diff -Nru exiv2-0.23/debian/changelog exiv2-0.23/debian/changelog --- exiv2-0.23/debian/changelog 2013-12-17 11:57:21.000000000 +0000 +++ exiv2-0.23/debian/changelog 2019-01-08 17:08:06.000000000 +0000 @@ -1,3 +1,61 @@ +exiv2 (0.23-1ubuntu2.2) trusty-security; urgency=medium + + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-11591.patch: fix in + src/value.hpp. + - CVE-2017-11591 + * SECURITY UPDATE: Remote denial of service + - debian/patches/CVE-2017-11683.patch: fix in + src/tiffvisitor.cpp. + - CVE-2017-11683 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-14859_14862_14864.patch: fix in + src/error.cpp, src/tiffvisitor.cpp. + - CVE-2017-14859 + - CVE-2017-14862 + - CVE-2017-14864 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-17669.patch: fix in + src/pngchunk.cpp. + - CVE-2017-17669 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-9239.patch: fix in + src/tiffcomposite.cpp. + - CVE-2017-9239 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2018-17581.patch: fix in + src/crwimage.cpp. + - CVE-2018-17581 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-16336*.patch: fix in + src/pngchunk.cpp. + - CVE-2018-16336 + * Minor fix related to CVE-2018-10958_10999 in src/pngchunk.cpp. + + -- Leonidas S. Barbosa Tue, 08 Jan 2019 13:38:56 -0300 + +exiv2 (0.23-1ubuntu2.1) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service through memory exhaustion + and a heap-based buffer over-read + - debian/patches/CVE-2018-10958_10999*.patch + - CVE-2018-10958 + - CVE-2018-10999 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2018-10998.patch + - CVE-2018-10998 + * SECURITY UPDATE: Heap-based buffer overflow + - debian/patches/CVE-2018-11531*.patch + - CVE-2018-11531 + * SECURITY UPDATE: Integer overflow + - debian/patches/CVE-2018-12264.patch + - CVE-2018-12264 + * SECURITY UPDATE: Integer overflow + - debian/patches/CVE-2018-12265*.patch + - CVE-2018-12265 + + -- Leonidas S. Barbosa Fri, 29 Jun 2018 10:20:45 -0300 + exiv2 (0.23-1ubuntu2) trusty; urgency=low * Apply libtool patch for powerpc*le-linux support, copied from libtool diff -Nru exiv2-0.23/debian/patches/CVE-2017-11591.patch exiv2-0.23/debian/patches/CVE-2017-11591.patch --- exiv2-0.23/debian/patches/CVE-2017-11591.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2017-11591.patch 2019-01-08 16:32:11.000000000 +0000 @@ -0,0 +1,25 @@ +--- a/src/value.hpp ++++ b/src/value.hpp +@@ -1628,11 +1628,12 @@ namespace Exiv2 { + ok_ = true; + return static_cast(value_[n]); + } ++#define LARGE_INT 1000000 + // Specialization for rational + template<> + inline long ValueType::toLong(long n) const + { +- ok_ = (value_[n].second != 0); ++ ok_ = (value_[n].second != 0 && -LARGE_INT < value_[n].first && value_[n].first < LARGE_INT); + if (!ok_) return 0; + return value_[n].first / value_[n].second; + } +@@ -1640,7 +1641,7 @@ namespace Exiv2 { + template<> + inline long ValueType::toLong(long n) const + { +- ok_ = (value_[n].second != 0); ++ ok_ = (value_[n].second != 0 && value_[n].first < LARGE_INT); + if (!ok_) return 0; + return value_[n].first / value_[n].second; + } diff -Nru exiv2-0.23/debian/patches/CVE-2017-11683.patch exiv2-0.23/debian/patches/CVE-2017-11683.patch --- exiv2-0.23/debian/patches/CVE-2017-11683.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2017-11683.patch 2019-01-08 16:32:21.000000000 +0000 @@ -0,0 +1,42 @@ +From 1f1715c086d8dcdf5165b19164af9aee7aa12e98 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Fri, 6 Oct 2017 00:37:43 +0200 +Subject: [PATCH] =?UTF-8?q?Use=20nullptr=20check=20instead=20of=20assertio?= + =?UTF-8?q?n,=20by=20Rapha=C3=ABl=20Hertzog?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Source: +https://github.com/Exiv2/exiv2/issues/57#issuecomment-333086302 + +tc can be a null pointer when the TIFF tag is unknown (the factory +then returns an auto_ptr(0)) => as this can happen for corrupted +files, an explicit check should be used because an assertion can be +turned of in release mode (with NDEBUG defined) + +This also fixes #57 +--- + src/tiffvisitor.cpp | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/src/tiffvisitor.cpp ++++ b/src/tiffvisitor.cpp +@@ -1290,11 +1290,12 @@ namespace Exiv2 { + } + uint16_t tag = getUShort(p, byteOrder()); + TiffComponent::AutoPtr tc = TiffCreator::create(tag, object->group()); +- // The assertion typically fails if a component is not configured in +- // the TIFF structure table +- assert(tc.get()); +- tc->setStart(p); +- object->addChild(tc); ++ if (tc.get()) { ++ tc->setStart(p); ++ object->addChild(tc); ++ } else { ++ EXV_WARNING << "Unable to handle tag " << tag << ".\n"; ++ } + p += 12; + } + diff -Nru exiv2-0.23/debian/patches/CVE-2017-14859_14862_14864.patch exiv2-0.23/debian/patches/CVE-2017-14859_14862_14864.patch --- exiv2-0.23/debian/patches/CVE-2017-14859_14862_14864.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2017-14859_14862_14864.patch 2019-01-08 16:32:29.000000000 +0000 @@ -0,0 +1,74 @@ +Backported of: + +Description: Fix CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 +Origin: backport, https://github.com/Exiv2/exiv2/pull/110 +Last-Update: 2017-10-25 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/src/error.cpp b/src/error.cpp +index 96acce7..913e6c3 100644 +--- a/src/error.cpp ++++ b/src/error.cpp +@@ -106,7 +106,9 @@ namespace { + { 50, N_("Multiple TIFF array element tags %1 in one directory") }, // %1=tag number + { 51, N_("TIFF array element tag %1 has wrong type") }, // %1=tag number + { 52, N_("%1 has invalid XMP value type `%2'") }, // %1=key, %2=value type +- { 58, N_("corrupted image metadata") } ++ { 57, N_("invalid memory allocation request") }, ++ { 58, N_("corrupted image metadata") }, ++ { 59, N_("Arithmetic operation overflow") }, + }; + + } +diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp +index 56229a4..e5c0efa 100644 +--- a/src/tiffvisitor.cpp ++++ b/src/tiffvisitor.cpp +@@ -52,6 +52,7 @@ EXIV2_RCSID("@(#) $Id: tiffvisitor.cpp 2681 2012-03-22 15:19:35Z ahuggel $") + #include + #include + #include ++#include + + // ***************************************************************************** + namespace { +@@ -1492,6 +1493,9 @@ namespace Exiv2 { + return; + } + p += 4; ++ if (count > std::numeric_limits::max() / typeSize) { ++ throw Error(59); ++ } + uint32_t size = typeSize * count; + int32_t offset = getLong(p, byteOrder()); + byte* pData = p; +@@ -1510,7 +1514,18 @@ namespace Exiv2 { + size = 0; + } + if (size > 4) { ++ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, ++ // as offset can be arbitrarily large ++ if ((static_cast(baseOffset()) > std::numeric_limits::max() - static_cast(offset)) ++ || (static_cast(baseOffset() + offset) > std::numeric_limits::max() - reinterpret_cast(pData_))) ++ { ++ throw Error(59); ++ } ++ if (pData_ + static_cast(baseOffset()) + static_cast(offset) > pLast_) { ++ throw Error(58); ++ } + pData = const_cast(pData_) + baseOffset() + offset; ++ // check for size being invalid + if (size > static_cast(pLast_ - pData)) { + #ifndef SUPPRESS_WARNINGS + EXV_ERROR << "Upper boundary of data for " +@@ -1530,7 +1545,9 @@ namespace Exiv2 { + } + } + Value::AutoPtr v = Value::create(typeId); +- assert(v.get()); ++ if (!v.get()) { ++ throw Error(58); ++ } + v->read(pData, size, byteOrder()); + + object->setValue(v); diff -Nru exiv2-0.23/debian/patches/CVE-2017-17669.patch exiv2-0.23/debian/patches/CVE-2017-17669.patch --- exiv2-0.23/debian/patches/CVE-2017-17669.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2017-17669.patch 2019-01-08 16:33:07.000000000 +0000 @@ -0,0 +1,37 @@ +From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Mon, 22 Jan 2018 23:56:08 +0100 +Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by + @brianmay + +- consider that key is advanced by 8 bytes if stripHeader is true + => length is reduced by same amount + Fixed by adding offset to the check in the loop +- Rewrote loop so that keysize is checked before the next + iteration (preventing an out of bounds read) +diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp +index 7407908..89e35dc 100644 +--- a/src/pngchunk.cpp ++++ b/src/pngchunk.cpp +@@ -112,15 +112,17 @@ namespace Exiv2 { + { + // From a tEXt, zTXt, or iTXt chunk, + // we get the key, it's a null terminated string at the chunk start +- if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14); +- const byte *key = data.pData_ + (stripHeader ? 8 : 0); ++ const int offset = stripHeader ? 8 : 0; ++ if (data.size_ <= offset) throw Error(14); ++ const byte *key = data.pData_ + offset; + + // Find null string at end of key. + int keysize=0; +- for ( ; key[keysize] != 0 ; keysize++) ++ while (key[keysize] != 0) + { ++ keysize++; + // look if keysize is valid. +- if (keysize >= data.size_) ++ if (keysize+offset >= data.size_) + throw Error(14); + } + diff -Nru exiv2-0.23/debian/patches/CVE-2017-9239.patch exiv2-0.23/debian/patches/CVE-2017-9239.patch --- exiv2-0.23/debian/patches/CVE-2017-9239.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2017-9239.patch 2019-01-08 16:33:14.000000000 +0000 @@ -0,0 +1,12 @@ +http://dev.exiv2.org/issues/1296 + +--- a/src/tiffcomposite.cpp ++++ b/src/tiffcomposite.cpp +@@ -1612,6 +1612,7 @@ + uint32_t TiffImageEntry::doWriteImage(IoWrapper& ioWrapper, + ByteOrder /*byteOrder*/) const + { ++ if ( !pValue() ) throw Error(21); // #1296 + uint32_t len = pValue()->sizeDataArea(); + if (len > 0) { + #ifdef DEBUG diff -Nru exiv2-0.23/debian/patches/CVE-2018-10958_10999_1_of_2.patch exiv2-0.23/debian/patches/CVE-2018-10958_10999_1_of_2.patch --- exiv2-0.23/debian/patches/CVE-2018-10958_10999_1_of_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-10958_10999_1_of_2.patch 2018-06-29 13:19:22.000000000 +0000 @@ -0,0 +1,52 @@ +From 2fb00c8a16ce93756cddd70536e361a49369ba88 Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Sat, 19 May 2018 19:39:30 +0200 +Subject: [PATCH] Analyze minimum needed number of null separators in + PngChunk::parseTXTChunk + +This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk. + +According to the specification: +http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html + +There must be 2 null separators when we start to analyze the language tag. + +(cherry picked from commit 2fb00c8a16ce93756cddd70536e361a49369ba88) +[rcs: Backported to jessie] +--- + src/pngchunk.cpp | 5 +++++ + tests/bugfixes/github/test_CVE_2018_10999.py | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- exiv2.git.orig/src/pngchunk.cpp ++++ exiv2.git/src/pngchunk.cpp +@@ -60,6 +60,7 @@ + #include + #include + #include ++#include + + /* + +@@ -166,6 +167,9 @@ + } + else if(type == iTXt_Chunk) + { ++ const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); ++ if (nullSeparators < 2) throw Error(58); ++ + // Extract a deflate compressed or uncompressed UTF-8 text chunk + + // we get the compression flag after the key +--- exiv2.git.orig/src/error.cpp ++++ exiv2.git/src/error.cpp +@@ -105,7 +105,8 @@ + { 49, N_("TIFF directory %1 has too many entries") }, // %1=TIFF directory name + { 50, N_("Multiple TIFF array element tags %1 in one directory") }, // %1=tag number + { 51, N_("TIFF array element tag %1 has wrong type") }, // %1=tag number +- { 52, N_("%1 has invalid XMP value type `%2'") } // %1=key, %2=value type ++ { 52, N_("%1 has invalid XMP value type `%2'") }, // %1=key, %2=value type ++ { 58, N_("corrupted image metadata") } + }; + + } diff -Nru exiv2-0.23/debian/patches/CVE-2018-10958_10999_2_of_2.patch exiv2-0.23/debian/patches/CVE-2018-10958_10999_2_of_2.patch --- exiv2-0.23/debian/patches/CVE-2018-10958_10999_2_of_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-10958_10999_2_of_2.patch 2018-06-29 13:19:28.000000000 +0000 @@ -0,0 +1,59 @@ +From 3ad0050469e6ea63b4081f2a88c264ce8ab55c51 Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Wed, 23 May 2018 10:34:20 +0200 +Subject: [PATCH] Check validity of compressionFlag & compressionMethod + +(cherry picked from commit 3ad0050469e6ea63b4081f2a88c264ce8ab55c51) +[rcs: Backported to jessie] +--- + src/pngchunk.cpp | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- exiv2.git.orig/src/pngchunk.cpp ++++ exiv2.git/src/pngchunk.cpp +@@ -168,14 +168,24 @@ + else if(type == iTXt_Chunk) + { + const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); +- if (nullSeparators < 2) throw Error(58); ++ if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators"); + + // Extract a deflate compressed or uncompressed UTF-8 text chunk + + // we get the compression flag after the key +- const byte* compressionFlag = data.pData_ + keysize + 1; ++ const byte compressionFlag = data.pData_[keysize + 1]; + // we get the compression method after the compression flag +- const byte* compressionMethod = data.pData_ + keysize + 2; ++ const byte compressionMethod = data.pData_[keysize + 2]; ++ ++ if (compressionFlag != 0x00 && compressionFlag != 0x01) ++ { ++ throw Error(58, "iTXt chunk: not valid value in compressionFlag"); ++ } ++ if (compressionMethod != 0x00) ++ { ++ throw Error(58, "iTXt chunk: not valid value in compressionMethod"); ++ } ++ + // language description string after the compression technique spec + std::string languageText((const char*)(data.pData_ + keysize + 3)); + unsigned int languageTextSize = static_cast(languageText.size()); +@@ -183,7 +193,7 @@ + std::string translatedKeyText((const char*)(data.pData_ + keysize + 3 + languageTextSize +1)); + unsigned int translatedKeyTextSize = static_cast(translatedKeyText.size()); + +- if ( compressionFlag[0] == 0x00 ) ++ if ( compressionFlag == 0x00 ) + { + // then it's an uncompressed iTXt chunk + #ifdef DEBUG +@@ -197,7 +207,7 @@ + arr.alloc(textsize); + arr = DataBuf(text, textsize); + } +- else if ( compressionFlag[0] == 0x01 && compressionMethod[0] == 0x00 ) ++ else if ( compressionFlag == 0x01 && compressionMethod == 0x00 ) + { + // then it's a zlib compressed iTXt chunk + #ifdef DEBUG diff -Nru exiv2-0.23/debian/patches/CVE-2018-10958_10999-minor-fix.patch exiv2-0.23/debian/patches/CVE-2018-10958_10999-minor-fix.patch --- exiv2-0.23/debian/patches/CVE-2018-10958_10999-minor-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-10958_10999-minor-fix.patch 2019-01-08 16:38:39.000000000 +0000 @@ -0,0 +1,21 @@ +Backported of: + +From c0a879aea41348481d5b286e34a85f4744a7446a Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Wed, 23 May 2018 11:10:38 +0200 +Subject: [PATCH] Fix call to std::count, so that we count until the end of the + array + +diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp +index 1f3ef76..2c1640c 100644 +--- a/src/pngchunk.cpp ++++ b/src/pngchunk.cpp +@@ -182,7 +182,7 @@ namespace Exiv2 { + else if(type == iTXt_Chunk) + { + if (data.size_ < Safe::add(keysize, 3)) throw Error(58); +- const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); ++ const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0'); + if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators"); + + // Extract a deflate compressed or uncompressed UTF-8 text chunk diff -Nru exiv2-0.23/debian/patches/CVE-2018-10998.patch exiv2-0.23/debian/patches/CVE-2018-10998.patch --- exiv2-0.23/debian/patches/CVE-2018-10998.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-10998.patch 2018-06-29 13:19:41.000000000 +0000 @@ -0,0 +1,74 @@ +From f4e8ed2fd48d012467b99552f0d6378302a23c75 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Mon, 11 Jun 2018 16:25:23 +0200 +Subject: [PATCH] Catch all exceptions not caught in exiv2 cli-tool + +It effectively looks the same as before, only now we don't call abort() but +instead clean up everything gracefully. + +(cherry picked from commit f4e8ed2fd48d012467b99552f0d6378302a23c75) +[rcs: Backported to jessie] +--- + src/exiv2.cpp | 48 +++++++++++++++++++++++++++--------------------- + 1 file changed, 27 insertions(+), 21 deletions(-) + +--- exiv2-jessie.git.orig/src/exiv2.cpp ++++ exiv2-jessie.git/src/exiv2.cpp +@@ -151,30 +151,36 @@ + return 0; + } + +- // Create the required action class +- Action::TaskFactory& taskFactory = Action::TaskFactory::instance(); +- Action::Task::AutoPtr task +- = taskFactory.create(Action::TaskType(params.action_)); +- assert(task.get()); +- +- // Process all files + int rc = 0; +- int n = 1; +- int s = static_cast(params.files_.size()); +- int w = s > 9 ? s > 99 ? 3 : 2 : 1; +- for (Params::Files::const_iterator i = params.files_.begin(); +- i != params.files_.end(); ++i) { +- if (params.verbose_) { +- std::cout << _("File") << " " << std::setw(w) << std::right << n++ << "/" << s << ": " +- << *i << std::endl; ++ ++ try { ++ // Create the required action class ++ Action::TaskFactory& taskFactory = Action::TaskFactory::instance(); ++ Action::Task::AutoPtr task = taskFactory.create(Action::TaskType(params.action_)); ++ assert(task.get()); ++ ++ // Process all files ++ int n = 1; ++ int s = static_cast(params.files_.size()); ++ int w = s > 9 ? s > 99 ? 3 : 2 : 1; ++ for (Params::Files::const_iterator i = params.files_.begin(); i != params.files_.end(); ++i) { ++ if (params.verbose_) { ++ std::cout << _("File") << " " << std::setw(w) << std::right << n++ << "/" << s << ": " << *i ++ << std::endl; ++ } ++ int ret = task->run(*i); ++ if (rc == 0) ++ rc = ret; + } +- int ret = task->run(*i); +- if (rc == 0) rc = ret; +- } + +- taskFactory.cleanup(); +- params.cleanup(); +- Exiv2::XmpParser::terminate(); ++ taskFactory.cleanup(); ++ params.cleanup(); ++ Exiv2::XmpParser::terminate(); ++ ++ } catch (const std::exception& exc) { ++ std::cerr << "Uncaught exception: " << exc.what() << std::endl; ++ rc = 1; ++ } + + // Return a positive one byte code for better consistency across platforms + return static_cast(rc) % 256; diff -Nru exiv2-0.23/debian/patches/CVE-2018-11531_1_of_3.patch exiv2-0.23/debian/patches/CVE-2018-11531_1_of_3.patch --- exiv2-0.23/debian/patches/CVE-2018-11531_1_of_3.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-11531_1_of_3.patch 2018-06-29 13:19:51.000000000 +0000 @@ -0,0 +1,22 @@ +From ed874703ad553338f973d537b8159d0eb4375cc4 Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Fri, 25 May 2018 22:03:26 +0200 +Subject: [PATCH] Prevent call to memcpy with size==0 + +(cherry picked from commit ed874703ad553338f973d537b8159d0eb4375cc4) +[rcs: Backported to jessie] +--- + src/preview.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- exiv2-jessie.git.orig/src/preview.cpp ++++ exiv2-jessie.git/src/preview.cpp +@@ -813,7 +813,7 @@ + for (int i = 0; i < sizes.count(); i++) { + uint32_t offset = dataValue.toLong(i); + uint32_t size = sizes.toLong(i); +- if (offset + size <= static_cast(io.size())) ++ if (size!=0 && offset + size <= static_cast(io.size())) + memcpy(pos, base + offset, size); + pos += size; + } diff -Nru exiv2-0.23/debian/patches/CVE-2018-11531_2_of_3.patch exiv2-0.23/debian/patches/CVE-2018-11531_2_of_3.patch --- exiv2-0.23/debian/patches/CVE-2018-11531_2_of_3.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-11531_2_of_3.patch 2018-06-29 13:19:58.000000000 +0000 @@ -0,0 +1,30 @@ +From 863aaebc92ff0b0ee3d302b7b5291002c043bc7b Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Fri, 25 May 2018 22:16:25 +0200 +Subject: [PATCH] Use index to access buf.pData_ + +(cherry picked from commit 863aaebc92ff0b0ee3d302b7b5291002c043bc7b) +[rcs: Backported to jessie] +--- + src/preview.cpp | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- exiv2-jessie.git.orig/src/preview.cpp ++++ exiv2-jessie.git/src/preview.cpp +@@ -809,13 +809,13 @@ + else { + // FIXME: the buffer is probably copied twice, it should be optimized + DataBuf buf(size_); +- Exiv2::byte* pos = buf.pData_; ++ uint32_t idxBuf = 0; + for (int i = 0; i < sizes.count(); i++) { + uint32_t offset = dataValue.toLong(i); + uint32_t size = sizes.toLong(i); + if (size!=0 && offset + size <= static_cast(io.size())) +- memcpy(pos, base + offset, size); +- pos += size; ++ memcpy(&buf.pData_[idxBuf], base + offset, size); ++ idxBuf += size; + } + dataValue.setDataArea(buf.pData_, buf.size_); + } diff -Nru exiv2-0.23/debian/patches/CVE-2018-11531_3_of_3.patch exiv2-0.23/debian/patches/CVE-2018-11531_3_of_3.patch --- exiv2-0.23/debian/patches/CVE-2018-11531_3_of_3.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-11531_3_of_3.patch 2018-06-29 13:20:03.000000000 +0000 @@ -0,0 +1,22 @@ +From 67a5a741153c876a6f1c189abb874721d1725c48 Mon Sep 17 00:00:00 2001 +From: Luis Diaz Mas +Date: Fri, 25 May 2018 22:20:03 +0200 +Subject: [PATCH] Throw when trying to write out of the buffer + +(cherry picked from commit 67a5a741153c876a6f1c189abb874721d1725c48) +[rcs: Backported to jessie] +--- + src/preview.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +--- exiv2-jessie.git.orig/src/preview.cpp ++++ exiv2-jessie.git/src/preview.cpp +@@ -813,6 +813,8 @@ + for (int i = 0; i < sizes.count(); i++) { + uint32_t offset = dataValue.toLong(i); + uint32_t size = sizes.toLong(i); ++ if (idxBuf + size >= size_) ++ throw Error(58); + if (size!=0 && offset + size <= static_cast(io.size())) + memcpy(&buf.pData_[idxBuf], base + offset, size); + idxBuf += size; diff -Nru exiv2-0.23/debian/patches/CVE-2018-12264.patch exiv2-0.23/debian/patches/CVE-2018-12264.patch --- exiv2-0.23/debian/patches/CVE-2018-12264.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-12264.patch 2018-06-29 13:20:32.000000000 +0000 @@ -0,0 +1,40 @@ +From fe70939f54476e99046245ca69ff27012401f759 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Mon, 11 Jun 2018 18:37:36 +0200 +Subject: [PATCH] Fix addition overflows in range checks in LoaderTiff::getData + +Several checks for extracted values performed no overflow checks on the +addition. They can be tricked into passing, albeit the individual summands are +too large. +=> use Safe::add() which now aborts when an overflow occurs +This fixes #366 + +(cherry picked from commit fe70939f54476e99046245ca69ff27012401f759) +[rcs: Backported to jessie] +--- + src/preview.cpp | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- exiv2-jessie.git.orig/src/preview.cpp ++++ exiv2-jessie.git/src/preview.cpp +@@ -805,7 +805,7 @@ + // this saves one copying of the buffer + uint32_t offset = dataValue.toLong(0); + uint32_t size = sizes.toLong(0); +- if (offset + size <= static_cast(io.size())) ++ if (Safe::add(offset, size) <= static_cast(io.size())) + dataValue.setDataArea(base + offset, size); + } + else { +@@ -815,9 +815,9 @@ + for (int i = 0; i < sizes.count(); i++) { + uint32_t offset = dataValue.toLong(i); + uint32_t size = sizes.toLong(i); +- if (idxBuf + size >= size_) ++ if (Safe::add(idxBuf, size) >= size_) + throw Error(58); +- if (size!=0 && offset + size <= static_cast(io.size())) ++ if (size!=0 && Safe::add(offset, size) <= static_cast(io.size())) + memcpy(&buf.pData_[idxBuf], base + offset, size); + idxBuf += size; + } diff -Nru exiv2-0.23/debian/patches/CVE-2018-12265.patch exiv2-0.23/debian/patches/CVE-2018-12265.patch --- exiv2-0.23/debian/patches/CVE-2018-12265.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-12265.patch 2018-06-29 13:20:27.000000000 +0000 @@ -0,0 +1,38 @@ +From 937a1a2bd067b8b3b787f3757089d972f3a39853 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Mon, 11 Jun 2018 16:04:28 +0200 +Subject: [PATCH] Add offset_ and size_ safely in + LoaderExifJpeg::LoaderExifJpeg + +offset_ can become arbitrarily large and overflows once its added to size_, +this causes all kinds of problems further in the code when offset_ is used +again. +=> Use Safe::add() to catch potential overflows +This fixes #365. + +(cherry picked from commit 937a1a2bd067b8b3b787f3757089d972f3a39853) +[rcs: Backported to jessie] +--- + src/preview.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- exiv2-jessie.git.orig/src/preview.cpp ++++ exiv2-jessie.git/src/preview.cpp +@@ -41,6 +41,7 @@ + + #include "preview.hpp" + #include "futils.hpp" ++#include "safe_op.hpp" + + #include "image.hpp" + #include "cr2image.hpp" +@@ -549,7 +550,8 @@ + } + } + +- if (offset_ + size_ > static_cast(image_.io().size())) return; ++ if (Safe::add(offset_, size_) > static_cast(image_.io().size())) ++ return; + + valid_ = true; + } diff -Nru exiv2-0.23/debian/patches/CVE-2018-12265_prereq.patch exiv2-0.23/debian/patches/CVE-2018-12265_prereq.patch --- exiv2-0.23/debian/patches/CVE-2018-12265_prereq.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-12265_prereq.patch 2018-06-29 13:20:19.000000000 +0000 @@ -0,0 +1,310 @@ +--- /dev/null ++++ exiv2-jessie.git/src/safe_op.hpp +@@ -0,0 +1,307 @@ ++// ********************************************************* -*- C++ -*- ++/* ++ * Copyright (C) 2004-2018 Exiv2 maintainers ++ * ++ * This program is part of the Exiv2 distribution. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA. ++ */ ++/*! ++ @file safe_op.hpp ++ @brief Overflow checks for integers ++ @author Dan Čermák (D4N) ++ dan.cermak@cgc-instruments.com ++ @date 14-Dec-17, D4N: created ++ */ ++ ++#ifndef SAFE_OP_HPP_ ++#define SAFE_OP_HPP_ ++ ++#include ++#include ++ ++#ifdef _MSC_VER ++#include ++#endif ++ ++/*! ++ * @brief Arithmetic operations with overflow checks ++ */ ++namespace Safe ++{ ++ /*! ++ * @brief Helper functions for providing integer overflow checks. ++ * ++ * This namespace contains internal helper functions fallback_$op_overflow ++ * and builtin_$op_overflow (where $op is an arithmetic operation like add, ++ * subtract, etc.). Both provide the following interface: ++ * ++ * bool fallback/builtin_$op_overflow(T first, T second, T& result); ++ * ++ * where T is an integer type. ++ * ++ * Each function performs checks whether first $op second can be safely ++ * performed without overflows. If yes, the result is saved in result and ++ * false is returned. Otherwise true is returned and the contents of result ++ * are unspecified. ++ * ++ * fallback_$op_overflow implements a portable but slower overflow check. ++ * builtin_$op_overflow uses compiler builtins (when available) and should ++ * be faster. As builtins are not available for all types, ++ * builtin_$op_overflow falls back to fallback_$op_overflow when no builtin ++ * is available. ++ */ ++ namespace Internal ++ { ++ /*! ++ * @brief Helper struct to determine whether a type is signed or unsigned ++ * ++ * This struct is a backport of std::is_signed from C++11. It has a public ++ * enum with the property VALUE which is true when the type is signed or ++ * false if it is unsigned. ++ */ ++ template ++ struct is_signed ++ { ++ enum ++ { ++ VALUE = T(-1) < T(0) ++ }; ++ }; ++ ++ /*! ++ * @brief Helper struct for SFINAE, from C++11 ++ ++ * This struct has a public typedef called type typedef'd to T if B is ++ * true. Otherwise there is no typedef. ++ */ ++ template ++ struct enable_if ++ { ++ }; ++ ++ /*! ++ * @brief Specialization of enable_if for the case B == true ++ */ ++ template ++ struct enable_if ++ { ++ typedef T type; ++ }; ++ ++ /*! ++ * @brief Check the addition of two numbers for overflows for signed ++ * integer types larger than int or with the same size as int. ++ * ++ * This function performs a check if summand_1 + summand_2 would ++ * overflow and returns true in that case. If no overflow occurs, ++ * the sum is saved in result and false is returned. ++ * ++ * @return true on overflow, false on no overflow ++ * ++ * @param[in] summand_1, summand_2 The summands with are added ++ * @param[out] result Result of the addition, only populated when no ++ * overflow occurs. ++ * ++ * Further information: ++ * https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow ++ */ ++ template ++ typename enable_if::VALUE && sizeof(T) >= sizeof(int), bool>::type fallback_add_overflow( ++ T summand_1, T summand_2, T& result) ++ { ++ if (((summand_2 >= 0) && (summand_1 > std::numeric_limits::max() - summand_2)) || ++ ((summand_2 < 0) && (summand_1 < std::numeric_limits::min() - summand_2))) { ++ return true; ++ } else { ++ result = summand_1 + summand_2; ++ return false; ++ } ++ } ++ ++ /*! ++ * @brief Check the addition of two numbers for overflows for signed ++ * integer types smaller than int. ++ * ++ * This function adds summand_1 and summand_2 exploiting integer ++ * promotion rules, thereby not causing undefined behavior. The ++ * result is checked against the limits of T and true is returned if ++ * they are exceeded. Otherwise the sum is saved in result and false ++ * is returned. ++ * ++ * @return true on overflow, false on no overflow ++ * ++ * @param[in] summand_1, summand_2 The summands with are added ++ * @param[out] result Result of the addition, only populated when no ++ * overflow occurs. ++ * ++ * Further information: ++ * https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules ++ */ ++ template ++ typename enable_if::VALUE && sizeof(T) < sizeof(int), bool>::type fallback_add_overflow( ++ T summand_1, T summand_2, T& result) ++ { ++ const int res = summand_1 + summand_2; ++ if ((res > std::numeric_limits::max()) || (res < std::numeric_limits::min())) { ++ return true; ++ } else { ++ result = static_cast(res); ++ return false; ++ } ++ } ++ ++ /*! ++ * @brief Check the addition of two numbers for overflows for unsigned ++ * integer types. ++ * ++ * This function adds summand_1 and summand_2 and checks after that if ++ * the operation overflowed. Since these are unsigned integers, no ++ * undefined behavior is invoked. ++ * ++ * @return true on overflow, false on no overflow ++ * ++ * @param[in] summand_1, summand_2 The summands with are added ++ * @param[out] result Result of the addition ++ * ++ * Further information: ++ * https://wiki.sei.cmu.edu/confluence/display/c/INT30-C.+Ensure+that+unsigned+integer+operations+do+not+wrap ++ */ ++ template ++ typename enable_if::VALUE, bool>::type fallback_add_overflow(T summand_1, T summand_2, T& result) ++ { ++ result = summand_1 + summand_2; ++ return result < summand_1; ++ } ++ ++ /*! ++ * @brief Overflow addition check using compiler intrinsics. ++ * ++ * This function behaves exactly like fallback_add_overflow() but it ++ * relies on compiler intrinsics instead. This version should be faster ++ * than the fallback version as it can fully utilize available CPU ++ * instructions & the compiler's diagnostic. ++ * ++ * However, as some compilers don't provide intrinsics for certain ++ * types, the default implementation is the version from fallback. ++ * ++ * This function is fully specialized for each compiler. ++ */ ++ template ++ bool builtin_add_overflow(T summand_1, T summand_2, T& result) ++ { ++ return fallback_add_overflow(summand_1, summand_2, result); ++ } ++ ++#if defined(__GNUC__) || defined(__clang__) ++#if __GNUC__ >= 5 || __clang_major__ >= 3 ++ ++/*! ++ * This macro pastes a specialization of builtin_add_overflow using gcc's & ++ * clang's __builtin_(s/u)add(l)(l)_overlow() ++ * ++ * The add function is implemented by forwarding the parameters to the intrinsic ++ * and returning its value. ++ * ++ * The intrinsics are documented here: ++ * https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html#Integer-Overflow-Builtins ++ */ ++#define SPECIALIZE_builtin_add_overflow(type, builtin_name) \ ++ /* Full specialization of builtin_add_overflow for type using the */ \ ++ /* builtin_name intrinsic */ \ ++ template <> \ ++ inline bool builtin_add_overflow(type summand_1, type summand_2, type & result) \ ++ { \ ++ return builtin_name(summand_1, summand_2, &result); \ ++ } ++ ++ SPECIALIZE_builtin_add_overflow(int, __builtin_sadd_overflow); ++ SPECIALIZE_builtin_add_overflow(long, __builtin_saddl_overflow); ++ SPECIALIZE_builtin_add_overflow(long long, __builtin_saddll_overflow); ++ ++ SPECIALIZE_builtin_add_overflow(unsigned int, __builtin_uadd_overflow); ++ SPECIALIZE_builtin_add_overflow(unsigned long, __builtin_uaddl_overflow); ++ SPECIALIZE_builtin_add_overflow(unsigned long long, __builtin_uaddll_overflow); ++ ++#undef SPECIALIZE_builtin_add_overflow ++#endif // __GNUC__ >= 5 || __clang_major >= 3 ++ ++#elif defined(_MSC_VER) ++// intrinsics are not in available in MSVC 2005 and earlier ++#if _MSC_VER >= 1400 ++ ++/*! ++ * This macro pastes a specialization of builtin_add_overflow using MSVC's ++ * U(Int/Long/LongLong)Add. ++ * ++ * The add function is implemented by forwarding the parameters to the ++ * intrinsic. As MSVC's intrinsics return S_OK on success, this specialization ++ * returns whether the intrinsics return value does not equal S_OK. This ensures ++ * a uniform interface of the add function (false is returned when no overflow ++ * occurs, true on overflow). ++ * ++ * The intrinsics are documented here: ++ * https://msdn.microsoft.com/en-us/library/windows/desktop/ff516460(v=vs.85).aspx ++ */ ++#define SPECIALIZE_builtin_add_overflow_WIN(type, builtin_name) \ ++ template <> \ ++ inline bool builtin_add_overflow(type summand_1, type summand_2, type& result) \ ++ { \ ++ return builtin_name(summand_1, summand_2, &result) != S_OK; \ ++ } ++ ++ SPECIALIZE_builtin_add_overflow_WIN(unsigned int, UIntAdd); ++ SPECIALIZE_builtin_add_overflow_WIN(unsigned long, ULongAdd); ++ SPECIALIZE_builtin_add_overflow_WIN(unsigned long long, ULongLongAdd); ++ ++#undef SPECIALIZE_builtin_add_overflow_WIN ++ ++#endif // _MSC_VER >= 1400 ++#endif // defined(_MSC_VER) ++ ++ } // namespace Internal ++ ++ /*! ++ * @brief Safe addition, throws an exception on overflow. ++ * ++ * This function returns the result of summand_1 and summand_2 only when the ++ * operation would not overflow, otherwise an exception of type ++ * std::overflow_error is thrown. ++ * ++ * @param[in] summand_1, summand_2 summands to be summed up ++ * @return the sum of summand_1 and summand_2 ++ * @throws std::overflow_error if the addition would overflow ++ * ++ * This function utilizes compiler builtins when available and should have a ++ * very small performance hit then. When builtins are unavailable, a more ++ * extensive check is required. ++ * ++ * Builtins are available for the following configurations: ++ * - GCC/Clang for signed and unsigned int, long and long long (not char & short) ++ * - MSVC for unsigned int, long and long long ++ */ ++ template ++ T add(T summand_1, T summand_2) ++ { ++ T res = 0; ++ if (Internal::builtin_add_overflow(summand_1, summand_2, res)) { ++ throw std::overflow_error("Overflow in addition"); ++ } ++ return res; ++ } ++ ++} // namespace Safe ++ ++#endif // SAFE_OP_HPP_ diff -Nru exiv2-0.23/debian/patches/CVE-2018-16336.patch exiv2-0.23/debian/patches/CVE-2018-16336.patch --- exiv2-0.23/debian/patches/CVE-2018-16336.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-16336.patch 2019-01-08 16:33:37.000000000 +0000 @@ -0,0 +1,130 @@ +Backported of: + +From 35b3e596edacd2437c2c5d3dd2b5c9502626163d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Fri, 17 Aug 2018 16:41:05 +0200 +Subject: [PATCH] Add overflow & overread checks to PngChunk::parseTXTChunk() + +This function was creating a lot of new pointers and strings without +properly checking the array bounds. This commit adds several calls +to enforce(), making sure that the pointers stay within bounds. +Strings are now created using the helper function +string_from_unterminated() to prevent overreads in the constructor of +std::string. + +This fixes #400 +Index: exiv2-0.23/src/pngchunk.cpp +=================================================================== +--- exiv2-0.23.orig/src/pngchunk.cpp ++++ exiv2-0.23/src/pngchunk.cpp +@@ -51,6 +51,8 @@ extern "C" { + #include "iptc.hpp" + #include "image.hpp" + #include "error.hpp" ++#include "helper_functions.hpp" ++#include "safe_op.hpp" + + // + standard includes + #include +@@ -138,6 +140,8 @@ namespace Exiv2 { + + if(type == zTXt_Chunk) + { ++ if (data.size_ < Safe::add(keysize, 2)) throw Error(58); ++ + // Extract a deflate compressed Latin-1 text chunk + + // we get the compression method after the key +@@ -154,11 +158,13 @@ namespace Exiv2 { + // compressed string after the compression technique spec + const byte* compressedText = data.pData_ + keysize + 2; + unsigned int compressedTextSize = data.size_ - keysize - 2; ++ if (compressedTextSize >= data.size_) throw Error(58); + + zlibUncompress(compressedText, compressedTextSize, arr); + } + else if(type == tEXt_Chunk) + { ++ if (data.size_ < Safe::add(keysize, 1)) throw Error(58); + // Extract a non-compressed Latin-1 text chunk + + // the text comes after the key, but isn't null terminated +@@ -169,6 +175,7 @@ namespace Exiv2 { + } + else if(type == iTXt_Chunk) + { ++ if (data.size_ < Safe::add(keysize, 3)) throw Error(58); + const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); + if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators"); + +@@ -189,41 +196,43 @@ namespace Exiv2 { + } + + // language description string after the compression technique spec +- std::string languageText((const char*)(data.pData_ + keysize + 3)); +- unsigned int languageTextSize = static_cast(languageText.size()); +- // translated keyword string after the language description +- std::string translatedKeyText((const char*)(data.pData_ + keysize + 3 + languageTextSize +1)); +- unsigned int translatedKeyTextSize = static_cast(translatedKeyText.size()); ++ const size_t languageTextMaxSize = data.size_ - keysize - 3; ++ std::string languageText = ++ string_from_unterminated((const char*)(data.pData_ + Safe::add(keysize, 3)), languageTextMaxSize); ++ const unsigned int languageTextSize = static_cast(languageText.size()); + +- if ( compressionFlag == 0x00 ) +- { +- // then it's an uncompressed iTXt chunk +-#ifdef DEBUG +- std::cout << "Exiv2::PngChunk::parseTXTChunk: We found an uncompressed iTXt field\n"; +-#endif ++ if (data.size_ < Safe::add(static_cast(Safe::add(keysize, 4)), languageTextSize)) throw Error(58); ++ // translated keyword string after the language description ++ std::string translatedKeyText = ++ string_from_unterminated((const char*)(data.pData_ + keysize + 3 + languageTextSize + 1), ++ data.size_ - (keysize + 3 + languageTextSize + 1)); ++ const unsigned int translatedKeyTextSize = static_cast(translatedKeyText.size()); ++ ++ if ((compressionFlag == 0x00) || (compressionFlag == 0x01 && compressionMethod == 0x00)) { ++ if (Safe::add(static_cast(keysize + 3 + languageTextSize + 1), ++ Safe::add(translatedKeyTextSize, 1u)) > data.size_) throw Error(58); + +- // the text comes after the translated keyword, but isn't null terminated + const byte* text = data.pData_ + keysize + 3 + languageTextSize + 1 + translatedKeyTextSize + 1; +- long textsize = data.size_ - (keysize + 3 + languageTextSize + 1 + translatedKeyTextSize + 1); ++ const long textsize = data.size_ - (keysize + 3 + languageTextSize + 1 + translatedKeyTextSize + 1); + +- arr.alloc(textsize); +- arr = DataBuf(text, textsize); +- } +- else if ( compressionFlag == 0x01 && compressionMethod == 0x00 ) +- { +- // then it's a zlib compressed iTXt chunk ++ if (compressionFlag == 0x00) { ++ // then it's an uncompressed iTXt chunk + #ifdef DEBUG +- std::cout << "Exiv2::PngChunk::parseTXTChunk: We found a zlib compressed iTXt field\n"; ++ std::cout << "Exiv2::PngChunk::parseTXTChunk: We found an uncompressed iTXt field\n"; + #endif + +- // the compressed text comes after the translated keyword, but isn't null terminated +- const byte* compressedText = data.pData_ + keysize + 3 + languageTextSize + 1 + translatedKeyTextSize + 1; +- long compressedTextSize = data.size_ - (keysize + 3 + languageTextSize + 1 + translatedKeyTextSize + 1); ++ arr.alloc(textsize); ++ arr = DataBuf(text, textsize); ++ } else if (compressionFlag == 0x01 && compressionMethod == 0x00) { ++ // then it's a zlib compressed iTXt chunk ++#ifdef DEBUG ++ std::cout << "Exiv2::PngChunk::parseTXTChunk: We found a zlib compressed iTXt field\n"; ++#endif + +- zlibUncompress(compressedText, compressedTextSize, arr); +- } +- else +- { ++ // the compressed text comes after the translated keyword, but isn't null terminated ++ zlibUncompress(text, textsize, arr); ++ } ++ } else { + // then it isn't zlib compressed and we are sunk + #ifdef DEBUG + std::cerr << "Exiv2::PngChunk::parseTXTChunk: Non-standard iTXt compression method.\n"; diff -Nru exiv2-0.23/debian/patches/CVE-2018-16336-support-funcs.patch exiv2-0.23/debian/patches/CVE-2018-16336-support-funcs.patch --- exiv2-0.23/debian/patches/CVE-2018-16336-support-funcs.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-16336-support-funcs.patch 2019-01-08 16:33:44.000000000 +0000 @@ -0,0 +1,26 @@ +diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp +index 607fdca..1964237 100644 +--- a/src/pngchunk.cpp ++++ b/src/pngchunk.cpp +@@ -51,7 +51,6 @@ extern "C" { + #include "iptc.hpp" + #include "image.hpp" + #include "error.hpp" +-#include "helper_functions.hpp" + #include "safe_op.hpp" + + // + standard includes +@@ -64,6 +63,13 @@ extern "C" { + #include + #include + ++/* Added as support of CVE-2018-16336 */ ++std::string string_from_unterminated(const char* data, size_t data_length) ++{ ++ const size_t StringLength = strnlen(data, data_length); ++ ++ return std::string(data, StringLength); ++} + /* + + URLs to find informations about PNG chunks : diff -Nru exiv2-0.23/debian/patches/CVE-2018-17581.patch exiv2-0.23/debian/patches/CVE-2018-17581.patch --- exiv2-0.23/debian/patches/CVE-2018-17581.patch 1970-01-01 00:00:00.000000000 +0000 +++ exiv2-0.23/debian/patches/CVE-2018-17581.patch 2019-01-08 16:33:29.000000000 +0000 @@ -0,0 +1,30 @@ +From b3d077dcaefb6747fff8204490f33eba5a144edb Mon Sep 17 00:00:00 2001 +From: Robin Mills +Date: Sat, 13 Oct 2018 11:38:56 +0200 +Subject: [PATCH] Fix #460 by adding more checks in + CiffDirectory::readDirectory +diff --git a/src/crwimage.cpp b/src/crwimage.cpp +index 6cd8832..d1b031e 100644 +--- a/src/crwimage.cpp ++++ b/src/crwimage.cpp +@@ -456,6 +456,8 @@ namespace Exiv2 { + uint32_t size, + ByteOrder byteOrder) + { ++ if (size < 4) ++ throw Error(33); + uint32_t o = getULong(pData + size - 4, byteOrder); + if (o + 2 > size) throw Error(33); + uint16_t count = getUShort(pData + o, byteOrder); +@@ -464,8 +466,10 @@ namespace Exiv2 { + <<", " << count << " entries \n"; + #endif + o += 2; ++ if ( (o + (count * 10)) > size ) ++ throw Error(33); ++ + for (uint16_t i = 0; i < count; ++i) { +- if (o + 10 > size) throw Error(33); + uint16_t tag = getUShort(pData + o, byteOrder); + CiffComponent::AutoPtr m; + switch (CiffComponent::typeId(tag)) { diff -Nru exiv2-0.23/debian/patches/series exiv2-0.23/debian/patches/series --- exiv2-0.23/debian/patches/series 2013-12-17 11:54:38.000000000 +0000 +++ exiv2-0.23/debian/patches/series 2019-01-08 16:38:39.000000000 +0000 @@ -1,3 +1,21 @@ 00_hyphens_used_as_minus.diff config-updates.diff libtool-ppc64el.diff +CVE-2018-10958_10999_1_of_2.patch +CVE-2018-10958_10999_2_of_2.patch +CVE-2018-10998.patch +CVE-2018-11531_1_of_3.patch +CVE-2018-11531_2_of_3.patch +CVE-2018-11531_3_of_3.patch +CVE-2018-12265_prereq.patch +CVE-2018-12265.patch +CVE-2018-12264.patch +CVE-2017-11591.patch +CVE-2017-11683.patch +CVE-2017-14859_14862_14864.patch +CVE-2017-17669.patch +CVE-2017-9239.patch +CVE-2018-17581.patch +CVE-2018-16336.patch +CVE-2018-16336-support-funcs.patch +CVE-2018-10958_10999-minor-fix.patch