Brian May <b...@debian.org> writes:

> Brian May <b...@debian.org> writes:
>
>> Next month I plan to continue to exiv2 (unless somebody else wants to take
>> over at this point). It might also be worth spending time and assisting the
>> security team fix exiv2 (and maybe tiff too) in the other distributions.
>
> Since I looked at this last month, I have noticed that exiv2 has been
> marked as no-DSA in Jessie and Stretch.
>
> I have a fixed version - based on a patch that was approved and merged
> upstream, which I am in the process of testing, however wondered if it
> is still worth uploading?
>
> The patch from upstream master applies to Wheezy without minimal changes
> - in particular I had to remove the tests (there doesn't appear to be
> any tests in wheezy) and make a small change in the name of the file
> patched.
>
> It seems a bit strange fixing a problem in wheezy, but not Jessie or
> Stretch.
Here is the patch for the wheezy version. There is also an AMD64 version available for testing: https://people.debian.org/~bam/debian/pool/main/e/exiv2/ (I can also build an i386 version if required) diff -Nru exiv2-0.23/debian/changelog exiv2-0.23/debian/changelog --- exiv2-0.23/debian/changelog 2017-10-26 01:05:29.000000000 +1100 +++ exiv2-0.23/debian/changelog 2018-02-05 17:33:01.000000000 +1100 @@ -1,3 +1,10 @@ +exiv2 (0.23-1+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS team. + * CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp. + + -- Brian May <b...@debian.org> Mon, 05 Feb 2018 17:33:01 +1100 + exiv2 (0.23-1+deb7u2) wheezy-security; urgency=medium * Non-maintainer upload by the LTS team. diff -Nru exiv2-0.23/debian/patches/CVE-2017-17669.patch exiv2-0.23/debian/patches/CVE-2017-17669.patch --- exiv2-0.23/debian/patches/CVE-2017-17669.patch 1970-01-01 10:00:00.000000000 +1000 +++ exiv2-0.23/debian/patches/CVE-2017-17669.patch 2018-02-05 17:32:50.000000000 +1100 
@@ -0,0 +1,39 @@ +From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cer...@cgc-instruments.com> +Date: Mon, 22 Jan 2018 23:56:08 +0100 +Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by + @brianmay + +- consider that key is advanced by 8 bytes if stripHeader is true + => length is reduced by same amount + Fixed by adding offset to the check in the loop +- Rewrote loop so that keysize is checked before the next + iteration (preventing an out of bounds read) +--- + src/pngchunk_int.cpp | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/src/pngchunk.cpp ++++ b/src/pngchunk.cpp +@@ -111,15 +111,17 @@ + { + // From a tEXt, zTXt, or iTXt chunk, + // we get the key, it's a null terminated string at the chunk start +- if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14); +- const byte *key = data.pData_ + (stripHeader ? 8 : 0); ++ const int offset = stripHeader ? 8 : 0; ++ if (data.size_ <= offset) throw Error(14); ++ const byte *key = data.pData_ + offset; + + // Find null string at end of key. + int keysize=0; +- for ( ; key[keysize] != 0 ; keysize++) ++ while (key[keysize] != 0) + { ++ keysize++; + // look if keysize is valid. +- if (keysize >= data.size_) ++ if (keysize+offset >= data.size_) + throw Error(14); + } + diff -Nru exiv2-0.23/debian/patches/series exiv2-0.23/debian/patches/series --- exiv2-0.23/debian/patches/series 2017-10-26 01:05:29.000000000 +1100 +++ exiv2-0.23/debian/patches/series 2018-02-05 17:32:07.000000000 +1100 @@ -4,3 +4,4 @@ CVE-2017-11683.patch some-hardening.patch CVE-2017-14859_14862_14864.patch +CVE-2017-17669.patch -- Brian May <b...@debian.org>
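Review bot: the debian/changelog entry says "Fix out of bounds read in src/pngchunk_int.cpp", but the file this upload actually patches is src/pngchunk.cpp (see the `--- a/src/pngchunk.cpp` / `+++ b/src/pngchunk.cpp` headers in debian/patches/CVE-2017-17669.patch); the _int suffix only exists in upstream master. Name the wheezy file in the changelog so the entry matches what deb7u3 changes, e.g. "CVE-2017-17669: Fix out of bounds read in src/pngchunk.cpp (pngchunk_int.cpp upstream)."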
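Review bot: the bounds check in the pngchunk.cpp hunk is correct, but the patch file lacks DEP-3 headers and its retained upstream diffstat ("src/pngchunk_int.cpp | 10 ++++++----") contradicts the `--- a/src/pngchunk.cpp` file header two lines below it. On the logic: the old `for ( ; key[keysize] != 0 ; keysize++)` read `key[keysize]` in the loop condition and only then tested `keysize >= data.size_`, and `key` already points `offset` bytes into `data.pData_`, so with stripHeader the bound was short by 8 and, for a key with no terminator, the read at index `data.size_` happened one iteration before the throw even with offset 0. The rewritten loop reads `key[keysize]` only after `keysize+offset >= data.size_` has been rejected, and the first read `key[0]` is covered by the earlier `if (data.size_ <= offset) throw Error(14);`, so every access now lands below `data.size_`. Suggest adding `Origin: upstream, commit 4429b962e10e9f2e905e20b183ba008c616cd366` (the hash is already in the `From` line) plus a line noting that the hunk was re-targeted from src/pngchunk_int.cpp to src/pngchunk.cpp and the tests dropped, and either fixing the diffstat or deleting it; as it stands the "[PATCH 1/3]" subject and the _int.cpp diffstat read as an unmodified upstream commit, which is not what is applied here.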
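As an added illustration of the read-then-check ordering the commit message describes (consider the 8-byte offset; check keysize before the next read), and not code from exiv2 or from this patch: the two C functions below are my hypothetical stand-alone model of the keyword scan. One keeps the pre-patch order, reading the byte first and testing a bound that ignores the offset afterwards, but reports the would-be out-of-bounds read through a flag instead of performing it; the other uses the patched order. The chunk bodies, the function names and the contents of the 8-byte prefix are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model (not exiv2 code) of the keyword scan after the patch.
 * A PNG tEXt/zTXt/iTXt chunk body starts with a NUL-terminated keyword; when
 * strip_header is set the scan starts 8 bytes in, as the patched code does
 * with `offset = stripHeader ? 8 : 0`.
 *
 * Returns the keyword length, or -1 where the patched code throws Error(14):
 * no room after the header, or no terminator inside the chunk.
 */
long png_key_length_fixed(const uint8_t *data, size_t size, int strip_header)
{
    size_t offset = strip_header ? 8 : 0;
    if (size <= offset)                 /* patched: if (data.size_ <= offset) throw */
        return -1;
    const uint8_t *key = data + offset;
    size_t keysize = 0;
    /* key[0] is in bounds because size > offset; every later key[keysize]
     * is read only after keysize + offset < size has been established. */
    while (key[keysize] != 0) {
        keysize++;
        if (keysize + offset >= size)   /* patched: if (keysize+offset >= data.size_) throw */
            return -1;
    }
    return (long)keysize;
}

/*
 * Model of the pre-patch loop, with the same order of operations as
 *   for ( ; key[keysize] != 0 ; keysize++) { if (keysize >= data.size_) throw; }
 * i.e. the byte is read in the loop condition first and the bound, which
 * ignores the offset, is tested afterwards. The unsafe read is not performed:
 * at the point where the original would read past the buffer, *oob_read is
 * set and -1 returned, so the defect is visible without undefined behaviour.
 */
long png_key_length_prepatch(const uint8_t *data, size_t size, int strip_header,
                             int *oob_read)
{
    size_t offset = strip_header ? 8 : 0;
    *oob_read = 0;
    if (size <= offset)
        return -1;
    size_t keysize = 0;
    for (;;) {
        size_t idx = offset + keysize;  /* the index the original's key[keysize] touches */
        if (idx >= size) {              /* original: the out-of-bounds read happens here */
            *oob_read = 1;
            return -1;
        }
        if (data[idx] == 0)
            break;
        if (keysize >= size)            /* original check: no offset, and after the read */
            return -1;
        keysize++;
    }
    return (long)keysize;
}

/* 1 if the pre-patch loop would have read past `data` on this input. */
int prepatch_overreads(const uint8_t *data, size_t size, int strip_header)
{
    int oob = 0;
    png_key_length_prepatch(data, size, strip_header, &oob);
    return oob;
}

/* Constructed chunk bodies, not taken from a real PNG file. */
static const uint8_t kTerminated[]   = {'C','o','m','m','e','n','t',0,'s','o','m','e'};
static const uint8_t kUnterminated[] = {'C','o','m','m','e','n','t'};
/* 8-byte prefix (length + type, as stripHeader expects) followed by "Author". */
static const uint8_t kWithHeader[]   = {0,0,0,7,'t','E','X','t','A','u','t','h','o','r',0,'x'};
static const uint8_t kHeaderUnterm[] = {0,0,0,6,'t','E','X','t','A','u','t','h','o','r'};

int main(void)
{
    struct { const char *name; const uint8_t *d; size_t n; int strip; } cases[] = {
        { "terminated, no header",    kTerminated,   sizeof kTerminated,   0 },
        { "unterminated, no header",  kUnterminated, sizeof kUnterminated, 0 },
        { "terminated, header",       kWithHeader,   sizeof kWithHeader,   1 },
        { "unterminated, header",     kHeaderUnterm, sizeof kHeaderUnterm, 1 },
        { "header only",              kHeaderUnterm, 8,                    1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long fixed = png_key_length_fixed(cases[i].d, cases[i].n, cases[i].strip);
        int oob = prepatch_overreads(cases[i].d, cases[i].n, cases[i].strip);
        printf("%-24s fixed=%ld  prepatch would overread=%d\n", cases[i].name, fixed, oob);
    }
    return 0;
}
```

The "unterminated, no header" case is the one to note: even with offset 0 the old check `keysize >= data.size_` only fires after `key[size_]` has already been read, which is why the upstream change moved the check before the next read rather than only adding the offset.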