
Bug#963694: marked as done (buster-pu: package libexif/0.6.21-5.1+deb10u4)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #963694,
regarding buster-pu: package libexif/0.6.21-5.1+deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
963694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963694
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

Two further security vulnerabilities were discovered in libexif, including
libexif 0.6.21-5.1+deb10u3.

This proposed update adds upstream patches to fix these vulnerabilities.

The package replaces the existing accepted version.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog	2020-05-25 22:01:18.000000000 +1000
+++ libexif-0.6.21/debian/changelog	2020-06-24 23:31:09.000000000 +1000
@@ -1,3 +1,12 @@
+libexif (0.6.21-5.1+deb10u4) buster; urgency=medium
+
+  * Add upstream patches to fix two security issues:
+    - Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182).
+    - Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+      (Closes: #962345).
+
+ -- Hugh McMaster <hugh.mcmaster@outlook.com>  Wed, 24 Jun 2020 23:31:09 +1000
+
 libexif (0.6.21-5.1+deb10u3) buster; urgency=medium
 
   * Add upstream patches to fix multiple security issues:
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0182.patch libexif-0.6.21/debian/patches/cve-2020-0182.patch
--- libexif-0.6.21/debian/patches/cve-2020-0182.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0182.patch	2020-06-24 23:27:49.000000000 +1000
@@ -0,0 +1,28 @@
+Description: Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182)
+ While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+ the end of a heap buffer. This was detected by the OSS Fuzz project.
+Origin: commit:f9bb9f263fb00f0603ecbefa8957cad24168cbff
+Author: Dan Fandrich <dan@coneharvesters.com>
+Last-Update: 2020-06-13
+
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1043,12 +1043,12 @@
+ 		d = 0.;
+ 		entry = exif_content_get_entry (
+ 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+-		if (entry && entry->data &&
++		if (entry && entry->data && entry->size >= 7 &&
+ 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
+ 			entry = exif_content_get_entry (
+ 					e->parent->parent->ifd[EXIF_IFD_0],
+ 					EXIF_TAG_MODEL);
+-			if (entry && entry->data) {
++			if (entry && entry->data && entry->size >= 8) {
+ 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
+ 					d = 3.9;
+ 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
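Review bot: The new guards `entry->size >= 7` and `entry->size >= 8` in the Minolta/DiMAGE checks repeat the `strncmp` lengths as bare literals, so a later edit to a string or a length can silently desynchronise the guard from the compare. Deriving both from the literal, for example `sizeof("Minolta") - 1`, or using a small helper that takes the entry and the prefix, would keep them tied together. The hunk ends at the "DiMAGE 5" comparison, so any further branches of that else-if chain should be confirmed to read no more than 8 bytes, since the `>= 8` guard is the only bound they inherit.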
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0198.patch libexif-0.6.21/debian/patches/cve-2020-0198.patch
--- libexif-0.6.21/debian/patches/cve-2020-0198.patch	1970-01-01 10:00:00.000000000 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0198.patch	2020-06-24 23:28:53.000000000 +1000
@@ -0,0 +1,52 @@
+Description: Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+ Use a more generic overflow check method and also check the second overflow instance.
+Origin: commit:ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: https://bugs.debian.org/962345
+Last-Update: 2020-06-08
+
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+ 
+ struct _ExifDataPrivate
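Review bot: The `CHECKOVERFLOW` macro added after `JPEG_MARKER_APP1` uses its parameters unparenthesised, evaluates `datasize` and `structsize` more than once, and has no comment stating its contract. It is called later in this patch with the expression `12*n`, which happens to bind correctly against `>` and `-`, but writing `(offset) >= (datasize)` and so on, or using a static inline function with unsigned parameters, would remove the dependence on operator precedence. A one-line comment should say that it is true when `structsize` bytes at `offset` do not fit in `datasize`, and that the `structsize > datasize` test has to come before the subtraction so that `datasize - structsize` cannot wrap.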
+@@ -327,7 +329,7 @@
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+ 		return;
+ 	}
+-	if (s > ds - o) {
++	if (CHECKOVERFLOW(o,ds,s)) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ 		return;
+ 	}
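Review bot: In the "Bogus thumbnail size" branch the log call still passes `ds-o`, which is a meaningful maximum only if the preceding "Bogus thumbnail offset" check has already rejected `o >= ds`; that condition is outside the visible context. Since `CHECKOVERFLOW(o,ds,s)` now also fires on `o >= ds`, either add a comment that the earlier check guarantees `o < ds` at this point, or log `s`, `o` and `ds` as separate values so the message cannot show a wrapped number.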
+@@ -420,9 +422,9 @@
+ 	}
+ 
+ 	/* Read the number of entries */
+-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
++	if (CHECKOVERFLOW(offset, ds, 2)) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
++			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
+ 		return;
+ 	}
+ 	n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@
+ 	offset += 2;
+ 
+ 	/* Check if we have enough data. */
+-	if (offset + 12 * n > ds) {
++	if (CHECKOVERFLOW(offset, ds, 12*n)) {
+ 		n = (ds - offset) / 12;
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 				  "Short data; only loading %hu entries...", n);
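Review bot: In the "Check if we have enough data" branch, `CHECKOVERFLOW(offset, ds, 12*n)` protects only the comparison: the product `12*n` is computed before the macro sees it, and the fallback `n = (ds - offset) / 12;` subtracts without a check of its own. The declaration of `n` is not in the hunk (the `%hu` format and the `exif_get_short` call suggest a 16-bit value, for which `12*n` cannot wrap), and `ds - offset` is safe only because the earlier entry-count check leaves `offset <= ds` after `offset += 2`. A short comment stating both assumptions, or an explicit `offset < ds` test before the division, would keep this branch correct if the type of `n` or the earlier check ever changes.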
diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series
--- libexif-0.6.21/debian/patches/series	2020-05-25 22:01:18.000000000 +1000
+++ libexif-0.6.21/debian/patches/series	2020-06-24 23:28:53.000000000 +1000
@@ -13,3 +13,5 @@
 cve-2020-13112.patch
 cve-2020-13113.patch
 cve-2020-13114.patch
+cve-2020-0182.patch
+cve-2020-0198.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
