From b1cf58a388a2e50046539ab680567ee15768bf75 Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Sat, 8 Dec 2018 17:30:59 +0000
Subject: [PATCH] user/exiv2: fix CVE-2018-19535

---
 user/exiv2/APKBUILD             |  10 +-
 user/exiv2/CVE-2018-19535.patch | 239 ++++++++++++++++++++++++++++++++
 2 files changed, 247 insertions(+), 2 deletions(-)
 create mode 100644 user/exiv2/CVE-2018-19535.patch

diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index d9ced3064d..12c8c21c6b 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=exiv2
 pkgver=0.26
-pkgrel=1
+pkgrel=2
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="http://www.exiv2.org"
 arch="all"
@@ -14,9 +14,14 @@ subpackages="$pkgname-dev $pkgname-doc"
 source="http://www.exiv2.org/builds/exiv2-$pkgver-trunk.tar.gz
 	0000-pthread-init-fix.patch
 	0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+	CVE-2018-19535.patch
 	"
 builddir="$srcdir"/exiv2-trunk
 
+# secfixes:
+#   0.26-r2:
+#     - CVE-2018-19535
+
 prepare() {
 	cd "$builddir"
 	default_prepare
@@ -38,4 +43,5 @@ package() {
 
 sha512sums="d1e9cab886e279b045768dd9ec781f07d2d36d573119403d0b76dc571442173aae6972f86ec55c3ea53fb3ee9ca3571eb8fd63a2a6643a970852813e88634a86  exiv2-0.26-trunk.tar.gz
 9721d359708c385be7c86a8f8a63de43b05b2578a29b4339861e82873aa81a98a7ee7252847b6c55529341187d40f552c488589b416fd9d1e27418925929c018  0000-pthread-init-fix.patch
-485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce  0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch"
+485bd340169f69a3ce356e59e9138250cc14592f4477bb73827c799fe465535954469634fc58a1856f690f0e0b4171cba6fdd3391d43c0efc5e89652b93eb3ce  0001-Amend-fix-for-9-to-apply-to-other-Unix-systems.patch
+ac145a9b4df21e7f5fdd3099e6ae4c1e12ae2cdccc455d0262c5d38b8e07ce6437036a19264bd04b1cb1fffd01d89672044ca82fddd5e71dcd0d84d48356ab12  CVE-2018-19535.patch"
diff --git a/user/exiv2/CVE-2018-19535.patch b/user/exiv2/CVE-2018-19535.patch
new file mode 100644
index 0000000000..ba93550128
--- /dev/null
+++ b/user/exiv2/CVE-2018-19535.patch
@@ -0,0 +1,239 @@
+From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
+Date: Sun, 2 Sep 2018 14:39:52 +0200
+Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile
+
+- Now it takes into account text.size_ when searching for a newline
+char.
+---
+ src/pngchunk.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 58281b3ff..755872c94 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -629,11 +629,19 @@ namespace Exiv2 {
+ 
+ 
+         sp = (char*)text.pData_+1;
++        int pointerPos = 1;
+ 
+         // Look for newline
+-
+-        while (*sp != '\n')
++        while (*sp != '\n' && pointerPos < (text.size_ - 1))
++        {
+             sp++;
++            pointerPos++;
++        }
++
++        if (pointerPos == (text.size_ - 1))
++        {
++            return DataBuf();
++        }
+ 
+         // Look for length
+ 
+
+From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
+Date: Mon, 3 Sep 2018 08:51:08 +0200
+Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 36 +++++++++++++-----------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 755872c94..9b3faf1aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -606,11 +606,6 @@ namespace Exiv2 {
+     DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
+     {
+         DataBuf                 info;
+-        register long           i;
+-        register unsigned char *dp;
+-        const char             *sp;
+-        unsigned int            nibbles;
+-        long                    length;
+         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+                                             0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+                                             0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+@@ -627,8 +622,7 @@ namespace Exiv2 {
+             return  info;
+         }
+ 
+-
+-        sp = (char*)text.pData_+1;
++        const char *sp = (char*)text.pData_+1;
+         int pointerPos = 1;
+ 
+         // Look for newline
+@@ -638,20 +632,30 @@ namespace Exiv2 {
+             pointerPos++;
+         }
+ 
++        // Look for length
++        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++        {
++            sp++;
++            pointerPos++;
++        }
++
+         if (pointerPos == (text.size_ - 1))
+         {
+             return DataBuf();
+         }
+ 
+-        // Look for length
++        long length = (long) atol(sp);
+ 
+-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
++        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++        {
+             sp++;
++            pointerPos++;
++        }
+ 
+-        length = (long) atol(sp);
+-
+-        while (*sp != ' ' && *sp != '\n')
+-            sp++;
++        if (pointerPos == (text.size_ - 1))
++        {
++            return DataBuf();
++        }
+ 
+         // Allocate space
+ 
+@@ -674,10 +678,10 @@ namespace Exiv2 {
+ 
+         // Copy profile, skipping white space and column 1 "=" signs
+ 
+-        dp      = (unsigned char*)info.pData_;
+-        nibbles = length * 2;
++        unsigned char *dp = (unsigned char*)info.pData_;
++        unsigned int nibbles = length * 2;
+ 
+-        for (i = 0; i < (long) nibbles; i++)
++        for (long i = 0; i < (long) nibbles; i++)
+         {
+             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
+             {
+
+From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 10 Sep 2018 20:54:53 +0200
+Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
+ 1 file changed, 27 insertions(+), 28 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 9b3faf1aa..f81b560aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -607,11 +607,11 @@ namespace Exiv2 {
+     {
+         DataBuf                 info;
+         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+-                                            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+-                                            13,14,15};
++            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
++            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
++            13,14,15};
+         if (text.size_ == 0) {
+             return DataBuf();
+         }
+@@ -622,52 +622,51 @@ namespace Exiv2 {
+             return  info;
+         }
+ 
+-        const char *sp = (char*)text.pData_+1;
+-        int pointerPos = 1;
++        const char *sp  = (char*) text.pData_+1;          // current byte (space pointer)
++        const char *eot = (char*) text.pData_+text.size_; // end of text
+ 
+         // Look for newline
+-        while (*sp != '\n' && pointerPos < (text.size_ - 1))
++        while (*sp != '\n' && sp < eot )
+         {
+             sp++;
+-            pointerPos++;
++            if ( sp == eot )
++            {
++                return DataBuf();
++            }
+         }
++        sp++ ; // step over '\n'
+ 
+         // Look for length
+-        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++        while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+         {
+             sp++;
+-            pointerPos++;
+-        }
+-
+-        if (pointerPos == (text.size_ - 1))
+-        {
+-            return DataBuf();
++            if (sp == eot )
++            {
++                return DataBuf();
++            }
+         }
+ 
+-        long length = (long) atol(sp);
+-
+-        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++        const char* startOfLength = sp;
++        while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+         {
+             sp++;
+-            pointerPos++;
++            if (sp == eot )
++            {
++                return DataBuf();
++            }
+         }
++        sp++ ; // step over '\n'
+ 
+-        if (pointerPos == (text.size_ - 1))
+-        {
+-            return DataBuf();
+-        }
++        long length = (long) atol(startOfLength);
+ 
+         // Allocate space
+-
+         if (length == 0)
+         {
+ #ifdef DEBUG
+             std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
+ #endif
+         }
+-
+         info.alloc(length);
+-
+         if (info.size_ != length)
+         {
+ #ifdef DEBUG
+@@ -678,7 +677,7 @@ namespace Exiv2 {
+ 
+         // Copy profile, skipping white space and column 1 "=" signs
+ 
+-        unsigned char *dp = (unsigned char*)info.pData_;
++        unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
+         unsigned int nibbles = length * 2;
+ 
+         for (long i = 0; i < (long) nibbles; i++)
+
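Review bot: In the final state of the embedded series (patch 4/5), each of the three scanning loops evaluates `*sp` before `sp < eot`, so when `text.size_` is 1 the initial `sp = pData_+1` already equals `eot` and the first dereference reads past the `size_` bytes of the chunk text; the conditions should be ordered `while (sp < eot && *sp != '\n')`, `while (sp < eot && (*sp == '\0' || *sp == ' ' || *sp == '\n'))` and `while (sp < eot && '0' <= *sp && *sp <= '9')`. The second `sp++ ; // step over '\n'` after the digit loop is unconditional and can leave `sp == eot`, while the nibble-copy loop that follows (`for (long i = 0; i < (long) nibbles; i++)`, whose body continues outside the hunk) dereferences `*sp` with no `eot` comparison, so an `if (sp >= eot) return DataBuf();` belongs after that increment. `length` comes straight from `atol` on the chunk text and a zero value is only logged under `DEBUG` before `info.alloc(length)`, so an attacker-controlled length still sets the allocation size and the `unsigned int nibbles = length * 2` truncation. The file carries patches 2/5, 3/5 and 4/5 of the upstream series; whether 1/5 and 5/5 are intentionally omitted should be stated in the commit message or the `# secfixes:` comment.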
-- 
GitLab