[Buildroot] [PATCH 1/3] package/exiv2: annotate CVE-2019-13504

[Buildroot] [PATCH 1/3] package/exiv2: annotate CVE-2019-13504

[Fabrice Fontaine]

CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/exiv2/exiv2.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
index 228b3a980e..09988f49b2 100644
--- a/package/exiv2/exiv2.mk
+++ b/package/exiv2/exiv2.mk
@@ -10,6 +10,11 @@ EXIV2_INSTALL_STAGING = YES
 EXIV2_LICENSE = GPL-2.0+, BSD-3-Clause
 EXIV2_LICENSE_FILES = COPYING COPYING-CMAKE-SCRIPTS
 
+# CVE-2019-13504 is misclassified (by our CVE tracker) as affecting version
+# 0.27.2, while in fact both commits that fixed this issue are already in this
+# version.
+EXIV2_IGNORE_CVES += CVE-2019-13504
+
 EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
 
 # The following CMake variable disables a TRY_RUN call in the -pthread
-- 
2.25.0

[Buildroot] [PATCH 2/3] package/exiv2: fix CVE-2019-17402

[Fabrice Fontaine]

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...k-offset-and-size-against-total-size.patch | 39 +++++++++++++++++++
 package/exiv2/exiv2.mk                        |  3 ++
 2 files changed, 42 insertions(+)
 create mode 100644 package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch

diff --git a/package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch b/package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch
new file mode 100644
index 0000000000..78adb2e9d6
--- /dev/null
+++ b/package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch
@@ -0,0 +1,39 @@
+From b7890776c62398ca1005e8edc32786859d60fcf7 Mon Sep 17 00:00:00 2001
+From: Jens Georg <mail@jensge.org>
+Date: Sun, 6 Oct 2019 15:05:20 +0200
+Subject: [PATCH] crwimage: Check offset and size against total size
+
+Corrupted or specially crafted CRW images might exceed the overall
+buffersize.
+
+Fixes #1019
+
+(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
+[Retrieved (and slightly updated to keep only the fix) from:
+https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/crwimage_int.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 29311fdb7..c0d955350 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -268,6 +268,9 @@ namespace Exiv2 {
+ #ifdef EXIV2_DEBUG_MESSAGES
+         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
+ #endif
++        if (this->offset() + this->size() > size)
++            throw Error(kerOffsetOutOfRange);
++
+         readDirectory(pData + offset(), this->size(), byteOrder);
+ #ifdef EXIV2_DEBUG_MESSAGES
+         std::cout << "<---- 0x" << std::hex << tag() << "\n";
+
+From 0a4fdae360c15c0f6e8d0670f8fa7acfa4526497 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Mon, 7 Oct 2019 23:25:00 +0200
+Subject: [PATCH 2/2] [tests] Add regression test for #1019
+
+(cherry picked from commit 73b874fb14d02578f876aa7dd404cf7c07b6dc4e)
diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
index 09988f49b2..83c880a109 100644
--- a/package/exiv2/exiv2.mk
+++ b/package/exiv2/exiv2.mk
@@ -15,6 +15,9 @@ EXIV2_LICENSE_FILES = COPYING COPYING-CMAKE-SCRIPTS
 # version.
 EXIV2_IGNORE_CVES += CVE-2019-13504
 
+# 0001-crwimage-Check-offset-and-size-against-total-size.patch
+EXIV2_IGNORE_CVES += CVE-2019-17402
+
 EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
 
 # The following CMake variable disables a TRY_RUN call in the -pthread
-- 
2.25.0

[Buildroot] [PATCH 3/3] package/exiv2: fix CVE-2019-20421

[Fabrice Fontaine]

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 .../0002-fix_1011_jp2_readmetadata_loop.patch | 86 +++++++++++++++++++
 package/exiv2/exiv2.mk                        |  3 +
 2 files changed, 89 insertions(+)
 create mode 100644 package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch

diff --git a/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch b/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch
new file mode 100644
index 0000000000..400bf342ce
--- /dev/null
+++ b/package/exiv2/0002-fix_1011_jp2_readmetadata_loop.patch
@@ -0,0 +1,86 @@
+From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
+From: clanmills <robin@clanmills.com>
+Date: Tue, 1 Oct 2019 17:39:44 +0100
+Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
+
+[Retrieved (and slighlty updated to keep only the fix) from:
+https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/jp2image.cpp                             |  25 +++++++++++++++----
+ test/data/Jp2Image_readMetadata_loop.poc     | Bin 0 -> 738 bytes
+ tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
+ tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
+ 4 files changed, 35 insertions(+), 7 deletions(-)
+ create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
+ create mode 100644 tests/bugfixes/github/test_issue_1011.py
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index d5cd1340a..0de088d62 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -18,10 +18,6 @@
+  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
+  */
+ 
+-/*
+-  File:      jp2image.cpp
+-*/
+-
+ // *****************************************************************************
+ 
+ // included header files
+@@ -197,6 +193,16 @@ namespace Exiv2
+         return result;
+     }
+ 
++static void boxes_check(size_t b,size_t m)
++{
++    if ( b > m ) {
++#ifdef EXIV2_DEBUG_MESSAGES
++        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
++#endif
++        throw Error(kerCorruptedMetadata);
++    }
++}
++
+     void Jp2Image::readMetadata()
+     {
+ #ifdef EXIV2_DEBUG_MESSAGES
+@@ -219,9 +225,12 @@ namespace Exiv2
+         Jp2BoxHeader      subBox    = {0,0};
+         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
+         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
++        size_t            boxes     = 0 ;
++        size_t            boxem     = 1000 ; // boxes max
+ 
+         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
+         {
++            boxes_check(boxes++,boxem );
+             position   = io_->tell();
+             box.length = getLong((byte*)&box.length, bigEndian);
+             box.type   = getLong((byte*)&box.type, bigEndian);
+@@ -251,8 +260,12 @@ namespace Exiv2
+ 
+                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
+                     {
++                        boxes_check(boxes++, boxem) ;
+                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
+                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
++                        if (subBox.length > io_->size() ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+ #ifdef EXIV2_DEBUG_MESSAGES
+                         std::cout << "Exiv2::Jp2Image::readMetadata: "
+                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+@@ -308,7 +321,9 @@ namespace Exiv2
+                         }
+ 
+                         io_->seek(restore,BasicIo::beg);
+-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
++                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
++                            throw Error(kerCorruptedMetadata);
++                        }
+                         restore = io_->tell();
+                     }
+                     break;
diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
index 83c880a109..5ca16c4747 100644
--- a/package/exiv2/exiv2.mk
+++ b/package/exiv2/exiv2.mk
@@ -18,6 +18,9 @@ EXIV2_IGNORE_CVES += CVE-2019-13504
 # 0001-crwimage-Check-offset-and-size-against-total-size.patch
 EXIV2_IGNORE_CVES += CVE-2019-17402
 
+# 0002-fix_1011_jp2_readmetadata_loop.patch
+EXIV2_IGNORE_CVES += CVE-2019-20421
+
 EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
 
 # The following CMake variable disables a TRY_RUN call in the -pthread
-- 
2.25.0

[Buildroot] [PATCH 1/3] package/exiv2: annotate CVE-2019-13504

[Yann E. MORIN]

Fabrice, All,

On 2020-02-29 22:32 +0100, Fabrice Fontaine spake thusly:
> CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
> version 0.27.2, while in fact both commits that fixed this issue are
> already in this version.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

I've applied patches 2 and 3, as I could follow the commit to upstream
you provided in the patches.

However, for patch 1, I have been able to track only one commit, but you
noted two. It would be nice if youc ould provide the sha1 for those two
commits.

Thanks! :-)

Regards,
Yann E. MORIN.

> ---
>  package/exiv2/exiv2.mk | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
> index 228b3a980e..09988f49b2 100644
> --- a/package/exiv2/exiv2.mk
> +++ b/package/exiv2/exiv2.mk
> @@ -10,6 +10,11 @@ EXIV2_INSTALL_STAGING = YES
>  EXIV2_LICENSE = GPL-2.0+, BSD-3-Clause
>  EXIV2_LICENSE_FILES = COPYING COPYING-CMAKE-SCRIPTS
>  
> +# CVE-2019-13504 is misclassified (by our CVE tracker) as affecting version
> +# 0.27.2, while in fact both commits that fixed this issue are already in this
> +# version.
> +EXIV2_IGNORE_CVES += CVE-2019-13504
> +
>  EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
>  
>  # The following CMake variable disables a TRY_RUN call in the -pthread
> -- 
> 2.25.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 1/3] package/exiv2: annotate CVE-2019-13504

[Fabrice Fontaine]

Le sam. 29 f?vr. 2020 ? 23:21, Yann E. MORIN <yann.morin.1998@free.fr> a ?crit :
>
> Fabrice, All,
>
> On 2020-02-29 22:32 +0100, Fabrice Fontaine spake thusly:
> > CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
> > version 0.27.2, while in fact both commits that fixed this issue are
> > already in this version.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> I've applied patches 2 and 3, as I could follow the commit to upstream
> you provided in the patches.
>
> However, for patch 1, I have been able to track only one commit, but you
> noted two. It would be nice if youc ould provide the sha1 for those two
> commits.
Sure, here it is (from
https://security-tracker.debian.org/tracker/CVE-2019-13504):
- https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
- https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff
>
> Thanks! :-)
>
> Regards,
> Yann E. MORIN.
>
> > ---
> >  package/exiv2/exiv2.mk | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/package/exiv2/exiv2.mk b/package/exiv2/exiv2.mk
> > index 228b3a980e..09988f49b2 100644
> > --- a/package/exiv2/exiv2.mk
> > +++ b/package/exiv2/exiv2.mk
> > @@ -10,6 +10,11 @@ EXIV2_INSTALL_STAGING = YES
> >  EXIV2_LICENSE = GPL-2.0+, BSD-3-Clause
> >  EXIV2_LICENSE_FILES = COPYING COPYING-CMAKE-SCRIPTS
> >
> > +# CVE-2019-13504 is misclassified (by our CVE tracker) as affecting version
> > +# 0.27.2, while in fact both commits that fixed this issue are already in this
> > +# version.
> > +EXIV2_IGNORE_CVES += CVE-2019-13504
> > +
> >  EXIV2_CONF_OPTS += -DEXIV2_ENABLE_BUILD_SAMPLES=OFF
> >
> >  # The following CMake variable disables a TRY_RUN call in the -pthread
> > --
> > 2.25.0
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'
Best Regards,

Fabrice

[Buildroot] [PATCH 1/3] package/exiv2: annotate CVE-2019-13504

[Yann E. MORIN]

Fabrice, All,

On 2020-02-29 23:28 +0100, Fabrice Fontaine spake thusly:
> Le sam. 29 f?vr. 2020 ? 23:21, Yann E. MORIN <yann.morin.1998@free.fr> a ?crit :
> > On 2020-02-29 22:32 +0100, Fabrice Fontaine spake thusly:
> > > CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
> > > version 0.27.2, while in fact both commits that fixed this issue are
> > > already in this version.
[--SNIP--]
> > However, for patch 1, I have been able to track only one commit, but you
> > noted two. It would be nice if youc ould provide the sha1 for those two
> > commits.
> Sure, here it is (from
> https://security-tracker.debian.org/tracker/CVE-2019-13504):
> - https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
> - https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff

Applied to master with those references added to the commit log. Thanks! :-)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 2/3] package/exiv2: fix CVE-2019-17402

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
 > types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
 > in crwimage_int.cpp, because there is no validation of the relationship
 > of the total size to the offset and size.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2019.02.x and 2019.11.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 3/3] package/exiv2: fix CVE-2019-20421

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
 > file can result in an infinite loop and hang, with high CPU consumption.
 > Remote attackers could leverage this vulnerability to cause a denial of
 > service via a crafted file.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2019.02.x and 2019.11.x, thanks.

-- 
Bye, Peter Korsgaard