From ccb5cac17be98aaa9c3225605d6170c675d8e8e6 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 Jan 2018 17:49:02 -0800 Subject: [PATCH] gnu: libexif: Fix CVE-2016-6328. * gnu/packages/patches/libexif-CVE-2016-6328.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/photo.scm (libexif)[source]: Use it. --- gnu/local.mk | 1 + .../patches/libexif-CVE-2016-6328.patch | 72 +++++++++++++++++++ gnu/packages/photo.scm | 3 +- 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libexif-CVE-2016-6328.patch diff --git a/gnu/local.mk b/gnu/local.mk index 855d9ca460..240554fe4e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -817,6 +817,7 @@ dist_patch_DATA = \ %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch \ %D%/packages/patches/libevent-2.1-dns-tests.patch \ %D%/packages/patches/libevent-2.1-skip-failing-test.patch \ + %D%/packages/patches/libexif-CVE-2016-6328.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \ %D%/packages/patches/libgit2-0.25.1-mtime-0.patch \ %D%/packages/patches/libgdata-fix-tests.patch \ diff --git a/gnu/packages/patches/libexif-CVE-2016-6328.patch b/gnu/packages/patches/libexif-CVE-2016-6328.patch new file mode 100644 index 0000000000..67fee0f528 --- /dev/null +++ b/gnu/packages/patches/libexif-CVE-2016-6328.patch @@ -0,0 +1,72 @@ +Fix CVE-2016-6328: + +https://bugzilla.redhat.com/show_bug.cgi?id=1366239 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328 + +Patch copied from upstream source repository: + +https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d + +From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Tue, 25 Jul 2017 23:44:44 +0200 +Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax + makernote entries. + +This should fix: +https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 +--- + libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c +index d03d159..ea0429a 100644 +--- a/libexif/pentax/mnote-pentax-entry.c ++++ b/libexif/pentax/mnote-pentax-entry.c +@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + case EXIF_FORMAT_SHORT: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; kcomponents; k++) { ++ if (sizeleft < 2) ++ break; + vs = exif_get_short (data, entry->order); + snprintf (val+len, maxlen-len, "%i ", vs); + len = strlen(val); + data += 2; ++ sizeleft -= 2; + } + } + break; + case EXIF_FORMAT_LONG: + { + const unsigned char *data = entry->data; +- size_t k, len = strlen(val); ++ size_t k, len = strlen(val), sizeleft; ++ ++ sizeleft = entry->size; + for(k=0; kcomponents; k++) { ++ if (sizeleft < 4) ++ break; + vl = exif_get_long (data, entry->order); + snprintf (val+len, maxlen-len, "%li", (long int) vl); + len = strlen(val); + data += 4; ++ sizeleft -= 4; + } + } + break; +@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, + break; + } + +- return (val); ++ return val; + } +-- +2.16.0 + diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index e93e4651f3..d8a80acb36 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -91,7 +91,8 @@ (define-public libexif (method url-fetch) (uri (string-append "mirror://sourceforge/libexif/libexif/" version "/libexif-" version ".tar.bz2")) - (patches (search-patches "libexif-CVE-2017-7544.patch")) + (patches (search-patches "libexif-CVE-2016-6328.patch" + "libexif-CVE-2017-7544.patch")) (sha256 (base32 "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"))))