commit: bcce9fb0f933198672777469411dd4774bb39ba3 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Mon Mar 4 18:18:27 2019 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 4 18:18:46 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcce9fb0 |
|
media-libs/libexif: rev bump to fix CVE-2018-20030 |
|
While here, fix C89 compatibility issue, too. |
|
Bug: https://bugs.gentoo.org/679418 |
Package-Manager: Portage-2.3.62, Repoman-2.3.12 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
.../files/libexif-0.6.21-CVE-2018-20030.patch | 117 +++++++++++++++++++++ |
...ibexif-0.6.21-fix-C89-compatibility-issue.patch | 30 ++++++ |
media-libs/libexif/libexif-0.6.21-r3.ebuild | 52 +++++++++ |
3 files changed, 199 insertions(+) |
|
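--- /dev/null
+++ b/media-libs/libexif/files/libexif-0.6.21-CVE-2018-20030.patch
@@ -0,0 +1,117 @@
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@××××××××××××××.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags. This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+
+Adjusted for missing https://github.com/libexif/libexif/commit/5d28011c40ec86cf52cffad541093d37c263898a
+
+---
+ libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
+ 2 files changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index e35403d..a6f9c94 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \
+ break; \
+ }
+
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ * work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++ static const double log_1_1 = 0.09531017980432493;
++
++ /* Adding 0.1 protects against the case where n==1 */
++ return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+ *
+ * \param[in,out] data #ExifData
+@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \
+ * \param[in] d pointer to buffer containing raw IFD data
+ * \param[in] ds size of raw data in buffer at \c d
+ * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+ */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ const unsigned char *d,
+- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ ExifShort n;
+@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ return;
+
+- if (recursion_depth > 30) {
++ if (recursion_cost > 170) {
++ /*
++ * recursion_cost is a logarithmic-scale indicator of how expensive this
++ * recursive call might end up being. It is an indicator of the depth of
++ * recursion as well as the potential for worst-case future recursive
++ * calls. Since it's difficult to tell ahead of time how often recursion
++ * will occur, this assumes the worst by assuming every tag could end up
++ * causing recursion.
++ * The value of 170 was chosen to limit typical EXIF structures to a
++ * recursive depth of about 6, but pathological ones (those with very
++ * many tags) to only 2.
++ */
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+- "Deep recursion detected!");
++ "Deep/expensive recursion detected!");
+ return;
+ }
+
+@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ switch (tag) {
+ case EXIF_TAG_EXIF_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_EXIF);
+- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_GPS);
+- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++ recursion_cost + level_cost(n));
+ break;
+ case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ thumbnail_offset = o;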
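Review bot: `level_cost()` in the embedded `@@ -350,6 +351,20 @@` hunk is not defined for every `unsigned int` it accepts: for `n == 0`, `log(n + 0.1)` is negative, and returning a negative `double` as `unsigned int` is undefined behaviour in C. The three call sites shown pass the IFD entry count `n` from inside the tag `switch`, which presumably only runs when `n >= 1`, but that loop lies outside the visible hunks of `exif_data_load_data_content`. Since this cost budget is what bounds parsing work on untrusted EXIF input, I would make the helper total with `if (n == 0) return 0;` before the `return`, or at least extend the comment to `/* Requires n >= 1; adding 0.1 protects against the case where n==1 */`. An explicit `(unsigned int)` cast on the `ceil()` result would also make the narrowing conversion visible to readers and to `-Wconversion`.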
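--- /dev/null
+++ b/media-libs/libexif/files/libexif-0.6.21-fix-C89-compatibility-issue.patch
@@ -0,0 +1,30 @@
+From 3840e4f1f550e0d113e4ed70bd74f9f798f7e6f8 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@××××××××××××××.com>
+Date: Sat, 13 Jul 2013 13:34:50 -0700
+Subject: [PATCH] Fixed a C89 compatibility issue (bug #117 reported by Guenter
+ Knauf)
+
+---
+ libexif/exif-entry.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 54a90a2..bb42473 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1375,12 +1375,14 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ case EXIF_TAG_XP_KEYWORDS:
+ case EXIF_TAG_XP_SUBJECT:
+ {
++ unsigned short *utf16;
++
+ /* Sanity check the size to prevent overflow */
+ if (e->size+sizeof(unsigned short) < e->size) break;
+
+ /* The tag may not be U+0000-terminated , so make a local
+ U+0000-terminated copy before converting it */
+- unsigned short *utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short));
++ utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short));
+ if (!utf16) break;
+ memcpy(utf16, e->data, e->size);
+ utf16[e->size/sizeof(unsigned short)] = 0;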
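Review bot: The overflow guard kept as context next to the moved declaration, `if (e->size+sizeof(unsigned short) < e->size) break;`, only works where `size_t` is no wider than `e->size`. If `e->size` is a 32-bit unsigned field (its declaration is not visible here), an LP64 build evaluates the sum in 64-bit `size_t` and the comparison is always false. Whether that matters depends on the length type `exif_mem_alloc` accepts, which this hunk does not show; if it is 32-bit, the allocation size could wrap while `memcpy` still copies the full `e->size`. A limit comparison such as `if (e->size > UINT_MAX - sizeof(unsigned short)) break;`, with the constant matched to the allocator's parameter type, holds regardless of type widths. The enclosing `case` block continues past the end of the hunk.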
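--- /dev/null
+++ b/media-libs/libexif/libexif-0.6.21-r3.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit libtool multilib-minimal
+
+DESCRIPTION="Library for parsing, editing, and saving EXIF data"
+HOMEPAGE="https://libexif.github.io/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"
+IUSE="doc nls static-libs"
+
+RDEPEND="nls? ( virtual/libintl )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( app-doc/doxygen )
+ nls? ( sys-devel/gettext )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.6.13-pkgconfig.patch
+ "${FILESDIR}"/${P}-fix-C89-compatibility-issue.patch
+ "${FILESDIR}"/${P}-CVE-2017-7544.patch
+ "${FILESDIR}"/${P}-CVE-2018-20030.patch
+)
+
+src_prepare() {
+ default
+ sed -i -e '/FLAGS=/s:-g::' configure || die #390249
+ elibtoolize # For *-bsd
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE=${S} econf \
+ $(use_enable doc docs) \
+ $(use_enable nls) \
+ $(use_enable static-libs static) \
+ --with-doc-dir="${EPREFIX}"/usr/share/doc/${PF}
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" install
+}
+
+multilib_src_install_all() {
+ find "${D}" -name '*.la' -delete || die
+ rm -f "${ED}"/usr/share/doc/${PF}/{ABOUT-NLS,COPYING} || die
+}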