diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog --- libexif-0.6.21/debian/changelog 2020-05-11 16:50:50.000000000 +0000 +++ libexif-0.6.21/debian/changelog 2020-06-08 14:55:38.000000000 +0000 @@ -1,3 +1,43 @@ +libexif (0.6.21-6ubuntu0.3) focal-security; urgency=medium + + * SECURITY UPDATE: Out of bounds read + - debian/patches/CVE-2020-0093.patch: fix read + buffer overflow making sure the number of bytes being + copied from does not exceed the source buffer size in + libexif/exif-data.c. + - CVE-2020-0093 + * SECURITY UPDATE: Out of bounds read + - debian/patches/CVE-2020-13112.patch: fix MakerNote tag size + overflow check for a size overflow while reading tags in + libexif/canon/exif-mnote-data-canon.c, + libexif/fuji/exif/mnote-data-fuji.c, + libexif/olympus/exif-mnote-data-olympus.c, + libexif/pentax/exif-mnote-data-pentax.c. + - CVE-2020-13112 + * SECURITY UPDATE: Possibly crash and potential use-after-free + - debian/patches/CVE-2020-13113.patch: ensures that an uninitialized + pointer is not dereferenced later in the case where the number of + components is 0 in libexif/canon/exif-mnote-data-canon.c, + libexif/fuji/exif-mnote-data-fuji.c, + libexif/olympus/exif-mnote-data-olympus.c, + libexif/pentax/exif-mnote-data-pentax. + - CVE-2020-13113 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2020-13114.patch: add a failsafe on the + maximum number of Canon MakerNote subtags in + libexif/canon/exif-mnote-data-canon.c. + - CVE-2020-13114 + * SECURITY UPDATE: Out of bounds read + - debian/patches/CVE-2020-0182.patch: fix a buffer read + overflow in exif_entry_get_value in libexif/exif-entry.c. + - CVE-2020-0182 + * SECURITY UPDATE: Integer overflow + - debian/patches/CVE-2020-0198.patch: fix unsigned integer overflow + in libexif/exif-data.c. + - CVE-2020-0198 + + -- Leonidas S. Barbosa Mon, 08 Jun 2020 11:55:38 -0300 + libexif (0.6.21-6ubuntu0.1) focal-security; urgency=medium * SECURITY UPDATE: Divinding by zero vulnerability diff -Nru libexif-0.6.21/debian/patches/CVE-2020-0093.patch libexif-0.6.21/debian/patches/CVE-2020-0093.patch --- libexif-0.6.21/debian/patches/CVE-2020-0093.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-0093.patch 2020-06-08 14:33:06.000000000 +0000 @@ -0,0 +1,34 @@ +From 5ae5973bed1947f4d447dc80b76d5cefadd90133 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Sat, 16 May 2020 16:47:42 +0200 +Subject: [PATCH] libexif: Fix read buffer overflow (CVE-2020-0093) + +Make sure the number of bytes being copied from doesn't exceed the +source buffer size. + +From Android repo: +https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6%5E%21/#F0 + +Test: testPocBug_148705132 +Bug: 148705132 + +fixes https://github.com/libexif/libexif/issues/42 +--- + libexif/exif-data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 6332cd1..65ae93d 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -308,7 +308,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, + /* Write the data. Fill unneeded bytes with 0. Do not crash with + * e->data is NULL */ + if (e->data) { +- memcpy (*d + 6 + doff, e->data, s); ++ unsigned int len = s; ++ if (e->size < s) len = e->size; ++ memcpy (*d + 6 + doff, e->data, len); + } else { + memset (*d + 6 + doff, 0, s); + } diff -Nru libexif-0.6.21/debian/patches/CVE-2020-0182.patch libexif-0.6.21/debian/patches/CVE-2020-0182.patch --- libexif-0.6.21/debian/patches/CVE-2020-0182.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-0182.patch 2020-06-08 14:55:38.000000000 +0000 @@ -0,0 +1,34 @@ +From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Wed, 4 Jul 2018 11:06:09 +0200 +Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value + +While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past +the end of a heap buffer. This was detected by the OSS Fuzz project. +Patch from Google. + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543 +--- + libexif/exif-entry.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: libexif-0.6.21/libexif/exif-entry.c +=================================================================== +--- libexif-0.6.21.orig/libexif/exif-entry.c ++++ libexif-0.6.21/libexif/exif-entry.c +@@ -1043,12 +1043,12 @@ exif_entry_get_value (ExifEntry *e, char + d = 0.; + entry = exif_content_get_entry ( + e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE); +- if (entry && entry->data && ++ if (entry && entry->data && entry->size >= 7 && + !strncmp ((char *)entry->data, "Minolta", 7)) { + entry = exif_content_get_entry ( + e->parent->parent->ifd[EXIF_IFD_0], + EXIF_TAG_MODEL); +- if (entry && entry->data) { ++ if (entry && entry->data && entry->size >= 8) { + if (!strncmp ((char *)entry->data, "DiMAGE 7", 8)) + d = 3.9; + else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8)) diff -Nru libexif-0.6.21/debian/patches/CVE-2020-0198.patch libexif-0.6.21/debian/patches/CVE-2020-0198.patch --- libexif-0.6.21/debian/patches/CVE-2020-0198.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-0198.patch 2020-06-08 14:55:38.000000000 +0000 @@ -0,0 +1,58 @@ +From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Mon, 8 Jun 2020 17:27:06 +0200 +Subject: [PATCH] fixed another unsigned integer overflow + +first fixed by google in android fork, +https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 + +(use a more generic overflow check method, also check second overflow instance.) + +https://security-tracker.debian.org/tracker/CVE-2020-0198 +--- + libexif/exif-data.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 8b280d3..b495726 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -47,6 +47,8 @@ + #undef JPEG_MARKER_APP1 + #define JPEG_MARKER_APP1 0xe1 + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00}; + + struct _ExifDataPrivate +@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o); + return; + } +- if (s > ds - o) { ++ if (CHECKOVERFLOW(o,ds,s)) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o); + return; + } +@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + } + + /* Read the number of entries */ +- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) { ++ if (CHECKOVERFLOW(offset, ds, 2)) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Tag data past end of buffer (%u > %u)", offset+2, ds); ++ "Tag data past end of buffer (%u+2 > %u)", offset, ds); + return; + } + n = exif_get_short (d + offset, data->priv->order); +@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + offset += 2; + + /* Check if we have enough data. */ +- if (offset + 12 * n > ds) { ++ if (CHECKOVERFLOW(offset, ds, 12*n)) { + n = (ds - offset) / 12; + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "Short data; only loading %hu entries...", n); diff -Nru libexif-0.6.21/debian/patches/CVE-2020-13112.patch libexif-0.6.21/debian/patches/CVE-2020-13112.patch --- libexif-0.6.21/debian/patches/CVE-2020-13112.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-13112.patch 2020-06-08 14:55:19.000000000 +0000 @@ -0,0 +1,299 @@ +Backported of: + +From 435e21f05001fb03f9f186fa7cbc69454afd00d1 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Sat, 16 May 2020 17:32:28 +0200 +Subject: [PATCH] Fix MakerNote tag size overflow issues at read time. + +Check for a size overflow while reading tags, which ensures that the +size is always consistent for the given components and type of the +entry, making checking further down superfluous. + +This provides an alternate fix for +https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 and for all +the MakerNote types. Likely, this makes both commits 41bd0423 and +89e5b1c1 redundant as it ensures that MakerNote entries are well-formed +when they're populated. + +Some improvements on top by Marcus Meissner + +CVE-2020-13112 +diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c +index 636f77b..95c2e14 100644 +--- a/libexif/canon/exif-mnote-data-canon.c ++++ b/libexif/canon/exif-mnote-data-canon.c +@@ -30,6 +30,8 @@ + #include + #include + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + #define DEBUG + + static void +@@ -209,7 +211,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + return; + } + datao = 6 + n->offset; +- if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) { ++ if (CHECKOVERFLOW(datao, buf_size, 2)) { + exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteCanon", "Short MakerNote"); + return; +@@ -233,7 +235,8 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + tcount = 0; + for (i = c, o = datao; i; --i, o += 12) { + size_t s; +- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) { ++ ++ if (CHECKOVERFLOW(o,buf_size,12)) { + exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteCanon", "Short MakerNote"); + break; +@@ -248,6 +251,16 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + "Loading entry 0x%x ('%s')...", n->entries[tcount].tag, + mnote_canon_tag_get_name (n->entries[tcount].tag)); + ++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection, ++ * we will check the buffer sizes closer later. */ ++ if ( exif_format_get_size (n->entries[tcount].format) && ++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components ++ ) { ++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, ++ "ExifMnoteCanon", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components); ++ continue; ++ } ++ + /* + * Size? If bigger than 4 bytes, the actual data is not + * in the entry but somewhere else (offset). +@@ -264,7 +277,8 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + } else { + size_t dataofs = o + 8; + if (s > 4) dataofs = exif_get_long (buf + dataofs, n->order) + 6; +- if ((dataofs + s < s) || (dataofs + s < dataofs) || (dataofs + s > buf_size)) { ++ ++ if (CHECKOVERFLOW(dataofs, buf_size, s)) { + exif_log (ne->log, EXIF_LOG_CODE_DEBUG, + "ExifMnoteCanon", + "Tag data past end of buffer (%lu > %u)", +diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c +index 7340e98..218196c 100644 +--- a/libexif/fuji/exif-mnote-data-fuji.c ++++ b/libexif/fuji/exif-mnote-data-fuji.c +@@ -28,6 +28,8 @@ + + #include "exif-mnote-data-fuji.h" + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + struct _MNoteFujiDataPrivate { + ExifByteOrder order; + }; +@@ -162,16 +164,16 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, + return; + } + datao = 6 + n->offset; +- if ((datao + 12 < datao) || (datao + 12 < 12) || (datao + 12 > buf_size)) { ++ if (CHECKOVERFLOW(datao, buf_size, 12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataFuji", "Short MakerNote"); + return; + } + + n->order = EXIF_BYTE_ORDER_INTEL; ++ + datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL); +- if ((datao + 2 < datao) || (datao + 2 < 2) || +- (datao + 2 > buf_size)) { ++ if (CHECKOVERFLOW(datao, buf_size, 2)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataFuji", "Short MakerNote"); + return; +@@ -195,7 +197,8 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, + tcount = 0; + for (i = c, o = datao; i; --i, o += 12) { + size_t s; +- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) { ++ ++ if (CHECKOVERFLOW(o, buf_size, 12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataFuji", "Short MakerNote"); + break; +@@ -210,6 +213,15 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, + "Loading entry 0x%x ('%s')...", n->entries[tcount].tag, + mnote_fuji_tag_get_name (n->entries[tcount].tag)); + ++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection, ++ * we will check the buffer sizes closer later. */ ++ if ( exif_format_get_size (n->entries[tcount].format) && ++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components ++ ) { ++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, ++ "ExifMnoteDataFuji", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components); ++ continue; ++ } + /* + * Size? If bigger than 4 bytes, the actual data is not + * in the entry but somewhere else (offset). +@@ -221,8 +233,8 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, + if (s > 4) + /* The data in this case is merely a pointer */ + dataofs = exif_get_long (buf + dataofs, n->order) + 6 + n->offset; +- if ((dataofs + s < dataofs) || (dataofs + s < s) || +- (dataofs + s >= buf_size)) { ++ ++ if (CHECKOVERFLOW(dataofs, buf_size, s)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataFuji", "Tag data past end of " + "buffer (%lu >= %u)", (unsigned long)(dataofs + s), buf_size); +diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c +index efa0525..3b1ad41 100644 +--- a/libexif/olympus/exif-mnote-data-olympus.c ++++ b/libexif/olympus/exif-mnote-data-olympus.c +@@ -28,6 +28,8 @@ + #include + #include + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + #define DEBUG + + /* Uncomment this to fix a problem with Sanyo MakerNotes. It's probably best +@@ -247,7 +249,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + return; + } + o2 = 6 + n->offset; /* Start of interesting data */ +- if ((o2 + 10 < o2) || (o2 + 10 < 10) || (o2 + 10 > buf_size)) { ++ if (CHECKOVERFLOW(o2,buf_size,10)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataOlympus", "Short MakerNote"); + return; +@@ -303,6 +305,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + /* Olympus S760, S770 */ + datao = o2; + o2 += 8; ++ if (CHECKOVERFLOW(o2,buf_size,4)) return; + exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus", + "Parsing Olympus maker note v2 (0x%02x, %02x, %02x, %02x)...", + buf[o2], buf[o2 + 1], buf[o2 + 2], buf[o2 + 3]); +@@ -346,7 +349,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + + case nikonV2: + o2 += 6; +- if (o2 >= buf_size) return; ++ if (CHECKOVERFLOW(o2,buf_size,12)) return; + exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus", + "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, " + "%02x, %02x, %02x, %02x, %02x)...", +@@ -406,7 +409,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + } + + /* Sanity check the offset */ +- if ((o2 + 2 < o2) || (o2 + 2 < 2) || (o2 + 2 > buf_size)) { ++ if (CHECKOVERFLOW(o2,buf_size,2)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteOlympus", "Short MakerNote"); + return; +@@ -430,7 +433,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + tcount = 0; + for (i = c, o = o2; i; --i, o += 12) { + size_t s; +- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) { ++ if (CHECKOVERFLOW(o, buf_size, 12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteOlympus", "Short MakerNote"); + break; +@@ -451,6 +454,14 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + n->entries[tcount].components, + (int)exif_format_get_size(n->entries[tcount].format)); */ + ++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection, ++ * we will check the buffer sizes closer later. */ ++ if (exif_format_get_size (n->entries[tcount].format) && ++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components ++ ) { ++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components); ++ continue; ++ } + /* + * Size? If bigger than 4 bytes, the actual data is not + * in the entry but somewhere else (offset). +@@ -469,7 +480,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + * tag in its MakerNote. The offset is actually the absolute + * position in the file instead of the position within the IFD. + */ +- if (dataofs + s > buf_size && n->version == sanyoV1) { ++ if (dataofs > (buf_size - s) && n->version == sanyoV1) { + /* fix pointer */ + dataofs -= datao + 6; + exif_log (en->log, EXIF_LOG_CODE_DEBUG, +@@ -478,8 +489,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + } + #endif + } +- if ((dataofs + s < dataofs) || (dataofs + s < s) || +- (dataofs + s > buf_size)) { ++ if (CHECKOVERFLOW(dataofs, buf_size, s)) { + exif_log (en->log, EXIF_LOG_CODE_DEBUG, + "ExifMnoteOlympus", + "Tag data past end of buffer (%lu > %u)", +diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c +index 680c482..b65e64c 100644 +--- a/libexif/pentax/exif-mnote-data-pentax.c ++++ b/libexif/pentax/exif-mnote-data-pentax.c +@@ -28,6 +28,8 @@ + #include + #include + ++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) ++ + static void + exif_mnote_data_pentax_clear (ExifMnoteDataPentax *n) + { +@@ -224,7 +226,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, + return; + } + datao = 6 + n->offset; +- if ((datao + 8 < datao) || (datao + 8 < 8) || (datao + 8 > buf_size)) { ++ if (CHECKOVERFLOW(datao, buf_size, 8)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataPentax", "Short MakerNote"); + return; +@@ -277,7 +279,8 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, + tcount = 0; + for (i = c, o = datao; i; --i, o += 12) { + size_t s; +- if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) { ++ ++ if (CHECKOVERFLOW(o,buf_size,12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataPentax", "Short MakerNote"); + break; +@@ -292,6 +295,15 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, + "Loading entry 0x%x ('%s')...", n->entries[tcount].tag, + mnote_pentax_tag_get_name (n->entries[tcount].tag)); + ++ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection, ++ * we will check the buffer sizes closer later. */ ++ if ( exif_format_get_size (n->entries[tcount].format) && ++ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components ++ ) { ++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, ++ "ExifMnoteDataPentax", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components); ++ break; ++ } + /* + * Size? If bigger than 4 bytes, the actual data is not + * in the entry but somewhere else (offset). +@@ -304,8 +316,8 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, + if (s > 4) + /* The data in this case is merely a pointer */ + dataofs = exif_get_long (buf + dataofs, n->order) + 6; +- if ((dataofs + s < dataofs) || (dataofs + s < s) || +- (dataofs + s > buf_size)) { ++ ++ if (CHECKOVERFLOW(dataofs, buf_size, s)) { + exif_log (en->log, EXIF_LOG_CODE_DEBUG, + "ExifMnoteDataPentax", "Tag data past end " + "of buffer (%lu > %u)", (unsigned long)(dataofs + s), buf_size); diff -Nru libexif-0.6.21/debian/patches/CVE-2020-13113.patch libexif-0.6.21/debian/patches/CVE-2020-13113.patch --- libexif-0.6.21/debian/patches/CVE-2020-13113.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-13113.patch 2020-06-08 14:55:38.000000000 +0000 @@ -0,0 +1,67 @@ +From ec412aa4583ad71ecabb967d3c77162760169d1f Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Sat, 16 May 2020 19:29:21 +0200 +Subject: [PATCH] Ensure the MakerNote data pointers are initialized with NULL. + +This ensures that an uninitialized pointer isn't dereferenced later in +the case where the number of components (and therefore size) is 0. + +This fixes the second issue reported at +https://sourceforge.net/p/libexif/bugs/125/ + +CVE-2020-13113 +--- + libexif/canon/exif-mnote-data-canon.c | 1 + + libexif/fuji/exif-mnote-data-fuji.c | 1 + + libexif/olympus/exif-mnote-data-olympus.c | 1 + + libexif/pentax/exif-mnote-data-pentax.c | 1 + + 4 files changed, 4 insertions(+) + +Index: libexif-0.6.21/libexif/canon/exif-mnote-data-canon.c +=================================================================== +--- libexif-0.6.21.orig/libexif/canon/exif-mnote-data-canon.c ++++ libexif-0.6.21/libexif/canon/exif-mnote-data-canon.c +@@ -236,6 +236,7 @@ exif_mnote_data_canon_load (ExifMnoteDat + for (i = c, o = datao; i; --i, o += 12) { + size_t s; + ++ memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry)); + if (CHECKOVERFLOW(o,buf_size,12)) { + exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteCanon", "Short MakerNote"); +Index: libexif-0.6.21/libexif/fuji/exif-mnote-data-fuji.c +=================================================================== +--- libexif-0.6.21.orig/libexif/fuji/exif-mnote-data-fuji.c ++++ libexif-0.6.21/libexif/fuji/exif-mnote-data-fuji.c +@@ -198,6 +198,7 @@ exif_mnote_data_fuji_load (ExifMnoteData + for (i = c, o = datao; i; --i, o += 12) { + size_t s; + ++ memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry)); + if (CHECKOVERFLOW(o, buf_size, 12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataFuji", "Short MakerNote"); +Index: libexif-0.6.21/libexif/olympus/exif-mnote-data-olympus.c +=================================================================== +--- libexif-0.6.21.orig/libexif/olympus/exif-mnote-data-olympus.c ++++ libexif-0.6.21/libexif/olympus/exif-mnote-data-olympus.c +@@ -433,6 +433,7 @@ exif_mnote_data_olympus_load (ExifMnoteD + tcount = 0; + for (i = c, o = o2; i; --i, o += 12) { + size_t s; ++ memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry)); + if (CHECKOVERFLOW(o, buf_size, 12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteOlympus", "Short MakerNote"); +Index: libexif-0.6.21/libexif/pentax/exif-mnote-data-pentax.c +=================================================================== +--- libexif-0.6.21.orig/libexif/pentax/exif-mnote-data-pentax.c ++++ libexif-0.6.21/libexif/pentax/exif-mnote-data-pentax.c +@@ -280,6 +280,7 @@ exif_mnote_data_pentax_load (ExifMnoteDa + for (i = c, o = datao; i; --i, o += 12) { + size_t s; + ++ memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry)); + if (CHECKOVERFLOW(o,buf_size,12)) { + exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifMnoteDataPentax", "Short MakerNote"); diff -Nru libexif-0.6.21/debian/patches/CVE-2020-13114.patch libexif-0.6.21/debian/patches/CVE-2020-13114.patch --- libexif-0.6.21/debian/patches/CVE-2020-13114.patch 1970-01-01 00:00:00.000000000 +0000 +++ libexif-0.6.21/debian/patches/CVE-2020-13114.patch 2020-06-08 14:55:38.000000000 +0000 @@ -0,0 +1,64 @@ +From e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab Mon Sep 17 00:00:00 2001 +From: Dan Fandrich +Date: Sat, 16 May 2020 19:32:30 +0200 +Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote + subtags. + +A malicious file could be crafted to cause extremely large values in some +tags without tripping any buffer range checks. This is bad with the libexif +representation of Canon MakerNotes because some arrays are turned into +individual tags that the application must loop around. + +The largest value I've seen for failsafe_size in a (very small) sample of valid +Canon files is <5000. The limit is set two orders of magnitude larger to avoid +tripping up falsely in case some models use much larger values. + +Patch from Google. + +CVE-2020-13114 +diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c +index 46c9688..6b9e814 100644 +--- a/libexif/canon/exif-mnote-data-canon.c ++++ b/libexif/canon/exif-mnote-data-canon.c +@@ -32,6 +32,9 @@ + + #define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize )) + ++/* Total size limit to prevent abuse by DoS */ ++#define FAILSAFE_SIZE_MAX 1000000L ++ + #define DEBUG + + static void +@@ -204,6 +207,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne; + ExifShort c; + size_t i, tcount, o, datao; ++ long failsafe_size = 0; + + if (!n || !buf || !buf_size) { + exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, +@@ -295,6 +299,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, + memcpy (n->entries[tcount].data, buf + dataofs, s); + } + ++ /* Track the size of decoded tag data. A malicious file could ++ * be crafted to cause extremely large values here without ++ * tripping any buffer range checks. This is especially bad ++ * with the libexif representation of Canon MakerNotes because ++ * some arrays are turned into individual tags that the ++ * application must loop around. */ ++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]); ++ ++ if (failsafe_size > FAILSAFE_SIZE_MAX) { ++ /* Abort if the total size of the data in the tags extraordinarily large, */ ++ exif_mem_free (ne->mem, n->entries[tcount].data); ++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, ++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)", ++ failsafe_size, FAILSAFE_SIZE_MAX); ++ break; ++ } ++ + /* Tag was successfully parsed */ + ++tcount; + } diff -Nru libexif-0.6.21/debian/patches/series libexif-0.6.21/debian/patches/series --- libexif-0.6.21/debian/patches/series 2020-05-11 16:50:38.000000000 +0000 +++ libexif-0.6.21/debian/patches/series 2020-06-08 14:55:38.000000000 +0000 @@ -10,3 +10,9 @@ CVE-2019-9278.patch cast-unsigned-int.patch CVE-2020-12767.patch +CVE-2020-0093.patch +CVE-2020-13112.patch +CVE-2020-13113.patch +CVE-2020-13114.patch +CVE-2020-0182.patch +CVE-2020-0198.patch