Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow Read in Exiv2::Internal::CrwMap::encode #1530

Closed
henices opened this issue Apr 8, 2021 · 15 comments · Fixed by #1539
Closed

heap-buffer-overflow Read in Exiv2::Internal::CrwMap::encode #1530

henices opened this issue Apr 8, 2021 · 15 comments · Fixed by #1539

Comments

@henices
Copy link

henices commented Apr 8, 2021

VERSION
exiv 2 0.27.4.1
https://github.com/Exiv2/exiv2/tree/0.27-maintenance

REPRODUCE

Compile exiv2 with asan:

CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-fsanitize=address" \
-DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
-DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"

Dowload testcases:

https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487
https://github.com/henices/pocs/raw/master/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487.exv

Run command: exiv2 in tests_1bd0a5f4935b053f33ac00f931dde1f47a043487

=================================================================
==119384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000585e at pc 0x0000004c4d0a bp 0x7ffef1036370 sp 0x7ffef1035b20
READ of size 4294967293 at 0x62600000585e thread T0
    #0 0x4c4d09 in __asan_memcpy (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09)
    #1 0x7f40c9907d88 in Exiv2::Internal::CrwMap::encode0x1810(Exiv2::Image const&, Exiv2::Internal::CrwMapping const*, Exiv2::Internal::CiffHeader*) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4c8d88)
    #2 0x7f40c9911007 in Exiv2::Internal::CrwMap::encode(Exiv2::Internal::CiffHeader*, Exiv2::Image const&) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4d2007)
    #3 0x7f40c9769376 in Exiv2::CrwImage::writeMetadata() (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x32a376)
    #4 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
    #5 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
    #6 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
    #7 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16
    #8 0x4224cd in _start (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4224cd)

0x62600000585e is located 0 bytes to the right of 10078-byte region [0x626000003100,0x62600000585e)
allocated by thread T0 here:
    #0 0x4fad47 in operator new[](unsigned long) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fad47)
    #1 0x7f40c98688b1 in Exiv2::DataBuf::alloc(long) (/home/henices/tests/exiv2/build_asan/lib/libexiv2.so.27+0x4298b1)
    #2 0x541653 in (anonymous namespace)::metacopy(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, bool) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x541653)
    #3 0x545049 in Action::Insert::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x545049)
    #4 0x4fddf3 in main (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4fddf3)
    #5 0x7f40c8ede1e1 in __libc_start_main /usr/src/debug/glibc-2.32-37-g760e1d2878/csu/../csu/libc-start.c:314:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/henices/tests/exiv2/build_asan/bin/exiv2+0x4c4d09) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c4c7fff8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff8af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8b00: 00 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa
  0x0c4c7fff8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==119384==ABORTING

Credit: Zhen Zhou of NSFOCUS Security Team

@clanmills
Copy link
Collaborator

What is your plan here? This is the third similar CVE in three days. Exiv2 v0.27.4 is scheduled to ship on 2021-05-22. Are you planning to continuously bombard us with CVEs for weeks and months?

Is it possible to have a Zoom meeting to discuss your intention and how we can cooperate?

@henices
Copy link
Author

henices commented Apr 9, 2021

@clanmills Thanks for your hard work to make exiv2 better. I indeed have several other exiv2 security bugs, but I don't submit all the bugs at the same time, I can't agree with the strong word bombard. Security testing for exiv2 also takes a lot time, if your guys don't like to see these kind of bugs, feel free to them, I will never submit them again.

I don't know is there a deadline for exiv2 release schedule, sorry for the inconvience.

@clanmills
Copy link
Collaborator

clanmills commented Apr 9, 2021

Thank You @henices for the courtesy of your reply. And thank you for opening issues on GitHub about these matters. That's very helpful. The sooner Team Exiv2 knows about these matters, the sooner they can be fixed.

Team Exiv2 agrees that knowing about those issues and fixing them is better that having in the code and unknown to us.

The Exiv2 development plan is to create a new branch called 'main' and to release Exiv2 v1.00 from that branch on 2021-12-15. We would like to ask you to focus your attention on 'main'. We will fix the issues you have opened on 0.27-maintenance and ship that as v0.27.4 on/before 2021-05-22. If we ever make another release from the 0.27-maintenance branch, we will back-port security fixes from 'main'.

I appreciate the effort that you and your co-workers are putting into the important matter of security. I apologise for saying 'bombardment'. My hope this week was to finish my 13 years of working on Exiv2. I was distressed to see those CVEs arrive on day on which I intended to retire!

@kevinbackhouse
Copy link
Collaborator

I am unable to reproduce this. I tested it on Ubuntu 20.04, using the latest version of 0-27-maintenance (commit 05ec05342e17dc94670db1818447c06d0da8f41a). These are the exact steps that I tried:

git checkout 0.27-maintenance 
mkdir build
cd build
CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
make -j8
./bin/exiv2 ~/Downloads/tests_1bd0a5f4935b053f33ac00f931dde1f47a043487

I do not see any ASAN failures.

@kevinbackhouse
Copy link
Collaborator

Oh, I see. I missed the in parameter.

@clanmills
Copy link
Collaborator

@kevinbackhouse I also missed that on #1529 (comment)

I reproduced #1529 as follows:

.../foo $ ls -l
total 88
-rw-r--r--@ 1 rmills  staff  40609  8 Apr 08:01 tests_83a94b3337206caa6803f625eb63db061395cf14
-rw-r--r--@ 1 rmills  staff      9  8 Apr 08:09 tests_83a94b3337206caa6803f625eb63db061395cf14.exv
.../foo $ exiv2 in tests_83a94b3337206caa6803f625eb63db061395cf14
=================================================================
==52084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b7 at pc 0x00010525f7f4 bp 0x7ffeeab2ed10 sp 0x7ffeeab2ed08
WRITE of size 8 at 0x6020000001b7 thread T0
    #0 0x10525f7f3 in Exiv2::Jp2Image::doWriteMetadata(Exiv2::BasicIo&)+0x2143 (libexiv2.0.27.4.2.dylib:x86_64+0xf27f3)

I believe similar medicine is needed for this issue.

The 'in' command is 'insert'. It reads metadata from tests_xxxxx.exv and updates tests_xxxxx.

@kevinbackhouse
Copy link
Collaborator

@clanmills: when I have fuzzed exiv2 in the past, I did not try any of these extra command line options. So my testing probably didn't hit any of these "encode" methods. So it seems quite plausible that there are several more of these bugs lurking there.

From a security perspective, these command line arguments seem much less interesting to me than vanilla exiv2. I can imagine somebody downloading a untrusted image off the internet and using exiv2 to look at it's metadata. I have a much harder time imagining somebody downloading a pair of untrusted files like this and running exiv2 in ... on them.

@pydera
Copy link
Collaborator

pydera commented Apr 9, 2021

I would still suggest to change the type of 'size' from uint32_t to size_t.

@clanmills
Copy link
Collaborator

As always, Kevin, you are saying smart things. I also missed the unusual/obscure 'in' command.

You will be aware that I was in a state of distress yesterday about those CVEs. However, I've had a nice conversation with @henices. The security folks in China are on our side. Their work will make Exiv2 stronger.

My brain isn't up to thinking about the merits of size_t and uint32_t. I believe the CRW format is 32 bit, so either will work. I would change the one that minimises casts.

@kevinbackhouse
Copy link
Collaborator

@pydera: I think uint32_t is a better choice than size_t for this code. The reason is that the type of CiffComponent::size() is uint32_t, which in turn is because we are parsing a uint32_t from the input file. Introducing size_t here would just add a risk of the code behaving differently on a 64 bit platform compared to 32 bit, for no good reason.

@pydera
Copy link
Collaborator

pydera commented Apr 9, 2021

@kevinbackhouse as far as I can see DataBuf.size() returns 'long' (int64_t on LP64). I did not look deeper into this, but was afraid that it might be possible to handcraft files where a size of >uint32_t-max could be returned and then overflow the uint32_t size.

@kevinbackhouse
Copy link
Collaborator

@pydera: Yes, I agree that size_t would probably be a better choice for DataBuf.size(), rather than long. Unfortunately long is very widely used in this codebase so I think it would be quite a lot of work to switch everything over to size_t. My biggest concern is that long is 32 bits on Windows, so there is a higher risk of an integer overflow on Windows. The good news is that the new in DataBuf's constructor would throw an exception (and terminate the program) if you managed to overflow the size.

@pydera
Copy link
Collaborator

pydera commented Apr 9, 2021

@kevinbackhouse Agreed. My point of view was "just looking at THIS function" without deeper research on CiffComponent, I saw that DataBuf::size() could potentially overflow 'size'. Not looking at CiffComponent I concluded that changing 'size' to size_t would always be a safe choice while uint32_t needs further investigation.
As CiffComponent::size() returns indeed uint32_t we are safe here, but looking at 'this' you could only know by also looking at CiffComponent, whereas size_t would make it clear at first sight.

@henices
Copy link
Author

henices commented Apr 9, 2021

@clanmills: when I have fuzzed exiv2 in the past, I did not try any of these extra command line options. So my testing probably didn't hit any of these "encode" methods. So it seems quite plausible that there are several more of these bugs lurking there.

From a security perspective, these command line arguments seem much less interesting to me than vanilla exiv2. I can imagine somebody downloading a untrusted image off the internet and using exiv2 to look at it's metadata. I have a much harder time imagining somebody downloading a pair of untrusted files like this and running exiv2 in ... on them.

there is another way to exploit these bugs, a single image file is enough.

@henices henices closed this as completed Apr 9, 2021
kevinbackhouse added a commit to kevinbackhouse/exiv2 that referenced this issue Apr 9, 2021
@clanmills clanmills added this to the v0.27.4 milestone Apr 9, 2021
@clanmills clanmills linked a pull request Apr 9, 2021 that will close this issue
@clanmills clanmills modified the milestone: v0.27.4 Apr 9, 2021
@clanmills clanmills reopened this Apr 9, 2021
mergify bot pushed a commit that referenced this issue May 10, 2021
(cherry picked from commit c92ac88)

# Conflicts:
#	tests/bugfixes/github/test_issue_1530.py
clrpackages pushed a commit to clearlinux-pkgs/exiv2 that referenced this issue Jun 17, 2021
…27.4

Alejandro Criado-Pérez (1):
      Added ES translations

Alex Esseling (2):
      add_cr3_tags
      fixing exceptions and reordering tags

Christoph Hasse (10):
      Implement handling of new Nikon LensData version 8.0 and 8.01
      try and  fix ci-build
      try and  fix ci-build 2/N
      try and  fix ci-build 3/N
      add shutter mode and mechanical shutter count to nikon makernote 3
      include test of shutter mode and mech shutter count in lensdata 8 test
      use EXV_PRINT_TAG macro instead of specific print function
      fix formatting
      introduce parseTiff method to parse exif
      run clang-format on new files

Freddie Witherden (2):
      Add support for Sony lens aberration correction parameters.
      Add support for Fuji's CropMode tag.

Ingo Weyrich (1):
      Use a.rfind(b, 0) == 0 instead of a.find(b) == 0 to reduce processing time when checking that a starts wit b, #1459

Jan Tojnar (2):
      cmake: Fix paths with absolute GNUInstallDirs
      cmake: Fix include_directories for exiv2lib target

Kevin Backhouse (26):
      Fix incorrect delete.
      Regression test for Exiv2/exiv2#1530
      Fix integer overflow.
      Fix test name
      Use $kerCorruptedMetadata, rather than hard-coded string.
      Regression test for GHSA-5p8g-9xf3-gfrr
      Improve bound checking in WebPImage::doWriteMetadata()
      Regression test for GHSA-jgm9-5fw5-pw9p
      Better bounds checking in Jp2Image::encodeJp2Header()
      Fix signed/unsigned compiler warnings.
      Regression test for GHSA-8949-hhfh-j7rj
      Add more bounds checks in Jp2Image::encodeJp2Header
      Regression test for GHSA-7569-phvm-vwc2
      Add bounds check in Jp2Image::doWriteMetadata().
      Fix infinite loop caused by subBox with zero size.
      Prevent large allocation.
      Initialize field.
      Use readOrThrow to check error conditions of iIo.read().
      Fix quadratic complexity performance bug.
      Regression test for Exiv2/exiv2#1570.
      Fix out-of-bounds read in bmffimage.cpp
      Stop the test from failing when EXIV2_ENABLE_BMFF=Off.
      Fix signed/unsigned compiler warning.
      Fix signed/unsigned compiler warning.
      Fix LGTM warning about format specifier
      Check that the string is properly terminated.

Lemures Lemniscati (1):
      samples/xmpprint.cpp: Fix typos

LeoHsiao (76):
      Converted two bash test scripts into Python scripts as an example
      Correct ioTest's execution directory
      Rename unit_test and import it in system_tests.py
      Update the documentation for the test cases
      Let bash_test read the configuration parameters from suite.conf
      Rename bash_test to bash_tests
      Wrap shell commands in single quotes
      Rename tests/README.md
      Rename the variable `output` to `out`
      Add default parameter value to the function 'runTest'
      Define a class 'Log' to merge logs into Python exception message
      Rewrite testcase 'addmoddel'
      Add methods setUp() and tearDown()
      Add some functions to replace shell commands: cp, rm, cat, grep, save, diff
      Rewrite testcase 'conversions'
      Rewrite testcase 'crw-test'
      Clear the log buffer after test
      Rewrite testcase 'exifdata-test'
      Add functions: mv, md5sum
      Rewrite testcase 'icc-test'
      Optimize class 'Log' and add class 'Conf'
      Add excute() to replace runTest()
      Optimize cat(), save() and excute() to handle bytes type content
      Rename bash_tests.utils as BT
      Optimize Conf.init() in bash_tests.utils
      Completed test_io()
      Remove copyTestFiles()
      Add class 'Output' to simulate the stdout buffer
      Refactor exiv2-test.sh to test_exiv2()
      Rewrite diff() to simulate the output of GNU diff
      Refactor imagetest.sh to test_image()
      Rename class 'Conf' to 'Config'
      Rename test cases from 'test*()' format to '*test()' format
      Mainly optimize utils.py:
      Add functions: diff_byte(), diffCheck()
      Refactor iptctest.sh to iptc_test()
      Modify printTest(): Ignore the difference of data_dir
      Add environment variables: EXIV2_HTTP, EXIV2_PORT
      Adjust line breaks, binary extension on Windows
      Adjust the format of the command on Windows
      Ignore printTest() output differences on Windows
      Ignore conversions_test() output differences on Windows
      Ignore .vscode
      Deprecated Config.exiv2_ext
      Refactor modify-test.sh to iso65k_test()
      Refactor path-test.sh to path_test()
      Adjust code spacing
      Refactor function execute() to class Executer
      Refactor modify-test.sh to modify_test()
      Add find()
      Refactor preview-test.sh to preview_test()
      Refactor stdin-test.sh to stdin_test()
      Refactor stringto-test.sh to stringto_test()
      Refactor tiff-test.sh to tiff_test()
      Add description for the module lxml
      Refactor version_test.sh to version_test()
      Refactor webp-test.sh to webp_test()
      Optimize diff()
      Refactor write-test.sh to write_test()
      Refactor write2-test.sh to write2_test()
      Refactor xmpparser-test.sh to xmpparser_test()
      Ignore the difference in the path separator for stdin_test
      Fix webp_test: correct a test file name
      Enhance function find(), cp(), rm(), mv()
      add nls_test()
      Fix variable LANG in nls_test()
      Correct the output of exiv2-test
      Fix nls_test(): Check only part of the output
      Supports setting EXIV2_HTTP or EXIV2_PORT to '' to ignore HTTP test
      Support to display the command to execute
      Support variables: DYLD_LIBRARY_PATH, LD_LIBRARY_PATH
      Set the variable EXIV2_ECHO when executing `make python_tests VERBOSE=1`
      let `make python_tests` runs in verbose mode
      Set the default value for the variable VALGRIN to empty
      Cancel adding a newline when testing
      Simplify functions: runTest(), verbose_version()

Leonardo Brondani Schenkel (2):
      Detect Sigma 18-35mm f/1.8 DC HSM (firmware 2.x)
      Make lens name consistent with models 150 and 368

Luis Diaz Mas (1):
      Use check_cxx_compiler_flags instead of C version

Luis Díaz Más (17):
      Use ctime instead of time.h
      Assume existence of stdint.h
      Move winsock2 inclusion to http.cpp
      WIN32_LEAN_AND_MEAN propagated with exiv2lib target
      Include winsock2 at the beginning of http.cpp
      Revert "change implementation of Exiv2::base64encode() to adopt implementation from same URL as base64decode()."
      Hide exiv2-xmp dependency in CMake config file:
      Use latest available version of Conan in CI
      Hide zlib absolute path in cmake config file
      Adding Ubuntu 18.04 & 20.04 to travis builds
      CI: Special packages for Ubuntu 20.04
      CI: Fix how we pass CMake options in travis
      Modify strncpy0 to avoid warning
      ci: use always pip3 for installing conan
      ci: Use same travis jobs as in main (drop Ubuntu 16.04)
      New mergify config file to forward changes to main
      ci-travis: trying to fix valgrind build

Miloš Komarčević (40):
      Remove EXIV2_EXT variable references
      Remove remaining vestiges of binary_extension
      Add more easy accessors for Exif & TIFF/EP overlap
      Add DateTimeOriginal to easyaccess
      Test cover for added easyaccess methods
      Fix easyaccess-test
      Preserve trailing space in test_easyaccess.py output
      Fix CanonFi typo in man page
      exiv2 pr uses easyaccess API (co-authored with clanmills)
      actions: simplify print summary using easyaccess
      Add some DNG related tag values
      Fix syntax error, improve value name style
      Add DNG CFALayout values
      Also use existing light source pretty print for DNG
      Update CalibrationIlluminant test
      Add remaining DNG 1.3 tag values
      Minor DNG related changes after review
      Moved ambient tags to Exif only list, other refactoring
      Complete DNG 1.4 spec support
      Fix Pana tag typo and improve Fuji tag description
      Add DNG 1.5 tags and values
      Promote remaining SHORT/LONG tags default type
      Pretty print PlanarConfig
      Add DNG 1.6 support
      Add DNG 1.6 test
      Fix MinGW build for Ninja generator
      Adding DNG 1.6 triple-illuminant calibration tags
      Include HEIC type in docs
      Minor whitespace formatting
      Revert style changes
      Terminate empty ASCII strings as well
      Include HEIC type explicitly
      Add comment and test case
      Include a few more BMFF major brands
      Add mif1 brand to heif mime type
      Replace tabs to fix indentation issues
      Fix readme typo
      Check for symlinks when uninstalling
      Match closing statement, doh
      Update bmffimage.hpp include order and path (#1648)

Olli Lupton (2):
      Add LensType entry for Olympus M.Zuiko Digital ED 17mm F1.2 Pro lens.
      Add a test for PR 1375, checking the Olympus 17mm f/1.2 Pro lens is recognised correctly.

Peter Kovář (17):
      [WIP] Add ISO/IEC Base Media File Format
      Small corrections
      [WIP] Added box types
      [WIP] Base Media File Format
      [WIP] Redefine tags
      [WIP] Another try
      [WIP] Correction
      [WIP] 64-bit length
      [WIP] Correction to make Travis CI happy
      [WIP] Yet another type cast correction to make Travis CI happy
      [WIP] Fixed Image Spatial Extents Property Handling
      Corrected format string
      Add CR3 image dimensions
      Update README.md
      Add artist tag
      Revert "Add artist tag"
      Remove executable bits from test data files

Pydera (1):
      Fix out of buffer access in #1529

Robin Mills (179):
      fix_1236_0.27
      Reverting changes to test/icc-test.sh for investigation.
      Fix correctly this time and tested with the user files.  Test suite updated to use Reagan2.jp2
      Fixed typo declaration of pad when writing ICC profile.
      Update icc-test.out
      Disable libiconv support when building with Visual Studio.
      fix_1266_GPSProcessingMethod
      fix_1268_GPSProcessingMethod
      fix_solaris_stack_protection_0.27
      fix_solaris_stack_protection_0.27
      fix_1297_crwtest_linux_coverage  This is a copy of master/.travis.yml to see what happens on the CI.
      fix_cygwin_stack_protection_0.27
      Second effort to unexpose winsock2.h from include <exiv2/exiv2.hpp> using EXIV2_BUILDING_EXIV2 mechanism.
      Updated reference output.  Well spotted, @piponazo.
      Fixing previous incorrect commit.
      fix_1353_mingw_toolchain_0.27
      Exiv2/exiv2#1356 (comment)
      fix_1393_iptc_tags_web_0.27
      I hope I've made a better job of this at this attempt.  I don't thing the "section" enum is of much importance.  I don't believe anything in particular is done with with it.
      Fix tag GPSHPositioningError to use printValue() pretty-printer.
      Clarified definition and use of enum SectionId @kmilos: please review/approve.
      Documentation revision in response to #1394
      New profiles as documented in README-CONAN.md
      Add ribbon to README-SAMPLES.md.  Fixing typos.
      Moved orphaned declaration of exifGPSDirRef.
      Documented exiv2lib_export.h
      Update script cmd64.bat following review by @tester0077
      I hope this is the final change to this PR.
      WIP #1402  rafimage::printStructure() improved formatting.
      bumpRevision_0.27.4.9
      WIP: working to understand how to support tiffIfd in tiffvisitor_int.cpp
      Remove debugging code.
      Add FujiIFD to TiffCreator::tiffGroupStruct_
      Success.  It's working!
      Code/comment tidy.
      Add to test harness.
      Fix significant typo in cmd64.bat
      Pointless change to trigger CI to build again.
      Hoping for CI Contentment!
      Calming Test Suite concerning Continuous and CropMode confusion.
      fix_1431_binary_comment.
      appveyor_mingw_0.27
      Changed APPVEYOR_BUILD_WORKER_IMAGE
      Try again.
      One more time.
      And another go.
      Getting better.
      Modify the path.
      Might build this time.
      Fix typo.
      Run python_tests.
      Reformmated.
      Try again!
      Debugging mingw.yml
      Last change, I hope.
      And another try.
      And another.
      Debugging mingw.yml
      Debugging mingw.yml
      More debugging.
      Debugging
      More debugging.
      Only run python_tests
      Try to build using Cygwin/64
      Debugging cygwin/64
      Cygwin
      Cygwin: Add zlib and expat to install
      Cygwin/64 install depedencies.
      libexpat-devel
      Use C++98 and run python tests.
      Install pip
      Trying to get pip to install.
      Com'on pip3.
      Install libxml2 and libxslt
      python38-libxml2
      Build and test both MinGW/msys2 and Cygwin64
      Fix matrix syntax.
      Try again.
      Build Cygwin and MinGW in parallel.
      Try again.
      Fixing typo
      Rename appveyor configuration file.
      Modified install to only install what's required for BUILD
      Restored 0.27.2 "toString()" behaviour of Exifdatum.value().toString() for CommentValue.
      Fixing test suite.
      Revert "Fixing test suite."
      Revert "fix_1431_binary_comment."
      Revert "Restored 0.27.2 "toString()" behaviour of Exifdatum.value().toString() for CommentValue."
      Revert "Revert "fix_1431_binary_comment.""
      Add test image.
      Add test script.
      Enhanced documentation formatting.
      Fixing test suite.  I've explained the changes in a note in the PR.
      Fix image handler to give jp2image code higher priority than the next isobmff code.
      Rename class ISOBMFF => class bmffImage to match other image handlers.  Removed C++11 style code.  Removed unused code.
      Fixing Linux build/test issues.
      Fix Linux build-breaker when ENABLE_ISOBMFF=False and EXIV2_TEAM_WARNINGS_AS_ERRORS=On
      Modified ci/install.sh to install cmake before dependencies.
      fix_1464_sony2010e Fix c++ code
      fix_1464_sony2010e Add test file and test script
      fix_1464_sony2010e test script
      fix_1471_sony2010_0.27
      Test suite update.
      Change test suite timeout.
      C++ simplification.
      WIP: Refactored readMetadata() into recursive boxHandler()
      Fixing a build breaker.
      Fix linux/CI build breaker.
      Fix msvc/CI build breakers.
      Fix linux/CI build breaker.
      Fixing warnings from LGTM/CI.
      More fixes for LGTM/CI warnings.
      WIP: Added class Iloc and related code.
      Fixed recursion issue in the meta box.
      Tidying up. 1. pixelHeight_. 2. refactored indenter() -> indent(). 3. EXIV2_DEBUG_MESSAGES outputs to std::cerr
      Updating .gitignore.
      Parse Exif in .HEIC/.AVIF
      Cleanup.  1. Recursively process uuid/cano box. 2. Fix LGTM/CI sprintf grumbles. 3. Comment parseTiff() in bmffimage.hpp.
      Tidy up.  Rename Tag::cr3_exif -> Tag:cmt2
      Revised following code review by @hassec.  Thank You, Christoph.
      Remove bmffimage::printStructure() as discussed in review with @hassec.  Corpse removal and cleanup in bmpfimage.hpp
      Added parseXmp() to parse Xmp metadata.
      Fix .CR3 files to call parseXmp().
      Rename test image.
      WIP: adding BmffImage::printStructure() and support for colr box.
      Cosmetic change to -pR/-pS output.
      Adding HIF tests.
      Fix MSVC build breaker and modify test_pr_1475_HIF.py to run on Windows.
      Renamed a test file.
      Test suite updates.
      Add SECURITY.md and reference it from the Security Tab in the GitHub Web UI.
      Following review by @hassec, I use static base64_encoding vector in both Exiv2::base64encode() and Exiv2::base64decode().
      Move system_tests.runTest() and system_tests.verbose_version() to system_tests.BT
      fix_1486_effort2 Exiv2/exiv2#1486 (comment)
      use raise from test_pr1475*.py
      Add unit_tests to suite.conf
      Add python scripts equivalent to test/version_test.sh and unit_test.sh
      Refactor CMakeList.txt to run all tests using tests/runner.py
      Add test/ReadMe.txt
      Fix typos.
      Fix comments.
      Fix LD_LIBRARY_PATH.  Add option arg raw=False to runTest()   Use raw=True in unit_test.py.
      Sniff for unit_tests.exe!
      Better logic and error message.
      exiv2_v27_4_rc1
      exiv2 --verbose --version was reporting have_strerror_r twice!
      Massive code prolog cleanup.
      Exiv2 v0.27.4 RC1 Preview.
      v27_4_rc1_effort2
      Updated the user documents.  Most changes relate to running the test suite.
      Add optional parameter forgive=False to reportTest() for use by nls_test to avoid false fails.
      Downgrade version to 0.27.4.10 = 0.27.4 RC1 Preview.
      Fixing typos.
      Bump revision number to Exiv2 v0.27.4 RC1.  PR will be marked for review.
      Clarify bmff suppport as readonly.
      Set LD_LIBRARY_PATH to run bundled bin/exiv2.
      Push change in PR #1500.  Thank you @kmilos.
      Update releasenotes.txt with more credit for Milos (and trigger macOS/CI which is red).  All platform build on MacMini.
      fix_1507_avif_size0x0
      Documentation Update (as discussed in #1508)
      Use the documented 5 line prolog in every sample application.  Tidy up sample prologs and header code.
      fix_1508_enableBMMF_effort2
      Add test script.
      fix_1504_metacopy_optstring
      fix_1503_JXL_bmff
      Added test file and script.
      Fix build breaker in test_issue_1503.py.
      fix_1522_jp2image_exif_asan
      test fix_1522_jp2image_exif_asan
      update_README_localisation
      v0.27.4RC2
      v0.27.4 RC2 Release Notes.
      bump_release_number_0.37.4.39
      fix_enableBMFF
      Bump version number.
      Update releasenotes.txt
      update changelog
      fix_broken_man_page
      v0.27.4

Thomas Petazzoni (1):
      Properly detect availability of flags in cmake/compilerFlags.cmake (#1252)

clanmills (78):
      fix_1276_BUILD_PO_0.27
      Do not build WebReady with Visual Studio.
      Build with C++11
      Disable coverage (see #1297)
      Tweak conversion.sh for TZ conversion error in MSVC.
      Fix #1300
      Use ubuntu on CI
      Remove .. from CMAKE_OPTIONS.
      -CMAKE_CXX_STANDARD=98 and Disable UNIT_TESTS.
      Simplify ci/run.sh
      Don't use ASAN on CI.
      -DCMAKE fix.  Thanks @piponazo
      Disable Fedora/CentOS/Archlinux on gitlab/CI.
      fix 1307 ASAN issues with RemoteIo
      fix_1329_remove_bigtiff_0.27
      Remove bigtiffimage.hpp from include/exiv2/CMakeLists.txt
      Fix: https://travis-ci.org/github/Exiv2/exiv2/jobs/730867927
      run_stdin-test.sh_0.27
      fix_1335_winsock2_0.27
      pythonic_bash_ci_0.27
      temporarily disable stdin-test and webp-test to get the CI operational again.
      nls-test script and reference file.
      Makefile updated to run nls-test.sh as part of bash_tests
      Adding test files to test suite.
      Script and reference file changes.
      Adding test files and bash script/reference-output
      Code changes
      C++ changes requested by @piponazo.  Fix python png_test() recommended by @LeoHsiao1.  Update reference output.
      Enable CentOS on gitLab-ci.
      Adding test files to test suite.
      Script and reference file changes.
      Temporarily neuter DEXIV2_TEAM_USE_SANITIZERS to get CentOS to build.
      Revert the last two changes.  GitLab/centOS makes no sense.  Will build on MacMini.
      Fix compiling http.cpp and reinstate centOS on gitLab.
      Disable centOS on CI.  The web-server goes crazy althought this doesn't happen in the terminal on centOS.
      Fixing variable LANG
      replace base64encode in src/futils.cpp
      change implementation of Exiv2::base64encode() to adopt implementation from same URL as base64decode().
      Add +x (execute) attribute to shell scripts.
      Fix handling of environment string VERBOSE
      Don't set --verbose in makefile.  Don't treat exiv2_echo == VERBOSE.
      Fixing VERBOSE in environment (args.verbose==2 when set.  args.verbose==0 when not set).
      Fixing EXIV2_PORT on MinGW/msys2.
      Disable OpenSUSE on CI.  It's complaining about being unable to install the correct version of curl.
      Adding support for environment strings EXIV2_HTTP and EXIV2_PORT
      Adding support for VALGRIND and EXIV2_BINDIR
      Disable exiv2 option --binary
      Adding python test
      Updating man page.
      fix_929_exif2.31_0.27
      Fix python test breaker
      Fixing exiv2-test.sh message when test/tmp is empty.
      Adding test images.
      Changed CI build default -DEXIV2_ENABLE_BMFF=On.  Fixed suite to run with/without bmff.  -pS and -pR same for bmff.
      Added 2.19 Support for bmff files
      Updated for bmff.
      Re-awaken obsolete command-line argument --binary and store class Task.
      refactored setModeAndPrintStructure() to respect class Task.binary_ when printing ICC profiles.
      Minor corrections and clarification concerning enableBMFF().
      Fix box.length == to use bigEndian decode!  Fix toAscii() to emit on ascii 32-127 bytes.
      Test suite update.
      With good fortune, bmffimage is ready for review.
      Replaced the ugly code in Exiv2::base64encode() and update the test suite.
      Fix Linux build breakers.
      Replaced Exiv2::base64encode() because last effort failed unit test on msvc.
      This should be it.  Test suite fixed.
      Trick to avoid msvc issue with final line of base64 data.
      Fix ICC profile handling (my bad, iOS files are correct).
      Restoring i < dataLength trigraph that I should not have removed.
      Restore -pC --binary to output everything.  Test suite updated to suit.
      Fix #1358.  This should be in a different PR.  Keep changes to base64 encode/decode together.
      Another effort to fix base64decode and associated unit test.
      Updated to adopt Review suggestions by @kmilos.  Thank You, Milos.
      Fix msvc build breaker.
      Thank You @piponazo for the code review.  I've made the changes you requested.
      Following review by @piponazo, I am clarifying the bool return from Exiv2::enableBMFF().
      fix_1473_LocationShown
      Exiv2/exiv2#1486 (comment)

czgnp (3):
      Update canonmn_int.cpp
      and a test case for Python
      and the test files

evanokeeffe (1):
      found a bug in metacopy, the -x parameter wasn't in the optstring. rectified that

hanno@schwalm-bremen.de (3):
      Adding support for DefaultUserCrop and BaselineExposureOffset
      Fix typo and remove empty line.
      Revert exv commit and remove empty line.

postscript-dev (7):
      Add missing "Xmp" to project description
      Update PACKAGE_URL and PROJECT_DESCRIPTION text
      Fix langAltValue::read() parsing
      Add static to LangAltValue::read() const values
      Change LangAltValue::read() tests to unitTests
      Fix spelling mistakes in LangAltValue::read()
      Update exiv2 man page - langAlt format

tbeu (1):
      Fix write ability flags of PSD files (#1260)
@fgeek
Copy link

fgeek commented Aug 6, 2021

CVE-2021-31292 has been assigned for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants