Patchwork [denzil,07/18] Security Advisory - libexif - CVE-2012-2840

login
register
mail settings
Submitter Mark Hatle
Date Feb. 7, 2013, 11:56 p.m.
Message ID <eaff27511430cdd77ed0a316b370308ca8129777.1360270199.git.mark.hatle@windriver.com>
Download mbox | patch
Permalink /patch/44277/
State New
Headers show

Comments

Mark Hatle - Feb. 7, 2013, 11:56 p.m.
From: Yue Tao <Yue.Tao@windriver.com>

[ CQID: WIND00366793 ]

Off-by-one error in the exif_convert_utf16_to_utf8 function in
exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before
0.6.21 allows remote attackers to cause a denial of service or
possibly execute arbitrary code via crafted EXIF tags in an image.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 .../libexif/libexif/0006-libexif-CVE-2012-2840.patch    | 17 +++++++++++++++++
 meta/recipes-support/libexif/libexif_0.6.20.bb          |  3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch

Patch

diff --git a/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch b/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch
new file mode 100644
index 0000000..81c5821
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch
@@ -0,0 +1,17 @@ 
+Index: libexif/exif-utils.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-utils.c,v
+retrieving revision 1.16
+retrieving revision 1.17
+diff -c -u -r1.16 -r1.17
+--- a/libexif/exif-utils.c	27 Oct 2009 06:06:11 -0000	1.16
++++ b/libexif/exif-utils.c	12 Jul 2012 17:11:30 -0000	1.17
+@@ -239,7 +239,7 @@
+ 				break;
+ 			}
+ 		} else {
+-			if (maxlen > 2) {
++			if (maxlen > 3) {
+ 				*out++ = ((*in >> 12) & 0x0F) | 0xE0;
+ 				*out++ = ((*in >> 6) & 0x3F) | 0x80;
+ 				*out++ = (*in++ & 0x3F) | 0x80;
diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb
index 6affc9e..757163b 100644
--- a/meta/recipes-support/libexif/libexif_0.6.20.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.20.bb
@@ -11,7 +11,8 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
 	  file://0002-libexif-CVE-2012-2812.patch \
 	  file://0003-libexif-CVE-2012-2841.patch \
 	  file://0004-libexif-CVE-2012-2836.patch \
-	  file://0005-libexif-CVE-2012-2837.patch"
+	  file://0005-libexif-CVE-2012-2837.patch \
+	  file://0006-libexif-CVE-2012-2840.patch"
 
 SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3"
 SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715"