+@@ -469,7 +481,7 @@
+ 				 * tag in its MakerNote. The offset is actually the absolute
+ 				 * position in the file instead of the position within the IFD.
+ 				 */
+-			    if (dataofs + s > buf_size && n->version == sanyoV1) {
++			    if (dataofs > (buf_size - s) && n->version == sanyoV1) {
+ 					/* fix pointer */
+ 					dataofs -= datao + 6;
+ 					exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+@@ -478,8 +490,7 @@
+ 			    }
+ #endif
+ 			}
+-			if ((dataofs + s < dataofs) || (dataofs + s < s) || 
+-			    (dataofs + s > buf_size)) {
++			if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ 				exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+ 					  "ExifMnoteOlympus",
+ 					  "Tag data past end of buffer (%u > %u)",
+--- a/libexif/pentax/exif-mnote-data-pentax.c
++++ b/libexif/pentax/exif-mnote-data-pentax.c
+@@ -28,6 +28,8 @@
+ #include <libexif/exif-byte-order.h>
+ #include <libexif/exif-utils.h>
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static void
+ exif_mnote_data_pentax_clear (ExifMnoteDataPentax *n)
+ {
+@@ -224,7 +226,7 @@
+ 		return;
+ 	}
+ 	datao = 6 + n->offset;
+-	if ((datao + 8 < datao) || (datao + 8 < 8) || (datao + 8 > buf_size)) {
++	if (CHECKOVERFLOW(datao, buf_size, 8)) {
+ 		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 			  "ExifMnoteDataPentax", "Short MakerNote");
+ 		return;
+@@ -277,7 +279,8 @@
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+-		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
++
++		if (CHECKOVERFLOW(o,buf_size,12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataPentax", "Short MakerNote");
+ 			break;
+@@ -292,6 +295,16 @@
+ 			  "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ 			  mnote_pentax_tag_get_name (n->entries[tcount].tag));
+ 
++		/* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
++		 * we will check the buffer sizes closer later. */
++		if (	exif_format_get_size (n->entries[tcount].format) &&
++			buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
++		) {
++			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
++				  "ExifMnoteDataPentax", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
++			break;
++		}
++
+ 		/*
+ 		 * Size? If bigger than 4 bytes, the actual data is not
+ 		 * in the entry but somewhere else (offset).
+@@ -304,8 +317,8 @@
+ 			if (s > 4)
+ 				/* The data in this case is merely a pointer */
+ 			   	dataofs = exif_get_long (buf + dataofs, n->order) + 6;
+-			if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+-				(dataofs + s > buf_size)) {
++
++			if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ 				exif_log (en->log, EXIF_LOG_CODE_DEBUG,
+ 						  "ExifMnoteDataPentax", "Tag data past end "
+ 					  "of buffer (%u > %u)", dataofs + s, buf_size);
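Review bot: the new `exif_log` calls in all four files pass `n->entries[tcount].components` to a `%lu` conversion; if, as in the upstream MnoteXxxEntry structs, `components` is an ExifLong (uint32_t), that is a format mismatch on LP64 targets and will trip -Wformat, so cast to `(unsigned long)` or use `%u`. The Pentax copy of the multiplication check uses `break` where the Canon, Fuji and Olympus copies use `continue`, so Pentax stops parsing at the first oversized tag while the others skip it; pick one behaviour and note it in the header. `CHECKOVERFLOW` is defined verbatim in four files with unparenthesised arguments (`offset >= datasize`), safe for the plain identifiers passed today but fragile; a single definition in a shared header with `(offset)`, `(datasize)` and `(structsize)` would be cleaner. Also note the Fuji data check moves from `dataofs + s >= buf_size` to the macro's `offset > datasize - structsize`, so an entry ending exactly at the buffer end is now accepted (correct), while its log text still reads `%u >= %u`.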
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13113.patch libexif-0.6.21/debian/patches/cve-2020-13113.patch
--- libexif-0.6.21/debian/patches/cve-2020-13113.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13113.patch	2020-05-25 11:28:10.000000000 +0000
@@ -0,0 +1,52 @@
+Description: Ensure the MakerNote data pointers are initialized with NULL (CVE-2020-13113)
+ This ensures that an uninitialized pointer isn't dereferenced later in the 
+ case where the number of components (and therefore size) is 0.
+ .
+ This fixes the second issue reported at https://sourceforge.net/p/libexif/bugs/125/
+Origin: commit:ec412aa4583ad71ecabb967d3c77162760169d1f
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-23
+
+---
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -236,6 +236,7 @@
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+ 
++		memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
+ 		if (CHECKOVERFLOW(o,buf_size,12)) {
+ 			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				"ExifMnoteCanon", "Short MakerNote");
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -198,6 +198,7 @@
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+ 
++		memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
+ 		if (CHECKOVERFLOW(o, buf_size, 12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataFuji", "Short MakerNote");
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -433,6 +433,8 @@
+ 	tcount = 0;
+ 	for (i = c, o = o2; i; --i, o += 12) {
+ 		size_t s;
++
++		memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
+ 		if (CHECKOVERFLOW(o, buf_size, 12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteOlympus", "Short MakerNote");
+--- a/libexif/pentax/exif-mnote-data-pentax.c
++++ b/libexif/pentax/exif-mnote-data-pentax.c
+@@ -280,6 +280,7 @@
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
+ 
++		memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
+ 		if (CHECKOVERFLOW(o,buf_size,12)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataPentax", "Short MakerNote");
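Review bot: these hunks take the `CHECKOVERFLOW` lines from cve-2020-13112.patch as context, so this patch must stay after that one in debian/patches/series (it does; worth a sentence in the header so a rebaser knows the dependency). Placing the `memset` before the short-MakerNote `break` is what guarantees the `data` pointer is NULL for a slot that is never filled, which is the case the Description describes (zero components, hence zero size); a one-line comment at the memset saying so would help. The Olympus hunk adds a blank line before the memset that the other three do not, purely cosmetic. Confirm each of the four files already includes <string.h> (the Canon file does, it calls memcpy), otherwise the memset will be implicitly declared.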
diff -Nru libexif-0.6.21/debian/patches/cve-2020-13114.patch libexif-0.6.21/debian/patches/cve-2020-13114.patch
--- libexif-0.6.21/debian/patches/cve-2020-13114.patch	1970-01-01 00:00:00.000000000 +0000
+++ libexif-0.6.21/debian/patches/cve-2020-13114.patch	2020-05-25 11:28:10.000000000 +0000
@@ -0,0 +1,63 @@
+Description: Add a failsafe on the maximum number of Canon MakerNote subtags (CVE-2020-13114)
+ A malicious file could be crafted to cause extremely large values in some
+ tags without tripping any buffer range checks.  This is bad with the libexif
+ representation of Canon MakerNotes because some arrays are turned into
+ individual tags that the application must loop around.
+ .
+ The largest value I've seen for failsafe_size in a (very small) sample of valid
+ Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+ tripping up falsely in case some models use much larger values.
+ .
+ Patch from Google.
+Origin: commit:e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-05-24
+
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -34,6 +34,9 @@
+ 
+ #define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -204,6 +207,7 @@
+ 	ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ 	ExifShort c;
+ 	size_t i, tcount, o, datao;
++	long failsafe_size = 0;
+ 
+ 	if (!n || !buf || !buf_size) {
+ 		exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -295,6 +299,23 @@
+ 			memcpy (n->entries[tcount].data, buf + dataofs, s);
+ 		}
+ 
++		/* Track the size of decoded tag data. A malicious file could
++		 * be crafted to cause extremely large values here without
++		 * tripping any buffer range checks.  This is especially bad
++		 * with the libexif representation of Canon MakerNotes because
++		 * some arrays are turned into individual tags that the
++		 * application must loop around. */
++		failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++		if (failsafe_size > FAILSAFE_SIZE_MAX) {
++			/* Abort if the total size of the data in the tags extraordinarily large, */
++			exif_mem_free (ne->mem, n->entries[tcount].data);
++			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++					  "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++					  failsafe_size, FAILSAFE_SIZE_MAX);
++			break;
++		}
++
+ 		/* Tag was successfully parsed */
+ 		++tcount;
+ 	}
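Review bot: the log call formats `failsafe_size`, declared `long`, with `%lu` while `FAILSAFE_SIZE_MAX` gets `%ld`; use `%ld` for both. The comment inside the `if` ("Abort if the total size of the data in the tags extraordinarily large,") is missing its verb and ends in a comma. On the abort path `n->entries[tcount].data` is freed but not reset to NULL; since `tcount` is not incremented the slot is presumably excluded from the final count, but nulling the pointer after the free costs nothing and removes a double-free hazard if that assumption ever changes. Finally, the header justifies the 1000000 limit with the <5000 observed in valid Canon files; that reasoning belongs in the code comment beside `FAILSAFE_SIZE_MAX` too, where the next person tuning it will look.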
diff -Nru libexif-0.6.21/debian/patches/extra_colorspace_check libexif-0.6.21/debian/patches/extra_colorspace_check
--- libexif-0.6.21/debian/patches/extra_colorspace_check	2020-02-01 20:54:38.000000000 +0000
+++ libexif-0.6.21/debian/patches/extra_colorspace_check	2020-05-21 09:22:16.000000000 +0000
@@ -5,7 +5,7 @@
 Last-Update: 2011-04-11
 --- a/libexif/exif-entry.c
 +++ b/libexif/exif-entry.c
-@@ -1317,7 +1317,7 @@
+@@ -1318,7 +1318,7 @@
  		/* Find the value */
  		for (j = 0; list2[i].elem[j].values[0] &&
  			    (list2[i].elem[j].index < v_short); j++);
diff -Nru libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch
--- libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch	2020-02-01 20:54:38.000000000 +0000
+++ libexif-0.6.21/debian/patches/fix-CVE-2019-9278.patch	2020-05-21 09:22:20.000000000 +0000
@@ -16,11 +16,9 @@
  libexif/exif-data.c | 28 ++++++++++++++++++----------
  1 file changed, 18 insertions(+), 10 deletions(-)
 
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index a6f9c94f2fc2..6332cd1ae3b0 100644
 --- a/libexif/exif-data.c
 +++ b/libexif/exif-data.c
-@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+@@ -192,9 +192,15 @@
  		doff = offset + 8;
  
  	/* Sanity checks */
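Review bot: dropping the `diff --git` and `index a6f9c94f2fc2..6332cd1ae3b0` lines removes the only reference to the upstream blobs in this part of the patch; if the header above (not shown in this hunk) has no DEP-3 Origin field, add one before this refresh lands so the provenance is not lost. Removing the function names from the `@@` headers is harmless, but keeping them costs nothing and makes the patch easier to read during the next rebase.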
@@ -38,7 +36,7 @@
  		return 0;
  	}
  
-@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+@@ -317,13 +323,14 @@
  			       unsigned int ds, ExifLong o, ExifLong s)
  {
  	/* Sanity checks */
@@ -58,7 +56,7 @@
  	if (data->data) 
  		exif_mem_free (data->priv->mem, data->data);
  	if (!(data->data = exif_data_alloc (data, s))) {
-@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -940,7 +947,7 @@
  	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
  		  "IFD 0 at %i.", (int) offset);
  
@@ -67,7 +65,7 @@
  	if (offset > ds || offset + 6 + 2 > ds)
  		return;
  
-@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -949,6 +956,7 @@
  
  	/* IFD 1 offset */
  	n = exif_get_short (d + 6 + offset, data->priv->order);
@@ -75,7 +73,7 @@
  	if (offset + 6 + 2 + 12 * n + 4 > ds)
  		return;
  
-@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+@@ -957,8 +965,8 @@
  		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
  			  "IFD 1 at %i.", (int) offset);
  
@@ -86,6 +84,3 @@
  			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
  				  "ExifData", "Bogus offset of IFD1.");
  		} else {
--- 
-2.25.0
-
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2020-02-01 20:54:38.000000000 +0000
+++ libexif-0.6.21/debian/patches/series	2020-05-25 11:28:10.000000000 +0000
@@ -1,3 +1,11 @@
+cve-2020-12767.patch
+cve-2020-0093.patch
+cve-2018-20030.patch
+cve-2017-7544.patch
+cve-2016-6328.patch
 pkg_config_header_dir
 extra_colorspace_check
 fix-CVE-2019-9278.patch
+cve-2020-13112.patch
+cve-2020-13113.patch
+cve-2020-13114.patch
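Review bot: the ordering is correct for the dependency chain: cve-2020-13113.patch and cve-2020-13114.patch both carry `CHECKOVERFLOW` context introduced by cve-2020-13112.patch, so 13112 must precede them, as it does. The five deb9u2 patches are listed in reverse chronological order (12767, 0093, 20030, 7544, 6328) ahead of the pre-existing patches, with the deb9u3 ones appended at the end; because cve-2017-7544, cve-2018-20030, cve-2020-0093 and fix-CVE-2019-9278 all touch exif-data.c, the refreshed offsets in fix-CVE-2019-9278.patch only apply with this exact order, so any future reordering will need another refresh.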

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
