All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Armin Kuster" <akuster808@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 01/12] exiv2: Fix CVE-2021-29457
Date: Sun, 30 May 2021 11:34:11 -0700	[thread overview]
Message-ID: <eee3b137a084d033994fd5eae31dafa74f880ed5.1622399528.git.akuster808@gmail.com> (raw)
In-Reply-To: <cover.1622399528.git.akuster808@gmail.com>

From: wangmy <wangmy@fujitsu.com>

  References
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29457

  The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
  An attacker could potentially exploit the vulnerability to gain code execution, if they can
  trick the victim into running Exiv2 on a crafted image file.

  Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22]
  CVE: CVE-2021-29457

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5be72693096cef671bf54bf1dd6ee8125614d064)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../exiv2/exiv2/CVE-2021-29457.patch          | 26 +++++++++++++++++++
 meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb |  3 ++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
new file mode 100644
index 0000000000..e5d069487c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch
@@ -0,0 +1,26 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 88ab9b2d6..12025f966 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
+ #endif
+                 box.length = (uint32_t) (io_->size() - io_->tell() + 8);
+             }
+-            if (box.length == 1)
++            if (box.length < 8)
+             {
+-                // FIXME. Special case. the real box size is given in another place.
++                // box is broken, so there is nothing we can do here
++                throw Error(kerCorruptedMetadata);
+             }
+ 
+             // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index ed1e8de5c2..a13db42edd 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -9,7 +9,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
 
 # Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
 inherit dos2unix
-SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch"
+SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
+            file://CVE-2021-29457.patch"
 
 S = "${WORKDIR}/${BPN}-${PV}-Source"
 
-- 
2.17.1


  reply	other threads:[~2021-05-30 18:34 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-30 18:34 [dunfell 00/12] Patch review May 30th Armin Kuster
2021-05-30 18:34 ` Armin Kuster [this message]
2021-05-30 18:34 ` [dunfell 02/12] exiv2: Fix CVE-2021-29458 Armin Kuster
2021-05-30 18:34 ` [dunfell 03/12] exiv2: Fix CVE-2021-29463 Armin Kuster
2021-05-30 18:34 ` [dunfell 04/12] exiv2: Fix CVE-2021-3482 Armin Kuster
2021-05-30 18:34 ` [dunfell 05/12] exiv2: Fix CVE-2021-29464 Armin Kuster
2021-05-30 18:34 ` [dunfell 06/12] exiv2: Fix CVE-2021-29470 Armin Kuster
2021-05-30 18:34 ` [dunfell 07/12] exiv2: Fix CVE-2021-29473 Armin Kuster
2021-05-30 18:34 ` [dunfell 08/12] libsdl: Fix CVE-2019-13616 Armin Kuster
2021-05-30 18:34 ` [dunfell 09/12] hostapd: fix building with CONFIG_TLS=internal Armin Kuster
2021-05-30 18:34 ` [dunfell 10/12] opencv: Add fix for CVE-2019-5063 and CVE-2019-5064 Armin Kuster
2021-05-30 18:34 ` [dunfell 11/12] ebtables: use bitbake optimization levels Armin Kuster
2021-05-30 18:34 ` [dunfell 12/12] dnsmasq: Add fixes for CVEs reported for dnsmasq Armin Kuster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=eee3b137a084d033994fd5eae31dafa74f880ed5.1622399528.git.akuster808@gmail.com \
    --to=akuster808@gmail.com \
    --cc=openembedded-devel@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.