[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#961020: marked as done (stretch-pu: package libexif/0.6.21-2+deb9u2)

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961020,
regarding stretch-pu: package libexif/0.6.21-2+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961020
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked
as "no DSA".

The attached debdiff fixes these vulnerabilities.

CVE-2020-12767 - division-by-zero errors
CVE-2020-0093  - read buffer overflow
CVE-2018-20030 - denial of service by wasting CPU
CVE-2017-7544  - out-of-bounds heap read
CVE-2016-6328  - integer overflow

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash

diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2020-02-02 07:54:38.000000000 +1100
+++ libexif-0.6.21/debian/changelog	2020-05-19 18:41:18.000000000 +1000
@@ -1,3 +1,19 @@
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+    - cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+      entry data of the input file (CVE-2016-6328) (Closes: #873022).
+    - cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+      exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+    - cve-2018-20030.patch: Improve deep recursion detection in the function
+      exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+    - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+      in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+    - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Tue, 19 May 2020 19:40:10 +1000
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch	2020-05-19 18:36:53.000000000 +1000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
diff -Nru libexif-0.6.21/debian/patches/cve-2017-7544.patch libexif-0.6.21/debian/patches/cve-2017-7544.patch
--- libexif-0.6.21/debian/patches/cve-2017-7544.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2017-7544.patch	2020-05-19 18:39:10.000000000 +1000
@@ -0,0 +1,22 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
diff -Nru libexif-0.6.21/debian/patches/cve-2018-20030.patch libexif-0.6.21/debian/patches/cve-2018-20030.patch
--- libexif-0.6.21/debian/patches/cve-2018-20030.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2018-20030.patch	2020-05-19 18:39:20.000000000 +1000
@@ -0,0 +1,111 @@
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: Improve deep recursion detection in exif_data_load_data_content.
+Origin: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20030
+Bug-Debian: https://bugs.debian.org/918730
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -344,6 +345,20 @@
+ 	break;						\
+ }
+ 
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ *   work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++    static const double log_1_1 = 0.09531017980432493;
++
++	/* Adding 0.1 protects against the case where n==1 */
++	return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -351,13 +366,13 @@
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -372,9 +387,20 @@
+ 	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ 	  return;
+ 
+-	if (recursion_depth > 30) {
++	if (recursion_cost > 170) {
++		/*
++		 * recursion_cost is a logarithmic-scale indicator of how expensive this
++		 * recursive call might end up being. It is an indicator of the depth of
++		 * recursion as well as the potential for worst-case future recursive
++		 * calls. Since it's difficult to tell ahead of time how often recursion
++		 * will occur, this assumes the worst by assuming every tag could end up
++		 * causing recursion.
++		 * The value of 170 was chosen to limit typical EXIF structures to a
++		 * recursive depth of about 6, but pathological ones (those with very
++		 * many tags) to only 2.
++		 */
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Deep recursion detected!");
++			  "Deep/expensive recursion detected!");
+ 		return;
+ 	}
+ 
+@@ -416,15 +442,18 @@
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch	2020-05-19 18:39:22.000000000 +1000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+ 	/* Write the data. Fill unneeded bytes with 0. Do not crash with
+ 	 * e->data is NULL */
+ 	if (e->data) {
+-		memcpy (*d + 6 + doff, e->data, s);
++		unsigned int len = s;
++		if (e->size < s) len = e->size;
++		memcpy (*d + 6 + doff, e->data, len);
+ 	} else {
+ 		memset (*d + 6 + doff, 0, s);
+ 	}
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch	2020-05-19 18:39:29.000000000 +1000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <52818007+orangesnn@users.noreply.github.com>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+ 			break;
+ 		}
+ 		d = (double) v_rat.numerator / (double) v_rat.denominator;
+-		if (d < 1)
++		if (d < 1 && d)
+ 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ 		else
+ 			snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+ 		}
+ 		d = (double) v_srat.numerator / (double) v_srat.denominator;
+ 		snprintf (val, maxlen, _("%.02f EV"), d);
+-		d = 1. / pow (2, d);
+-		if (d < 1)
++		if (pow (2, d))
++			d = 1. / pow (2, d);
++		if (d < 1 && d)
+ 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ 		else
+ 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2020-02-02 07:54:38.000000000 +1100
+++ libexif-0.6.21/debian/patches/series	2020-05-19 18:39:29.000000000 +1000
@@ -1,3 +1,8 @@
+cve-2020-12767.patch
+cve-2020-0093.patch
+cve-2018-20030.patch
+cve-2017-7544.patch
+cve-2016-6328.patch
 pkg_config_header_dir
 extra_colorspace_check
 fix-CVE-2019-9278.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
Reply to: