GNU bug report logs - #29019
[PATCH] gnu: exiv2: Add upstream security fixes.


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Thu, 26 Oct 2017 21:46:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#29019; Package guix-patches. (Thu, 26 Oct 2017 21:46:02 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 26 Oct 2017 21:46:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: exiv2: Add upstream security fixes.
Date: Thu, 26 Oct 2017 23:45:06 +0200

Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864.

* gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch,
gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/image.scm (exiv2)[source]: Use them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  2 +
 .../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ++++++++++++++++++++++
 gnu/packages/patches/exiv2-CVE-2017-14860.patch    | 48 ++++++++++++++++
 4 files changed, 118 insertions(+)
 create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
 create mode 100644 gnu/packages/patches/exiv2-CVE-2017-14860.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f318bcd49..cd683361d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -605,6 +605,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
   %D%/packages/patches/exim-CVE-2017-1000369.patch		\
+  %D%/packages/patches/exiv2-CVE-2017-14860.patch		\
+  %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch	\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
   %D%/packages/patches/fastcap-mulSetup.patch			\
   %D%/packages/patches/fasthenry-spAllocate.patch		\
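Review bot: the two new entries are added as `exiv2-CVE-2017-14860.patch` followed by `exiv2-CVE-2017-14859-14862-14864.patch`, which breaks the alphabetical order the surrounding `dist_patch_DATA` entries keep (eudev, evilwm, exim, then fastcap). Swapping the two lines so that `exiv2-CVE-2017-14859-14862-14864.patch` comes first keeps the list sorted and makes future merges of this region less conflict-prone.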
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index b53247de8..df8ac67e4 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -866,6 +866,8 @@ channels.")
                                        version ".tar.gz")
                         (string-append "https://fossies.org/linux/misc/exiv2-"
                                        version ".tar.gz")))
+             (patches (search-patches "exiv2-CVE-2017-14860.patch"
+                                      "exiv2-CVE-2017-14859-14862-14864.patch"))
              (sha256
               (base32
                "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
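Review bot: the `patches` field is inserted between `uri` and `sha256`, and the hash is left unchanged, which is correct: Guix applies the results of `search-patches` to the unpacked source in a separate step, so the hash of the downloaded tarball does not change. The two patches touch disjoint upstream files (src/tiffvisitor.cpp and src/jp2image.cpp), so their order inside `search-patches` is immaterial; keeping the same order here as in gnu/local.mk, or sorting both alphabetically, makes the two lists easy to cross-check.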
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
new file mode 100644
index 000000000..69e65aeb6
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
+
+From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak <at> cgc-instruments.com>
+Date: Sat, 7 Oct 2017 23:08:36 +0200
+Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
+
+The invalid memory dereference in
+Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
+is caused further up the call-stack, by
+v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
+passing an invalid pData pointer (pData points outside of the Tiff
+file). pData can be set out of bounds in the (size > 4) branch where
+baseOffset() and offset are added to pData_ without checking whether
+the result is still in the file. As offset comes from an untrusted
+source, an attacker can craft an arbitrarily large offset into the
+file.
+
+This commit adds a check into the problematic branch, whether the
+result of the addition would be out of bounds of the Tiff
+file. Furthermore the whole operation is checked for possible
+overflows.
+---
+ src/tiffvisitor.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
+index 4ab733d4..ef13542e 100644
+--- a/src/tiffvisitor.cpp
++++ b/src/tiffvisitor.cpp
+@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include <iostream>
+ #include <iomanip>
+ #include <cassert>
++#include <limits>
+ 
+ // *****************************************************************************
+ namespace {
+@@ -1517,7 +1518,19 @@ namespace Exiv2 {
+                 size = 0;
+         }
+         if (size > 4) {
++            // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
++            // as offset can be arbitrarily large
++            if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
++             || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
++            {
++                throw Error(59);
++            }
++            if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
++                throw Error(58);
++            }
+             pData = const_cast<byte*>(pData_) + baseOffset() + offset;
++
++	    // check for size being invalid
+             if (size > static_cast<uint32_t>(pLast_ - pData)) {
+ #ifndef SUPPRESS_WARNINGS
+                 EXV_ERROR << "Upper boundary of data for "
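Review bot: the bounds check `pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_` forms a pointer that may lie beyond the end of the buffer before comparing it, which is formally undefined behaviour in C++ even though the preceding `uintptr_t` wrap-around check rules out arithmetic overflow; comparing integers against the remaining length instead (for example `static_cast<uintptr_t>(offset) > static_cast<uintptr_t>(pLast_ - pData_) - static_cast<uintptr_t>(baseOffset())`, after checking that the subtraction cannot go negative) avoids that. Since this file is a verbatim copy of upstream commit 8a586c74, and the header documents the CVE links and commit URL as it should, that is a follow-up for upstream rather than a reason to hold this package change. Minor, also inherited from upstream: the `// check for size being invalid` comment line is tab-indented where the rest of the function uses spaces.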
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
new file mode 100644
index 000000000..43e6076b7
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-14860.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
+https://nvd.nist.gov/vuln/detail/CVE-2017-14860
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
+
+From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak <at> cgc-instruments.com>
+Date: Fri, 6 Oct 2017 23:09:08 +0200
+Subject: [PATCH] Fix for CVE-2017-14860
+
+A heap buffer overflow could occur in memcpy when icc.size_ is larger
+than data.size_ - pad, as then memcpy would read out of bounds of data.
+
+This commit adds a sanity check to iccLength (= icc.size_): if it is
+larger than data.size_ - pad (i.e. an overflow would be caused) an
+exception is thrown.
+
+This fixes #71.
+---
+ src/jp2image.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 747145cf..748d39b5 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -269,10 +269,15 @@ namespace Exiv2
+                             std::cout << "Exiv2::Jp2Image::readMetadata: "
+                                      << "Color data found" << std::endl;
+ #endif
+-                            long pad = 3 ; // 3 padding bytes 2 0 0
++                            const long pad = 3 ; // 3 padding bytes 2 0 0
+                             DataBuf data(subBox.length+8);
+                             io_->read(data.pData_,data.size_);
+-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            // subtracting pad from data.size_ is safe:
++                            // size_ is at least 8 and pad = 3
++                            if (iccLength > data.size_ - pad) {
++                                throw Error(58);
++			    }
+                             DataBuf icc(iccLength);
+                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
+ #ifdef DEBUG
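Review bot: the added check `iccLength > data.size_ - pad` closes the out-of-bounds read the commit message describes, but `iccLength` is declared `long` while `getULong` yields an unsigned 32-bit value; on targets where `long` is 32 bits (i686-linux and armhf-linux among the systems Guix builds for) a length with the top bit set becomes negative, is not rejected by the `>` test, and reaches `DataBuf icc(iccLength)` and the following `memcpy` unchecked. Adding `iccLength < 0 ||` to the condition, or comparing unsigned values, would cover that case. As with the other patch this is copied verbatim from upstream ff18fec2, so it is an upstream follow-up; the only local nit is the tab-indented closing brace after `throw Error(58);`, which does not match the space indentation around it.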
-- 
2.14.3





Information forwarded to guix-patches <at> gnu.org:
bug#29019; Package guix-patches. (Thu, 26 Oct 2017 22:44:02 GMT)

Message #8 received at 29019 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 29019 <at> debbugs.gnu.org
Subject: Re: [bug#29019] [PATCH] gnu: exiv2: Add upstream security fixes.
Date: Thu, 26 Oct 2017 15:42:56 -0700

Marius Bakke <mbakke <at> fastmail.com> wrote:

> Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864.
>
> * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch,
> gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.
> * gnu/packages/image.scm (exiv2)[source]: Use them.

Looks reasonable to me, thank you!

Ludo’.




bug closed, send any further explanations to 29019 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com> Request was from Marius Bakke <mbakke <at> fastmail.com> to control <at> debbugs.gnu.org. (Thu, 26 Oct 2017 22:49:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 24 Nov 2017 12:24:05 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.