From 2b059e7583812b6e0aeb4eacb39bc25a0cfd94e3 Mon Sep 17 00:00:00 2001 From: "Danilo G. Baio" Date: Sat, 15 Feb 2020 16:28:41 +0000 Subject: MFH: r526071 graphics/libexif: Fix security vulnerabilities - Fix CVE-2019-9278 In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. - Fix a buffer read overflow in exif_entry_get_value - Fix a buffer overread in exif_mnote_data_olympus_load PR: 244060 Reported by: tj@mrsk.me (email) Approved by: former maintainer Security: 00f30cba-4d23-11ea-86ba-641c67a117d8 Approved by: ports-secteam (blanket, backport of security fixes) --- graphics/libexif/files/patch-chromium-8884 | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 graphics/libexif/files/patch-chromium-8884 (limited to 'graphics/libexif/files/patch-chromium-8884') diff --git a/graphics/libexif/files/patch-chromium-8884 b/graphics/libexif/files/patch-chromium-8884 new file mode 100644 index 000000000000..55673b941971 --- /dev/null +++ b/graphics/libexif/files/patch-chromium-8884 
@@ -0,0 +1,24 @@ +https://github.com/libexif/libexif/commit/a0c04d9cb6ab0c41a6458def9f892754e84160a0.patch +From a0c04d9cb6ab0c41a6458def9f892754e84160a0 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Sat, 15 Jun 2019 18:40:48 +0200 +Subject: [PATCH] fixed a buffer overread (OSS-Fuzz) + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8884 + +--- + libexif/olympus/exif-mnote-data-olympus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git libexif/olympus/exif-mnote-data-olympus.c libexif/olympus/exif-mnote-data-olympus.c +index dac7f5b..669e4ec 100644 +--- libexif/olympus/exif-mnote-data-olympus.c ++++ libexif/olympus/exif-mnote-data-olympus.c +@@ -344,7 +344,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, + + case nikonV2: + o2 += 6; +- if (o2 >= buf_size) return; ++ if (o2 + 8 >= buf_size) return; + exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus", + "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, " + "%02x, %02x, %02x, %02x, %02x)...", -- cgit v1.2.3
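Review bot: In the `nikonV2` case the new bound `if (o2 + 8 >= buf_size) return;` is computed by addition, so it can wrap if `o2` is close to the maximum of its type, and the type of `o2` is not visible in this hunk. Writing the comparison by subtraction avoids that whatever the type is, for example `if (buf_size < 8 || o2 >= buf_size - 8) return;`, which rejects the same inputs when no wrap occurs. The literal 8 also deserves a short comment: the only visible justification is the eight `%02x` arguments in the `exif_log` call that follows, and a reader cannot tell from these lines whether `>=` (which also rejects a buffer with exactly eight bytes left after `o2`) is deliberate because later code reads further, or is simply one byte stricter than the log call needs.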