From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001
From: takeshi_hoshina
Date: Mon, 2 Nov 2020 11:07:33 +0900
Subject: basesystem-jj recipes
---
.../libexif/libexif/CVE-2020-13114.patch | 73 ++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 external/poky/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
(limited to 'external/poky/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch')
diff --git a/external/poky/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/external/poky/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 00000000..06b8b46c
--- /dev/null
+++ b/external/poky/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks. This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+
+ #define DEBUG
+
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+
++ /* Track the size of decoded tag data.
A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }
-- cgit 1.2.3-korg
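Review bot: The `exif_log` call in the new failsafe branch prints `failsafe_size` with `%lu`, but the second inner hunk declares it as a signed `long`, so the specifier should be `%ld`: `"Failsafe tag size overflow (%ld > %ld)"`. In the same branch, `n->entries[tcount].data` is freed and left dangling before `break`. Adding `n->entries[tcount].data = NULL;` after `exif_mem_free` would keep later cleanup safe, since the code after the loop is outside the hunk and how it sets the entry count cannot be confirmed here. The comment on `FAILSAFE_SIZE_MAX` could also say that the limit counts decoded values summed across all entries rather than bytes, e.g. `/* Upper bound on the summed value count of all Canon MakerNote entries; guards against DoS */`. Because this file is a verbatim backport, these changes are best raised upstream rather than edited into the carried patch.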