[0.26] try backporting fixes for CVE-2018-{12264,12265} #398

vcunat · 2018-08-04T17:33:04Z

I tried backporting the missing CVE commits from #365 and #366, but someone actually knowing this project's code should have a look. Perhaps @D4N?

Add offset_ and size_... had only a trivial conflict around the includes, so I haven't really read it properly.
Fix addition overflows... wasn't so trivial, as the code in the second hunk has changed a bit.

Several checks for extracted values performed no overflow checks on the addition. They can be tricked into passing, albeit the individual summands are too large. => use Safe::add() which now aborts when an overflow occurs This fixes Exiv2#366 (cherry picked from commit fe70939)

offset_ can become arbitrarily large and overflows once its added to size_, this causes all kinds of problems further in the code when offset_ is used again. => Use Safe::add() to catch potential overflows This fixes Exiv2#365. (cherry picked from commit 937a1a2)

D4N · 2018-08-05T07:31:15Z

Please also try to cherry-pick the following commits:

They add the reproducers to the test suite, surround the exiv2-cli program with a try {..} catch {..} block and fix the test names.

It effectively looks the same as before, only now we don't call abort() but instead clean up everything gracefully. (cherry picked from commit f4e8ed2)

(cherry picked from commit 9b08354)

(cherry picked from commit b517f2e)

Issues got a CVE assigned (cherry picked from commit e67910a)

vcunat · 2018-08-05T15:38:59Z

OK, added. Only trivial conflicts in there.

I wasn't able to run make tests; it seems I'm missing something about how they should be run...

The testsuite now uses python's template module for string substitutions which allows for a more natural substitution syntax known from the shell. Also, it allows to run the substitutions multiple times, which is not possible with string.format(). The heavy-lifting is now performed via a metaclass, which expands all variables on the class creation. (cherry picked from commit bd9d085)

vcunat · 2018-08-05T16:19:32Z

OK, by misusing travis I fixed the tests somehow, though I imagine you may very likely prefer a different way :-)

D4N

Thanks for your work!

D4N added 2 commits August 4, 2018 19:18

D4N added 4 commits August 5, 2018 17:16

Catch all exceptions not caught in exiv2 cli-tool

ca78c4b

It effectively looks the same as before, only now we don't call abort() but instead clean up everything gracefully. (cherry picked from commit f4e8ed2)

Add reproducer for Exiv2#365 to the testsuite

d64dcf4

(cherry picked from commit 9b08354)

Add regression test for Exiv2#366 to the testsuite

65f1fcb

(cherry picked from commit b517f2e)

[tests] Change name of test for Exiv2#365 and Exiv2#366

10f6128

Issues got a CVE assigned (cherry picked from commit e67910a)

vcunat force-pushed the 0.26-cve-roundup-46 branch from 10f6128 to 65f1fcb Compare August 5, 2018 15:46

D4N and others added 2 commits August 5, 2018 17:53

[tests] Hack-fix the two CVE tests after cherry-picking

1ac7664

D4N approved these changes Aug 11, 2018

View reviewed changes

D4N merged commit e7ffd83 into Exiv2:0.26 Aug 11, 2018

vcunat deleted the 0.26-cve-roundup-46 branch August 11, 2018 12:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[0.26] try backporting fixes for CVE-2018-{12264,12265} #398

[0.26] try backporting fixes for CVE-2018-{12264,12265} #398

vcunat commented Aug 4, 2018

D4N commented Aug 5, 2018

vcunat commented Aug 5, 2018

vcunat commented Aug 5, 2018

D4N left a comment

[0.26] try backporting fixes for CVE-2018-{12264,12265} #398

[0.26] try backporting fixes for CVE-2018-{12264,12265} #398

Conversation

vcunat commented Aug 4, 2018

D4N commented Aug 5, 2018

vcunat commented Aug 5, 2018

vcunat commented Aug 5, 2018

D4N left a comment

Choose a reason for hiding this comment