--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package libexif/0.6.21-5.1+deb10u2
- From: Hugh McMaster <hugh.mcmaster@outlook.com>
- Date: Tue, 19 May 2020 22:26:54 +1000
- Message-id: <158989121401.105251.10269768651732309458.reportbug@debian.Home>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

libexif 0.6.21-5.1+deb10u1 has two open security vulnerabilities:
CVE-2020-12767 and CVE-2020-0093.

The attached debdiff contains fixes for these vulnerabilities, which are
divide-by-zero and buffer read overflow issues.

Fixing these issues in Buster would be good.

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-02 07:43:18.000000000 +1100
+++ libexif-0.6.21/debian/changelog 2020-05-19 19:20:03.000000000 +1000
@@ -1,3 +1,13 @@
+libexif (0.6.21-5.1+deb10u2) buster; urgency=medium
+
+ * Team upload.
+ * Add upstream patches to fix two security issues:
+ - cve-2020-12767.patch: Prevent some possible division-by-zero errors
+ in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+ - cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com> Tue, 19 May 2020 19:20:03 +1000
+
libexif (0.6.21-5.1+deb10u1) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
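Review bot: The CVE-2020-0093 changelog entry names neither the affected function or file nor a bug reference, while the CVE-2020-12767 entry gives both (`exif_entry_get_value()` and `Closes: #960199`). Mention `libexif/exif-data.c` in the 0093 entry so the changelog alone shows which code path was touched.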
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0093.patch libexif-0.6.21/debian/patches/cve-2020-0093.patch
--- libexif-0.6.21/debian/patches/cve-2020-0093.patch 1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0093.patch 2020-05-19 19:20:03.000000000 +1000
@@ -0,0 +1,24 @@
+Description: Fix read buffer overflow (CVE-2020-0093)
+ Ensure the number of bytes being copied does not exceed the source buffer size.
+Origin: commit: 5ae5973bed1947f4d447dc80b76d5cefadd90133
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug: https://github.com/libexif/libexif/issues/42
+Last-Update: 2020-05-17
+
+---
+ libexif/exif-data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -295,7 +295,9 @@
+ /* Write the data. Fill unneeded bytes with 0. Do not crash with
+ * e->data is NULL */
+ if (e->data) {
+- memcpy (*d + 6 + doff, e->data, s);
++ unsigned int len = s;
++ if (e->size < s) len = e->size;
++ memcpy (*d + 6 + doff, e->data, len);
+ } else {
+ memset (*d + 6 + doff, 0, s);
+ }
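Review bot: In the exif-data.c change, when `e->size < s` the memcpy copies only `len` bytes and the remaining `s - len` bytes of the destination are not written on this path, although the comment above says unneeded bytes are filled with 0 and the `else` branch zeroes all `s` bytes. Unless the destination is already zeroed by code outside this hunk, add `memset (*d + 6 + doff + len, 0, s - len);` after the memcpy so the tail of the slot cannot carry stale data into the written file. Minor: the DEP-3 `Origin:` field here has a space after `commit:`, while cve-2020-12767.patch writes it without one; make the two headers consistent.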
diff -Nru libexif-0.6.21/debian/patches/cve-2020-12767.patch libexif-0.6.21/debian/patches/cve-2020-12767.patch
--- libexif-0.6.21/debian/patches/cve-2020-12767.patch 1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-12767.patch 2020-05-19 19:20:03.000000000 +1000
@@ -0,0 +1,34 @@
+Description: Prevent some possible division-by-zero errors in exif_entry_get_value()
+Origin: commit:e22f73064f804c94e90b642cd0db4697c827da72
+Author: orangesnn <52818007+orangesnn@users.noreply.github.com>
+Bug: https://github.com/libexif/libexif/issues/31
+Bug-Debian: https://bugs.debian.org/960199
+Last-Update: 2020-05-13
+
+---
+ libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@
+ break;
+ }
+ d = (double) v_rat.numerator / (double) v_rat.denominator;
+- if (d < 1)
++ if (d < 1 && d)
+ snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ else
+ snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@
+ }
+ d = (double) v_srat.numerator / (double) v_srat.denominator;
+ snprintf (val, maxlen, _("%.02f EV"), d);
+- d = 1. / pow (2, d);
+- if (d < 1)
++ if (pow (2, d))
++ d = 1. / pow (2, d);
++ if (d < 1 && d)
+ snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ else
+ snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
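Review bot: In the second exif-entry.c hunk, if `pow (2, d)` evaluates to 0 the assignment is skipped and `d` still holds the EV value rather than a time in seconds, so the following `if (d < 1 && d)` branch formats `(int) (1. / d)` from the wrong quantity. Handle that case explicitly (for example, omit the seconds suffix) and store `pow (2, d)` in a local instead of calling it twice. In both hunks the added `&& d` test excludes only an exact zero; a very small non-zero `d` makes `1. / d` larger than an `int` can hold, and that conversion is undefined in C, so a range check before the `(int)` cast would be safer.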
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series 2020-02-02 07:43:18.000000000 +1100
+++ libexif-0.6.21/debian/patches/series 2020-05-19 19:20:03.000000000 +1000
@@ -1,3 +1,5 @@
+cve-2020-0093.patch
+cve-2020-12767.patch
add-am_prog_ar.patch
ac_lang_source-macro.patch
pkg_config_header_dir.patch
--- End Message ---