diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/image.scm | 28 | ||||
-rw-r--r-- | gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 | ||||
-rw-r--r-- | gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 |
4 files changed, 0 insertions, 144 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8191c6917a..95d5835fa4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -972,8 +972,6 @@ dist_patch_DATA = \ %D%/packages/patches/evolution-data-server-locales.patch \ %D%/packages/patches/evolution-data-server-libical-compat.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/exiv2-CVE-2017-14860.patch \ - %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/farstream-make.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 68221afff1..2d83313d9e 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -1352,34 +1352,6 @@ and XMP metadata of images in various formats.") ;; <https://launchpad.net/ubuntu/precise/+source/exiv2/+copyright>. (license license:gpl2+))) -(define-public exiv2-0.26 - (package - (inherit exiv2) - (version "0.26") - (source (origin - (method url-fetch) - (uri (list (string-append "https://www.exiv2.org/builds/exiv2-" - version "-trunk.tar.gz") - (string-append "https://www.exiv2.org/exiv2-" - version ".tar.gz") - (string-append "https://fossies.org/linux/misc/exiv2-" - version ".tar.gz"))) - (patches (search-patches "exiv2-CVE-2017-14860.patch" - "exiv2-CVE-2017-14859-14862-14864.patch")) - (sha256 - (base32 - "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7")))) - (build-system gnu-build-system) - (arguments '(#:tests? #f)) ; no `check' target - (propagated-inputs - `(("expat" ,expat) - ("zlib" ,zlib))) - (native-inputs - `(("intltool" ,intltool))) - - ;; People should rely on the newer version, so don't expose it. - (properties `((hidden? . #t))))) - (define-public devil (package (name "devil") diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch deleted file mode 100644 index 69e65aeb6b..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch +++ /dev/null @@ -1,66 +0,0 @@ -Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607 - -From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com> -Date: Sat, 7 Oct 2017 23:08:36 +0200 -Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 - -The invalid memory dereference in -Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() -is caused further up the call-stack, by -v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() -passing an invalid pData pointer (pData points outside of the Tiff -file). pData can be set out of bounds in the (size > 4) branch where -baseOffset() and offset are added to pData_ without checking whether -the result is still in the file. As offset comes from an untrusted -source, an attacker can craft an arbitrarily large offset into the -file. - -This commit adds a check into the problematic branch, whether the -result of the addition would be out of bounds of the Tiff -file. Furthermore the whole operation is checked for possible -overflows. ---- - src/tiffvisitor.cpp | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp -index 4ab733d4..ef13542e 100644 ---- a/src/tiffvisitor.cpp -+++ b/src/tiffvisitor.cpp -@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$") - #include <iostream> - #include <iomanip> - #include <cassert> -+#include <limits> - - // ***************************************************************************** - namespace { -@@ -1517,7 +1518,19 @@ namespace Exiv2 { - size = 0; - } - if (size > 4) { -+ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, -+ // as offset can be arbitrarily large -+ if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset)) -+ || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_))) -+ { -+ throw Error(59); -+ } -+ if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) { -+ throw Error(58); -+ } - pData = const_cast<byte*>(pData_) + baseOffset() + offset; -+ -+ // check for size being invalid - if (size > static_cast<uint32_t>(pLast_ - pData)) { - #ifndef SUPPRESS_WARNINGS - EXV_ERROR << "Upper boundary of data for " diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch deleted file mode 100644 index 43e6076b71..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch +++ /dev/null @@ -1,48 +0,0 @@ -Fix CVE-2017-14860. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 -https://nvd.nist.gov/vuln/detail/CVE-2017-14860 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce - -From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com> -Date: Fri, 6 Oct 2017 23:09:08 +0200 -Subject: [PATCH] Fix for CVE-2017-14860 - -A heap buffer overflow could occur in memcpy when icc.size_ is larger -than data.size_ - pad, as then memcpy would read out of bounds of data. - -This commit adds a sanity check to iccLength (= icc.size_): if it is -larger than data.size_ - pad (i.e. an overflow would be caused) an -exception is thrown. - -This fixes #71. ---- - src/jp2image.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 747145cf..748d39b5 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -269,10 +269,15 @@ namespace Exiv2 - std::cout << "Exiv2::Jp2Image::readMetadata: " - << "Color data found" << std::endl; - #endif -- long pad = 3 ; // 3 padding bytes 2 0 0 -+ const long pad = 3 ; // 3 padding bytes 2 0 0 - DataBuf data(subBox.length+8); - io_->read(data.pData_,data.size_); -- long iccLength = getULong(data.pData_+pad, bigEndian); -+ const long iccLength = getULong(data.pData_+pad, bigEndian); -+ // subtracting pad from data.size_ is safe: -+ // size_ is at least 8 and pad = 3 -+ if (iccLength > data.size_ - pad) { -+ throw Error(58); -+ } - DataBuf icc(iccLength); - ::memcpy(icc.pData_,data.pData_+pad,icc.size_); - #ifdef DEBUG |