Control: tags -1 + pending

Dear exiv2 maintainers,

To guarantee we have the fix as well in the upper suite (as the exiv2/0.27.3-3+deb11u1 contains those CVE fixes) I have uploaded the attached "rebuild" to unstable (in DELAYED/2 queue). Let me know if you are not fine with it, or if we can even speed up the upload.

Regards,
Salvatore
diff -Nru exiv2-0.27.3/debian/changelog exiv2-0.27.3/debian/changelog --- exiv2-0.27.3/debian/changelog 2020-08-09 07:15:23.000000000 +0200 +++ exiv2-0.27.3/debian/changelog 2021-10-04 20:56:31.000000000 +0200 @@ -1,3 +1,19 @@ +exiv2 (0.27.3-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Upload changes from 0.27.3-3+deb11u1 to unstable to make sure the version + in unstable is higher than the bullseye-security upload and including the + needed CVE fixes. + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 04 Oct 2021 20:56:31 +0200 + +exiv2 (0.27.3-3+deb11u1) bullseye-security; urgency=medium + + * CVE-2021-31291 (Closes: #991705) + * CVE-2021-31292 (Closes: #991706) + + -- Moritz Muehlenhoff <j...@debian.org> Fri, 06 Aug 2021 10:57:42 +0200 + exiv2 (0.27.3-3) unstable; urgency=medium * Team upload. diff -Nru exiv2-0.27.3/debian/patches/CVE-2021-31291.patch exiv2-0.27.3/debian/patches/CVE-2021-31291.patch --- exiv2-0.27.3/debian/patches/CVE-2021-31291.patch 1970-01-01 01:00:00.000000000 +0100 +++ exiv2-0.27.3/debian/patches/CVE-2021-31291.patch 2021-08-06 10:55:50.000000000 +0200 
@@ -0,0 +1,20 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera <pyd...@mailbox.org> +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- exiv2-0.27.3.orig/src/jp2image.cpp ++++ exiv2-0.27.3/src/jp2image.cpp +@@ -773,9 +773,10 @@ static void boxes_check(size_t b,size_t + #endif + box.length = (uint32_t) (io_->size() - io_->tell() + 8); + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff -Nru exiv2-0.27.3/debian/patches/CVE-2021-31292.patch exiv2-0.27.3/debian/patches/CVE-2021-31292.patch --- exiv2-0.27.3/debian/patches/CVE-2021-31292.patch 1970-01-01 01:00:00.000000000 +0100 +++ exiv2-0.27.3/debian/patches/CVE-2021-31292.patch 2021-08-06 10:57:26.000000000 +0200 @@ -0,0 +1,20 @@ +From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackho...@github.com> +Date: Fri, 9 Apr 2021 13:37:48 +0100 +Subject: [PATCH] Fix integer overflow. + +--- exiv2-0.27.3.orig/src/crwimage_int.cpp ++++ exiv2-0.27.3/src/crwimage_int.cpp +@@ -1167,7 +1167,11 @@ namespace Exiv2 { + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { + uint32_t size = 28; +- if (cc && cc->size() > size) size = cc->size(); ++ if (cc) { ++ if (cc->size() < size) ++ throw Error(kerCorruptedMetadata); ++ size = cc->size(); ++ } + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); + if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); diff -Nru exiv2-0.27.3/debian/patches/series exiv2-0.27.3/debian/patches/series --- exiv2-0.27.3/debian/patches/series 2020-08-09 00:46:29.000000000 +0200 +++ exiv2-0.27.3/debian/patches/series 2021-08-06 10:57:16.000000000 +0200 
@@ -1,3 +1,5 @@ xmpsdk-integer-typedef-x64.patch fix-man-page-table-formatting.patch fcf-protection-only-on-x86.diff +CVE-2021-31291.patch +CVE-2021-31292.patch
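Review bot: In CVE-2021-31291.patch (src/jp2image.cpp), the new test "box.length < 8" also throws for box.length == 1, which the removed FIXME described as a special case whose real box size is given in another place, so the new comment "box is broken" is not accurate for that value. Suggest the comment say that a length of 1 is deliberately rejected as unsupported, and that 8 is the minimum the "Box header + Box data" read below relies on. Separately, the context line above the check assigns (uint32_t) (io_->size() - io_->tell() + 8), a narrowing cast, and the visible lines show no upper bound on box.length against the remaining input before the whole box is read; that is worth confirming in the surrounding code.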
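Review bot: In CVE-2021-31292.patch (src/crwimage_int.cpp), the throw is keyed to the literal 28 held in size, while the subtraction being protected is cc->size() - 8 on the memcpy line, which only needs cc->size() >= 8; nothing in the hunk explains why 28 is the minimum. Suggest a named constant or a one-line comment stating where 28 comes from. This also changes behaviour for a cc of 8 to 27 bytes: before, such input produced a zero-filled 28-byte buffer with the shorter data copied in, and now it raises kerCorruptedMetadata, which the patch description should mention. The subject line says "integer overflow" where the visible defect is the subtraction going below zero for a cc shorter than 8 bytes, so the description could name that expression directly.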