From 72e31d63a7e6d805f305a176ae29c1f513273022 Mon Sep 17 00:00:00 2001 From: maxice8 Date: Wed, 3 Oct 2018 12:40:21 -0300 Subject: [PATCH] jhead: fix CVE-2018-16554 CVE-2018-17088 CVE-2018-6612 --- srcpkgs/jhead/patches/CVE-2018-16554.patch | 20 ++++++++++++++++ srcpkgs/jhead/patches/CVE-2018-17088.patch | 27 ++++++++++++++++++++++ srcpkgs/jhead/patches/CVE-2018-6612.patch | 23 ++++++++++++++++++ srcpkgs/jhead/template | 2 +- 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/jhead/patches/CVE-2018-16554.patch create mode 100644 srcpkgs/jhead/patches/CVE-2018-17088.patch create mode 100644 srcpkgs/jhead/patches/CVE-2018-6612.patch diff --git a/srcpkgs/jhead/patches/CVE-2018-16554.patch b/srcpkgs/jhead/patches/CVE-2018-16554.patch new file mode 100644 index 00000000000..ba47806e370 --- /dev/null +++ b/srcpkgs/jhead/patches/CVE-2018-16554.patch @@ -0,0 +1,20 @@ +From: Ludovic Rousseau +Date: Sat Sep 8 16:19:07 CEST 2018 +Subject: fix heap buffer overflow + +Bug-Debian: https://bugs.debian.org/908176 +Description: Fix CVE-2018-16554 + +--- gpsinfo.c ++++ gpsinfo.c +@@ -162,7 +162,8 @@ + break; + + case TAG_GPS_ALT: +- sprintf(ImageInfo.GpsAlt + 1, "%.2fm", ++ snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1, ++ "%.2fm", + ConvertAnyFormat(ValuePtr, Format)); + break; + } + diff --git a/srcpkgs/jhead/patches/CVE-2018-17088.patch b/srcpkgs/jhead/patches/CVE-2018-17088.patch new file mode 100644 index 00000000000..733c7f31bf1 --- /dev/null +++ b/srcpkgs/jhead/patches/CVE-2018-17088.patch @@ -0,0 +1,27 @@ +From: Ludovic Rousseau +Date: Wed Sep 5 15:32:00 CEST 2018 +Subject: Fix heap buffer overflow + +Bug-Debian: http://bugs.debian.org/907925 +Description: Fix CVE-2018-17088 + +--- gpsinfo.c ++++ gpsinfo.c +@@ -4,6 +4,7 @@ + // Matthias Wandel, Dec 1999 - Dec 2002 + //-------------------------------------------------------------------------- + #include "jhead.h" ++#include + + #define MAX_GPS_TAG 0x1e + +@@ -101,7 +102,7 @@ + unsigned OffsetVal; + OffsetVal = Get32u(DirEntry+8); + // If its bigger than 4 bytes, the dir entry contains an offset. +- if (OffsetVal+ByteCount > ExifLength){ ++ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ + // Bogus pointer offset and / or bytecount value + ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0); + continue; + diff --git a/srcpkgs/jhead/patches/CVE-2018-6612.patch b/srcpkgs/jhead/patches/CVE-2018-6612.patch new file mode 100644 index 00000000000..a9c485bc4a9 --- /dev/null +++ b/srcpkgs/jhead/patches/CVE-2018-6612.patch @@ -0,0 +1,23 @@ +From: Ludovic Rousseau +Date: Sat, 3 Feb 2018 10:23:09 +0100 +Subject: Fix heap buffer overflow + +Bug-Debian: http://bugs.debian.org/889272 + +--- + exif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/exif.c b/exif.c +index bcde6c8..1dee145 100644 +--- exif.c ++++ exif.c +@@ -1020,7 +1020,7 @@ void process_EXIF (unsigned char * ExifSection, unsigned int length) + + FirstOffset = Get32u(ExifSection+12); + if (FirstOffset < 8 || FirstOffset > 16){ +- if (FirstOffset < 16 || FirstOffset > length-16){ ++ if (FirstOffset < 16 || length < 16 || FirstOffset > length-16){ + ErrNonfatal("invalid offset for first Exif IFD value",0,0); + return; + } diff --git a/srcpkgs/jhead/template b/srcpkgs/jhead/template index c7d5794bece..398529d9b49 100644 --- a/srcpkgs/jhead/template +++ b/srcpkgs/jhead/template @@ -1,7 +1,7 @@ # Template file for 'jhead' pkgname=jhead version=3.00 -revision=3 +revision=4 build_style=gnu-makefile short_desc="Display and manipulate EXIF header of JPEG images" maintainer="Oliver Kiddle "