Unverified Commit b1cf58a3 authored by Anna Wilcox's avatar Anna Wilcox :fox:

user/exiv2: fix CVE-2018-19535

parent 6f313d7c
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=exiv2
pkgver=0.26
pkgrel=1
pkgrel=2
pkgdesc="Exif, IPTC and XMP metadata library and tools"
url="http://www.exiv2.org"
arch="all"
......@@ -14,9 +14,14 @@ subpackages="$pkgname-dev $pkgname-doc"
source="http://www.exiv2.org/builds/exiv2-$pkgver-trunk.tar.gz
0000-pthread-init-fix.patch
0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
CVE-2018-19535.patch
"
builddir="$srcdir"/exiv2-trunk
# secfixes:
# 0.26-r2:
# - CVE-2018-19535
prepare() {
cd "$builddir"
default_prepare
......@@ -38,4 +43,5 @@ package() {
sha512sums="d1e9cab886e279b045768dd9ec781f07d2d36d573119403d0b76dc571442173aae6972f86ec55c3ea53fb3ee9ca3571eb8fd63a2a6643a970852813e88634a86 exiv2-0.26-trunk.tar.gz
9721d359708c385be7c86a8f8a63de43b05b2578a29b4339861e82873aa81a98a7ee7252847b6c55529341187d40f552c488589b416fd9d1e27418925929c018 0000-pthread-init-fix.patch
485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch"
485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce 0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
ac145a9b4df21e7f5fdd3099e6ae4c1e12ae2cdccc455d0262c5d38b8e07ce6437036a19264bd04b1cb1fffd01d89672044ca82fddd5e71dcd0d84d48356ab12 CVE-2018-19535.patch"
From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Sun, 2 Sep 2018 14:39:52 +0200
Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile
- Now it takes into account text.size_ when searching for a newline
char.
---
src/pngchunk.cpp | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 58281b3ff..755872c94 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -629,11 +629,19 @@ namespace Exiv2 {
sp = (char*)text.pData_+1;
+ int pointerPos = 1;
// Look for newline
-
- while (*sp != '\n')
+ while (*sp != '\n' && pointerPos < (text.size_ - 1))
+ {
sp++;
+ pointerPos++;
+ }
+
+ if (pointerPos == (text.size_ - 1))
+ {
+ return DataBuf();
+ }
// Look for length
From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Mon, 3 Sep 2018 08:51:08 +0200
Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile
---
src/pngchunk.cpp | 36 +++++++++++++-----------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 755872c94..9b3faf1aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -606,11 +606,6 @@ namespace Exiv2 {
DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
{
DataBuf info;
- register long i;
- register unsigned char *dp;
- const char *sp;
- unsigned int nibbles;
- long length;
unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@@ -627,8 +622,7 @@ namespace Exiv2 {
return info;
}
-
- sp = (char*)text.pData_+1;
+ const char *sp = (char*)text.pData_+1;
int pointerPos = 1;
// Look for newline
@@ -638,20 +632,30 @@ namespace Exiv2 {
pointerPos++;
}
+ // Look for length
+ while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+ {
+ sp++;
+ pointerPos++;
+ }
+
if (pointerPos == (text.size_ - 1))
{
return DataBuf();
}
- // Look for length
+ long length = (long) atol(sp);
- while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+ while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+ {
sp++;
+ pointerPos++;
+ }
- length = (long) atol(sp);
-
- while (*sp != ' ' && *sp != '\n')
- sp++;
+ if (pointerPos == (text.size_ - 1))
+ {
+ return DataBuf();
+ }
// Allocate space
@@ -674,10 +678,10 @@ namespace Exiv2 {
// Copy profile, skipping white space and column 1 "=" signs
- dp = (unsigned char*)info.pData_;
- nibbles = length * 2;
+ unsigned char *dp = (unsigned char*)info.pData_;
+ unsigned int nibbles = length * 2;
- for (i = 0; i < (long) nibbles; i++)
+ for (long i = 0; i < (long) nibbles; i++)
{
while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
{
From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Mon, 10 Sep 2018 20:54:53 +0200
Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile
---
src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
1 file changed, 27 insertions(+), 28 deletions(-)
diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 9b3faf1aa..f81b560aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -607,11 +607,11 @@ namespace Exiv2 {
{
DataBuf info;
unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
- 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
- 13,14,15};
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+ 13,14,15};
if (text.size_ == 0) {
return DataBuf();
}
@@ -622,52 +622,51 @@ namespace Exiv2 {
return info;
}
- const char *sp = (char*)text.pData_+1;
- int pointerPos = 1;
+ const char *sp = (char*) text.pData_+1; // current byte (space pointer)
+ const char *eot = (char*) text.pData_+text.size_; // end of text
// Look for newline
- while (*sp != '\n' && pointerPos < (text.size_ - 1))
+ while (*sp != '\n' && sp < eot )
{
sp++;
- pointerPos++;
+ if ( sp == eot )
+ {
+ return DataBuf();
+ }
}
+ sp++ ; // step over '\n'
// Look for length
- while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+ while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
{
sp++;
- pointerPos++;
- }
-
- if (pointerPos == (text.size_ - 1))
- {
- return DataBuf();
+ if (sp == eot )
+ {
+ return DataBuf();
+ }
}
- long length = (long) atol(sp);
-
- while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+ const char* startOfLength = sp;
+ while ( ('0' <= *sp && *sp <= '9') && sp < eot)
{
sp++;
- pointerPos++;
+ if (sp == eot )
+ {
+ return DataBuf();
+ }
}
+ sp++ ; // step over '\n'
- if (pointerPos == (text.size_ - 1))
- {
- return DataBuf();
- }
+ long length = (long) atol(startOfLength);
// Allocate space
-
if (length == 0)
{
#ifdef DEBUG
std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
#endif
}
-
info.alloc(length);
-
if (info.size_ != length)
{
#ifdef DEBUG
@@ -678,7 +677,7 @@ namespace Exiv2 {
// Copy profile, skipping white space and column 1 "=" signs
- unsigned char *dp = (unsigned char*)info.pData_;
+ unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
unsigned int nibbles = length * 2;
for (long i = 0; i < (long) nibbles; i++)
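Review bot: In the PATCH 4/5 hunk at `@@ -622,52 +622,51 @@` the scanning loops evaluate `*sp` before `sp < eot`, and neither `sp++ ; // step over '\n'` is followed by a bounds check, so when the newline is the last byte of `text` the length-skipping loop still dereferences `eot`, one byte past the buffer. Putting the bound first, `while (sp < eot && *sp != '\n')`, and guarding each step-over with `if (++sp == eot) return DataBuf();` would close that. The same hunk leaves the `length == 0` branch holding only the DEBUG message, so execution continues into `info.alloc(length)`. The hex-copy loop after it is mostly outside the visible hunks, but the `while (*sp < '0' || ...)` scan shown as context in PATCH 3/5 has no `eot` test, so both are worth checking against upstream before relying on this backport. `readRawProfile` begins and ends outside these hunks.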