Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

exiv2: fix security issues #122511

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions pkgs/development/libraries/exiv2/CVE-2021-29470_2.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
From 4ffde8cb998cb62f4291a264225b9f274feb7002 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 21 Apr 2021 12:06:04 +0100
Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header

---
src/jp2image.cpp | 3 +++
src/jp2image.cpp.rej | 18 ++++++++++++++++++
2 files changed, 21 insertions(+)
create mode 100644 src/jp2image.cpp.rej

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 0961203e..475439d1 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -648,13 +648,16 @@ static void boxes_check(size_t b,size_t m)
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
int32_t length = getLong((byte*)&pBox->length, bigEndian);
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
int32_t count = sizeof (Jp2BoxHeader);
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;

while ( count < length || !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;

// copy data. pointer could be into a memory mapped file which we will decode!
diff --git a/src/jp2image.cpp.rej b/src/jp2image.cpp.rej
new file mode 100644
index 00000000..43699f20
--- /dev/null
+++ b/src/jp2image.cpp.rej
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably shouldn't be here, should it?

@@ -0,0 +1,18 @@
+diff a/src/jp2image.cpp b/src/jp2image.cpp (rejected hunks)
+@@ -648,13 +648,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
--
2.31.1

51 changes: 51 additions & 0 deletions pkgs/development/libraries/exiv2/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,57 @@ stdenv.mkDerivation rec {
url = "https://github.com/Exiv2/exiv2/commit/306c8a6fd4ddd70e76043ab255734720829a57e8.patch";
sha256 = "0D/omxYxBPGUu3uSErlf48dc6Ukwc2cEN9/J3e7a9eU=";
})
# https://github.com/Exiv2/exiv2/pull/1523
(fetchpatch {
name = "CVE-2021-3482_1.patch";
url = "https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da.patch";
sha256 = "0z9hcywjzb2q3yh3kkvjcg70rz3l7vgqjhk1h9wn291ys0jc2yxm";
})
(fetchpatch {
name = "CVE-2021-3482_2.patch";
url = "https://github.com/Exiv2/exiv2/commit/cac151ec052d44da3dc779e9e4028e581acb128a.patch";
sha256 = "1jyh0almvbg47c7i46hk9vg05v1r6mzc89xc7y6d8zcrvhyra0wk";
})

# https://github.com/Exiv2/exiv2/pull/1534
(fetchpatch {
name = "CVE-2021-29457.patch";
url = "https://github.com/Exiv2/exiv2/commit/13e5a3e02339b746abcaee6408893ca2fd8e289d.patch";
sha256 = "19nkdpn7jdm1rp8na68djzrl6rxdl1n5n4974ypazpmqr04x0j79";
})
# https://github.com/Exiv2/exiv2/pull/1539
(fetchpatch {
name = "CVE-2021-29458_1.patch";
url = "https://github.com/Exiv2/exiv2/commit/0a91b56616404f7b29ca28deb01ce18b767d1871.patch";
sha256 = "0ryjp2pzlj5h79q67y7az91yhmdqhdpgdg3mlc2qdamsqdp29m2b";
})
(fetchpatch {
name = "CVE-2021-29458_2.patch";
url = "https://github.com/Exiv2/exiv2/commit/c92ac88cb0ebe72a5a17654fe6cecf411ab1e572.patch";
sha256 = "1g7xm7mkr01lvd4d0hikswxbdmb5q2ihw4ddxhc0shsg3lkv3zqp";
})
(fetchpatch {
name = "CVE-2021-29458_3.patch";
url = "https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0.patch";
sha256 = "0a8xqmh97q7gj727yz4gbrzh5jsmlg2a45fjfl3wychpwbn7dqlc";
})
(fetchpatch {
name = "CVE-2021-29458_4.patch";
url = "https://github.com/Exiv2/exiv2/commit/fadb68718eb1bff3bd3222bd26ff3328f5306730.patch";
sha256 = "1hx6jf17if4afrz9halky7rlpvmgvysd46bby3zk6hipv8s8bk6h";
})
(fetchpatch {
name = "CVE-2021-29458_5.patch";
url = "https://github.com/Exiv2/exiv2/commit/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d.patch";
sha256 = "1mh4ww2rj3a2kd0i2510zgv2n72wd0p3j1xd735ndp85fzvw4n3z";
})
# https://github.com/Exiv2/exiv2/pull/1581
(fetchpatch {
name = "CVE-2021-29470_1.patch";
url = "https://github.com/Exiv2/exiv2/commit/6527e4f5979ced22d509e27d87d51287046f2008.patch";
sha256 = "0djh19xvn7p9bn06flznjw3xsjpmn10cdxwqq9xgh5k4f6ic4fz1";
})
./CVE-2021-29470_2.patch # rebased on top of v0.27.3
];

nativeBuildInputs = [
Expand Down