summary refs log tree commit diff
path: root/gnu/packages/patches/exiv2-CVE-2017-14860.patch
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-10-26 22:58:28 +0200
committerMarius Bakke <mbakke@fastmail.com>2017-10-27 00:50:09 +0200
commit4119376d66f2016dd60e5da6b36d90894b6a74f4 (patch)
treec73fcc6714130eb51fb03feb314433673609ca1e /gnu/packages/patches/exiv2-CVE-2017-14860.patch
parentba2cd6c2d8f40bc4d3fb91dd4c6ea05b8a586dec (diff)
downloadguix-4119376d66f2016dd60e5da6b36d90894b6a74f4.tar.gz
gnu: exiv2: Add upstream security fixes.
Fixes CVE-2017-14859, CVE-2017-14860, CVE-2017-14862 and CVE-2017-14864.

* gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch,
gnu/packages/patches/exiv2-CVE-2017-14860.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/image.scm (exiv2)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/exiv2-CVE-2017-14860.patch')
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14860.patch48
1 files changed, 48 insertions, 0 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
new file mode 100644
index 0000000000..43e6076b71
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-14860.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
+https://nvd.nist.gov/vuln/detail/CVE-2017-14860
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
+
+From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Fri, 6 Oct 2017 23:09:08 +0200
+Subject: [PATCH] Fix for CVE-2017-14860
+
+A heap buffer overflow could occur in memcpy when icc.size_ is larger
+than data.size_ - pad, as then memcpy would read out of bounds of data.
+
+This commit adds a sanity check to iccLength (= icc.size_): if it is
+larger than data.size_ - pad (i.e. an overflow would be caused) an
+exception is thrown.
+
+This fixes #71.
+---
+ src/jp2image.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 747145cf..748d39b5 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -269,10 +269,15 @@ namespace Exiv2
+                             std::cout << "Exiv2::Jp2Image::readMetadata: "
+                                      << "Color data found" << std::endl;
+ #endif
+-                            long pad = 3 ; // 3 padding bytes 2 0 0
++                            const long pad = 3 ; // 3 padding bytes 2 0 0
+                             DataBuf data(subBox.length+8);
+                             io_->read(data.pData_,data.size_);
+-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            // subtracting pad from data.size_ is safe:
++                            // size_ is at least 8 and pad = 3
++                            if (iccLength > data.size_ - pad) {
++                                throw Error(58);
++			    }
+                             DataBuf icc(iccLength);
+                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
+ #ifdef DEBUG