Patchwork [denzil,04/18] Security Advisory - libexif - CVE-2012-2841

Submitter Mark Hatle
Date Feb. 7, 2013, 11:56 p.m.
Message ID <32a676e0135cc4a7f3a24d882e88cc188457aa3a.1360270199.git.mark.hatle@windriver.com>
Permalink /patch/44271/
State New

Comments

Mark Hatle - Feb. 7, 2013, 11:56 p.m.
From: Yue Tao <Yue.Tao@windriver.com>

[ CQID: WIND00366809 ]

Integer underflow in the exif_entry_get_value function in exif-entry.c
in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote
attackers to execute arbitrary code via vectors involving a crafted
buffer-size parameter during the formatting of an EXIF tag, leading to
a heap-based buffer overflow.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 .../libexif/0003-libexif-CVE-2012-2841.patch       | 47 ++++++++++++++++++++++
 meta/recipes-support/libexif/libexif_0.6.20.bb     |  3 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch

Patch

diff --git a/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
new file mode 100644
index 0000000..2e2c949
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
@@ -0,0 +1,47 @@ 
+Index: libexif/exif-entry.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v
+retrieving revision 1.148
+retrieving revision 1.149
+diff -c -u -r1.148 -r1.149
+--- a/libexif/exif-entry.c	12 Jul 2012 17:13:03 -0000	1.148
++++ b/libexif/exif-entry.c	12 Jul 2012 17:26:01 -0000	1.149
+@@ -860,14 +860,15 @@ exif_entry_get_value (ExifEntry *e, char
+ 	 */
+ 	bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
+ 
++	if (!e || !e->parent || !e->parent->parent || !maxlen)
++		return val;
++
+ 	/* make sure the returned string is zero terminated */
+ 	memset (val, 0, maxlen);
+ 	maxlen--;
+ 	memset (b, 0, sizeof (b));
+ 
+ 	/* We need the byte order */
+-	if (!e || !e->parent || !e->parent->parent)
+-		return val;
+ 	o = exif_data_get_byte_order (e->parent->parent);
+ 
+ 	/* Sanity check */
+@@ -925,17 +926,16 @@ exif_entry_get_value (ExifEntry *e, char
+ 
+ 		/*
+ 		 * If we reach this point, the tag does not
+-		 * comply with the standard and seems to contain data.
++ 		 * comply with the standard but seems to contain data.
+ 		 * Print as much as possible.
+ 		 */
+ 		exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
+ 			_("Tag UserComment does not comply "
+ 			"with standard but contains data."));
+-		for (; (i < e->size)  && (strlen (val) < maxlen - 1); i++) {
++ 		for (j = 0; (i < e->size) && (j < maxlen); i++, j++) {
+ 			exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
+ 				_("Byte at position %i: 0x%02x"), i, e->data[i]);
+-			val[strlen (val)] =
+-				isprint (e->data[i]) ? e->data[i] : '.';
++ 			val[j] = isprint (e->data[i]) ? e->data[i] : '.';
+ 		}
+ 		break;
+ 
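Review bot: The new 0003-libexif-CVE-2012-2841.patch starts directly at "Index: libexif/exif-entry.c" with no header, so the file itself carries no description, no CVE reference and no Upstream-Status line. The CVS revision lines (1.148 to 1.149) suggest this is an upstream backport; please say so at the top of the patch file, e.g. "Upstream-Status: Backport", together with a one-line summary of the underflow being fixed. Two smaller points on the embedded diff: the added lines in the second inner hunk begin with a space followed by tabs ("++ 		"), unlike the surrounding tab-only context, so check that this is how upstream committed it and not mail or editor damage; and the rewritten loop uses j as the write index without either inner hunk adding a declaration, so confirm that exif_entry_get_value in 0.6.20 already declares j.
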
diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb
index 45b697d..7d8f8fd 100644
--- a/meta/recipes-support/libexif/libexif_0.6.20.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.20.bb
@@ -8,7 +8,8 @@  PR = "r1"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
 	  file://0001-libexif-CVE-2012-2813.patch \
-	  file://0002-libexif-CVE-2012-2812.patch"
+	  file://0002-libexif-CVE-2012-2812.patch \
+	  file://0003-libexif-CVE-2012-2841.patch"
 
 SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3"
 SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715"
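
Review bot: PR is still "r1" (visible in the hunk header context) although SRC_URI gains a patch that changes the built library. Bump it to "r2" in this same change so that existing build trees and package feeds rebuild libexif and pick up the CVE-2012-2841 fix.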