From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 3/3] package/exiv2: fix CVE-2019-20421
Date: Sat, 29 Feb 2020 22:32:04 +0100 [thread overview]
Message-ID: <20200229213204.3703303-3-fontaine.fabrice@gmail.com> (raw)
In-Reply-To: <20200229213204.3703303-1-fontaine.fabrice@gmail.com>
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
.../0002-fix_1011_jp2_readmetadata_loop.patch | 86 +++++++++++++++++++
package/exiv2/exiv2.mk | 3 +
2 files changed, 89 insertions(+)
create mode 100644 package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch
diff --git a/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch b/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch
new file mode 100644
index 0000000000..400bf342ce
--- /dev/null
+++ b/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch
@@ -0,0 +1,86 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+[Retrieved (and slighlty updated to keep only the fix) from:
+https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/jp2image.cpp | 25 +++++++++++++++----
+ test/data/Jp2Image_readMetadata_loop.poc | Bin 0 -> 738 bytes
+ tests/bugfixes/github/test_CVE_2017_17725.py | 4 +--
+ tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+ * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+ */
+
+-/*
+- File: jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+ return result;
+ }
+
++static void boxes_check(size_t b,size_t m)
++{
++ if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++ throw Error(kerCorruptedMetadata);
++ }
++}
++
+ void Jp2Image::readMetadata()
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
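Review bot: `boxes_check()` rejects the file once the running count exceeds the caller's `boxem`, so the 1001st box header (outer boxes and sub-boxes combined, since both loops below feed the same counter) is treated as corrupted metadata, and a large but well-formed JP2 with more boxes than that will now fail to parse; a short comment on why 1000 was chosen, or a bound derived from `io_->size()` divided by the box header size, would make the limit easier to justify. The message under `#ifdef EXIV2_DEBUG_MESSAGES` could also print `b` and `m` so such rejections can be diagnosed.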
+@@ -219,9 +225,12 @@ namespace Exiv2
+ Jp2BoxHeader subBox = {0,0};
+ Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
+ Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++ size_t boxes = 0 ;
++ size_t boxem = 1000 ; // boxes max
+
+ while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+ {
++ boxes_check(boxes++,boxem );
+ position = io_->tell();
+ box.length = getLong((byte*)&box.length, bigEndian);
+ box.type = getLong((byte*)&box.type, bigEndian);
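Review bot: the outer loop in this hunk is now bounded by the counter but, unlike the sub-box loop later in the patch, it does not validate the decoded `box.length` against `io_->size()`; for symmetry, and so that an oversized top-level box is rejected on its own rather than only once the counter runs out, consider adding `if (box.length > io_->size()) throw Error(kerCorruptedMetadata);` right after the two `getLong` conversions. Minor style: `size_t boxes = 0 ;` and `boxes_check(boxes++,boxem );` carry stray spaces before the semicolon and closing parenthesis.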
+@@ -251,8 +260,12 @@ namespace Exiv2
+
+ while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+ {
++ boxes_check(boxes++, boxem) ;
+ subBox.length = getLong((byte*)&subBox.length, bigEndian);
+ subBox.type = getLong((byte*)&subBox.type, bigEndian);
++ if (subBox.length > io_->size() ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ #ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Exiv2::Jp2Image::readMetadata: "
+ << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
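Review bot: the new `subBox.length > io_->size()` check bounds the length against the whole file rather than the bytes remaining from the start of this sub-box, and it still accepts a length smaller than the sub-box header that was just read; checking both the lower bound (at least `sizeof(subBox)`) and the remaining size here would reject both cases at this point instead of leaving them to the seek further down. Note that the `&& subBox.length` test in the loop condition runs on the raw, not-yet-byte-swapped value, which is fine for a zero test but deserves a comment.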
+@@ -308,7 +321,9 @@ namespace Exiv2
+ }
+
+ io_->seek(restore,BasicIo::beg);
+- io_->seek(subBox.length, Exiv2::BasicIo::cur);
++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++ throw Error(kerCorruptedMetadata);
++ }
+ restore = io_->tell();
+ }
+ break;
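Review bot: the error path on `io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0` is the right idea, but the `io_->seek(restore,BasicIo::beg)` immediately above it is still unchecked, and whether a relative seek past the end of the data returns non-zero depends on the BasicIo implementation behind `io_`; comparing `io_->tell()` against `io_->size()` after the seek would make the bound independent of that behaviour.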
diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
index 83c880a109..5ca16c4747 100644
--- a/package/exiv2/exiv2.mk
+++ b/package/exiv2/exiv2.mk
@@ -18,6 +18,9 @@ EXIV2_IGNORE_CVES += CVE-2019-13504
# 0001-crwimage-Check-offset-and-size-against-total-size.patch
EXIV2_IGNORE_CVES += CVE-2019-17402
+# 0002-fix_1011_jp2_readmetadata_loop.patch
+EXIV2_IGNORE_CVES += CVE-2019-20421
+
EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
# The following CMake variable disables a TRY_RUN call in the -pthread
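Review bot: the commit message does not say which upstream exiv2 release carries commit a82098f4f90cd86297131b5663c3dec6a34470e8, so it is unclear at which version bump `EXIV2_IGNORE_CVES += CVE-2019-20421` and the patch can be dropped together; the comment naming the patch file above the ignore entry does follow the convention of the `CVE-2019-17402` entry, which helps keep the two in sync.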
--
2.25.0