rpms/exiv2/devel exiv-0.16-CVE-2007-6353.patch, NONE, 1.1 exiv2.spec, 1.15, 1.16

Rex Dieter (rdieter) fedora-extras-commits at redhat.com
Mon Dec 17 16:45:05 UTC 2007


Author: rdieter

Update of /cvs/pkgs/rpms/exiv2/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15702

Modified Files:
	exiv2.spec 
Added Files:
	exiv-0.16-CVE-2007-6353.patch 
Log Message:
* Mon Dec 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 0.16-0.3.pre1
- CVE-2007-6353 (#425921, #425924)


exiv-0.16-CVE-2007-6353.patch:

--- NEW FILE exiv-0.16-CVE-2007-6353.patch ---
--- trunk/src/exif.cpp	2007/09/24 14:30:10	1231
+++ trunk/src/exif.cpp	2007/12/14 17:13:21	1346
@@ -212,11 +212,13 @@
         ExifData::const_iterator sizes;
         ExifKey key("Exif.Thumbnail.StripByteCounts");
         sizes = exifData.findKey(key);
-        if (sizes == exifData.end()) return 2;
+        if (sizes == exifData.end()) return 1;
 
-        long totalSize = 0;
+        uint32_t totalSize = 0;
         for (long i = 0; i < sizes->count(); ++i) {
-            totalSize += sizes->toLong(i);
+            uint32_t size = sizes->toLong(i);
+            if (size > 0xffffffff - totalSize) return 1;
+            totalSize += size;
         }
         DataBuf stripsBuf(totalSize);
 
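Review bot: `DataBuf stripsBuf(totalSize)` is sized entirely from the StripByteCounts values read out of the file, and the new check only stops the 32-bit sum from wrapping. A malformed thumbnail directory can therefore still request an allocation close to 4 GiB before any strip has been compared with the input length; the per-strip bound against `len` only runs in the following hunk, after the buffer exists. Consider rejecting oversized totals before allocating, e.g. `if (len < 0 || totalSize > static_cast<unsigned long>(len)) return 2;`. That assumes `len` is the byte length of `buf` and that strips may not overlap, neither of which is visible here. The enclosing function starts and ends outside the hunk.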
@@ -225,21 +227,23 @@
         ExifData::iterator stripOffsets;
         key = ExifKey("Exif.Thumbnail.StripOffsets");
         stripOffsets = exifData.findKey(key);
-        if (stripOffsets == exifData.end()) return 2;
-        if (stripOffsets->count() != sizes->count()) return 2;
+        if (stripOffsets == exifData.end()) return 1;
+        if (stripOffsets->count() != sizes->count()) return 1;
 
         std::ostringstream os; // for the strip offsets
-        long currentOffset = 0;
-        long firstOffset = stripOffsets->toLong(0);
-        long lastOffset = 0;
-        long lastSize = 0;
+        uint32_t currentOffset = 0;
+        uint32_t firstOffset = stripOffsets->toLong(0);
+        uint32_t lastOffset = 0;
+        uint32_t lastSize = 0;
         for (long i = 0; i < stripOffsets->count(); ++i) {
-            long offset = stripOffsets->toLong(i);
+            uint32_t offset = stripOffsets->toLong(i);
             lastOffset = offset;
-            long size = sizes->toLong(i);
+            uint32_t size = sizes->toLong(i);
             lastSize = size;
-            if (len < offset + size) return 1;
-
+            if (   size > 0xffffffff - offset
+                || static_cast<uint32_t>(len) < offset + size) {
+                return 2;
+            }
             std::memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);
             os << currentOffset << " ";
             currentOffset += size;
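Review bot: The bound check `static_cast<uint32_t>(len) < offset + size` trusts the cast of `len`, whose declaration is outside the hunk. If `len` is signed, a negative value becomes a very large unsigned length and the check no longer bounds the `memcpy` source; where `len` is wider than 32 bits the cast also truncates. A guard such as `if (len < 0) return 2;` before the loop, or doing the comparison in a wider unsigned type, would close this; the same expression appears in the JPEGInterchangeFormat hunk below. Separately, `stripOffsets->toLong(0)` is evaluated before the loop even when both tags have a count of zero, which the `stripOffsets->count() != sizes->count()` test lets through; an explicit `if (sizes->count() == 0) return 1;` would make that case well defined.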
@@ -300,12 +304,15 @@
         ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");
         ExifData::iterator format = exifData.findKey(key);
         if (format == exifData.end()) return 1;
-        long offset = format->toLong();
+        uint32_t offset = format->toLong();
         key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength");
         ExifData::const_iterator length = exifData.findKey(key);
         if (length == exifData.end()) return 1;
-        long size = length->toLong();
-        if (len < offset + size) return 2;
+        uint32_t size = length->toLong();
+        if (   size > 0xffffffff - offset
+            || static_cast<uint32_t>(len) < offset + size) {
+            return 2;
+        }
         format->setDataArea(buf + offset, size);
         format->setValue("0");
         if (pIfd1) {
@@ -592,8 +599,14 @@
         if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder());
         if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder());
         if (pIfd1_)   add(pIfd1_->begin(),   pIfd1_->end(),   byteOrder());
-        // Read the thumbnail (but don't worry whether it was successful or not)
-        readThumbnail();
+        // Finally, read the thumbnail
+        rc = readThumbnail();
+        if (0 < rc) {
+#ifndef SUPPRESS_WARNINGS
+            std::cerr << "Warning: Failed to read thumbnail, rc = "
+                      << rc << "\n";
+#endif
+        }
 
         return 0;
     } // ExifData::load
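Review bot: The warning prints a bare `rc`, and nothing in the new code documents what the values mean, even though this commit swaps 1 and 2 in the TIFF thumbnail path to line up with the JPEG path. As far as the hunks above show, 1 is returned when a thumbnail tag is missing or inconsistent and 2 when the thumbnail data lies outside the buffer. A comment next to the call would record that, e.g. `// rc: 1 = thumbnail tags missing/inconsistent, 2 = thumbnail data out of bounds`. Note also that `if (0 < rc)` stays silent for a negative return; if `readThumbnail()` can never return one, saying so in the comment would help. `rc` is declared outside the hunk.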


Index: exiv2.spec
===================================================================
RCS file: /cvs/pkgs/rpms/exiv2/devel/exiv2.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- exiv2.spec	26 Nov 2007 18:13:01 -0000	1.15
+++ exiv2.spec	17 Dec 2007 16:44:26 -0000	1.16
@@ -9,7 +9,7 @@
 Summary: Exif and Iptc metadata manipulation library
 Name:	 exiv2
 Version: 0.16
-Release: 0.2.%{?pre}%{?dist}
+Release: 0.3.%{?pre}%{?dist}
 
 License: GPLv2+
 Group:	 Applications/Multimedia
@@ -25,6 +25,7 @@
 #BuildRequires: doxygen graphviz libxslt
 
 Patch2: exiv2-0.9.1-deps.patch
+Patch3: exiv-0.16-CVE-2007-6353.patch
 
 %if 0%{?libs}
 Requires: %{name}-libs = %{version}-%{release}
@@ -74,6 +75,7 @@
 %setup -q -n %{name}-%{version}%{?pre:-%{pre}}
 
 %patch2 -p1 -b .deps
+%patch3 -p1 -b .CVE-2007-6353
 
 mkdir doc/html
 
@@ -134,6 +136,9 @@
 
 
 %changelog
+* Mon Dec 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 0.16-0.3.pre1
+- CVE-2007-6353 (#425921, #425924)
+
 * Mon Nov 26 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 0.16-0.2.pre1
 - -libs subpkg toggle (f8+)
 



