summary refs log tree commit diff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-01-19 17:49:02 -0800
committerLeo Famulari <leo@famulari.name>2018-01-19 17:51:00 -0800
commitccb5cac17be98aaa9c3225605d6170c675d8e8e6 (patch)
treef5edc746192152c97506347d5d0b38e27a6ba905
parente8409dd2754259e6478ebcba390738f832452191 (diff)
downloadguix-ccb5cac17be98aaa9c3225605d6170c675d8e8e6.tar.gz
gnu: libexif: Fix CVE-2016-6328.
* gnu/packages/patches/libexif-CVE-2016-6328.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/photo.scm (libexif)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/libexif-CVE-2016-6328.patch72
-rw-r--r--gnu/packages/photo.scm3
3 files changed, 75 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 855d9ca460..240554fe4e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -817,6 +817,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch	\
   %D%/packages/patches/libevent-2.1-dns-tests.patch		\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
+  %D%/packages/patches/libexif-CVE-2016-6328.patch		\
   %D%/packages/patches/libexif-CVE-2017-7544.patch		\
   %D%/packages/patches/libgit2-0.25.1-mtime-0.patch		\
   %D%/packages/patches/libgdata-fix-tests.patch			\
diff --git a/gnu/packages/patches/libexif-CVE-2016-6328.patch b/gnu/packages/patches/libexif-CVE-2016-6328.patch
new file mode 100644
index 0000000000..67fee0f528
--- /dev/null
+++ b/gnu/packages/patches/libexif-CVE-2016-6328.patch
@@ -0,0 +1,72 @@
+Fix CVE-2016-6328:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1366239
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
+
+Patch copied from upstream source repository:
+
+https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d
+
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 		break;
+ 	}
+ 
+-	return (val);
++	return val;
+ }
+-- 
+2.16.0
+
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index e93e4651f3..d8a80acb36 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -91,7 +91,8 @@ cameras (CRW/CR2, NEF, RAF, DNG, and others).")
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libexif/libexif/"
                                   version "/libexif-" version ".tar.bz2"))
-              (patches (search-patches "libexif-CVE-2017-7544.patch"))
+              (patches (search-patches "libexif-CVE-2016-6328.patch"
+                                       "libexif-CVE-2017-7544.patch"))
               (sha256
                (base32
                 "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"))))