From: Yue Tao <yue....@windriver.com> [ CQID: WIND00366809 ]
Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow.
Signed-off-by: Yue Tao <yue....@windriver.com>
Signed-off-by: Robert Yang <liezhi.y...@windriver.com>
Signed-off-by: Mark Hatle <mark.ha...@windriver.com>
---
.../libexif/0003-libexif-CVE-2012-2841.patch | 47 ++++++++++++++++++++++
meta/recipes-support/libexif/libexif_0.6.20.bb | 3 +-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
diff --git a/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
new file mode 100644
index 0000000..2e2c949
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
@@ -0,0 +1,47 @@
+Index: libexif/exif-entry.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v
+retrieving revision 1.148
+retrieving revision 1.149
+diff -c -u -r1.148 -r1.149
+--- a/libexif/exif-entry.c 12 Jul 2012 17:13:03 -0000 1.148
++++ b/libexif/exif-entry.c 12 Jul 2012 17:26:01 -0000 1.149
+@@ -860,14 +860,15 @@ exif_entry_get_value (ExifEntry *e, char
+ */
+ bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
+
++ if (!e || !e->parent || !e->parent->parent || !maxlen)
++ return val;
++
+ /* make sure the returned string is zero terminated */
+ memset (val, 0, maxlen);
+ maxlen--;
+ memset (b, 0, sizeof (b));
+
+ /* We need the byte order */
+- if (!e || !e->parent || !e->parent->parent)
+- return val;
+ o = exif_data_get_byte_order (e->parent->parent);
+
+ /* Sanity check */
+@@ -925,17 +926,16 @@ exif_entry_get_value (ExifEntry *e, char
+
+ /*
+ * If we reach this point, the tag does not
+- * comply with the standard and seems to contain data.
++ * comply with the standard but seems to contain data.
+ * Print as much as possible.
+ */
+ exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
+ _("Tag UserComment does not comply "
+ "with standard but contains data."));
+- for (; (i < e->size) && (strlen (val) < maxlen - 1); i++) {
++ for (j = 0; (i < e->size) && (j < maxlen); i++, j++) {
+ exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
+ _("Byte at position %i: 0x%02x"), i, e->data[i]);
+- val[strlen (val)] =
+- isprint (e->data[i]) ? e->data[i] : '.';
++ val[j] = isprint (e->data[i]) ? e->data[i] : '.';
+ }
+ break;
+
diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb
index 45b697d..7d8f8fd 100644
--- a/meta/recipes-support/libexif/libexif_0.6.20.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.20.bb
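Review bot: The relocated guard in the first inner hunk tests `e`, its parents and `maxlen` but not `val`, which the next statement hands to `memset (val, 0, maxlen)`; extending the condition to `if (!e || !e->parent || !e->parent->parent || !maxlen || !val)` would make the early return cover every pointer dereferenced at that point. In the second inner hunk the rewritten loop bounds `j` by the already-decremented `maxlen`, so (assuming `maxlen` is not modified between the two hunks) the last byte zeroed by the memset remains the terminator; a short comment such as `/* maxlen was decremented above, so val[maxlen] keeps the NUL from memset */` would help keep a later edit from reintroducing the `maxlen - 1` underflow. The patch file itself begins at `Index:` with no description or `Upstream-Status:` line, so the CVE id and the upstream CVS revision (1.148 to 1.149) can only be recovered from the file name and the RCS header. exif_entry_get_value starts and ends outside both inner hunks, so the declaration of `j` and the value of `i` on loop entry are not visible here.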
@@ -8,7 +8,8 @@ PR = "r1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
 file://0001-libexif-CVE-2012-2813.patch \
- file://0002-libexif-CVE-2012-2812.patch"
+ file://0002-libexif-CVE-2012-2812.patch \
+ file://0003-libexif-CVE-2012-2841.patch"
 SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3"
 SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715"
--
1.8.1.2.545.g2f19ada
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core