Package: exiv2 / 0.25-3.1+deb9u1

Metadata

Package: exiv2
Version: 0.25-3.1+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
libtool_update.diff

config/aclocal.m4 | 12 9 + 3 - 0 !
configure | 12 9 + 3 - 0 !
2 files changed, 18 insertions(+), 6 deletions(-)

---
upstream fix casio crash

src/makernote.cpp | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

---
CVE 2017 9239.patch

src/tiffcomposite.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] #1296 fix submitted.


CVE 2018 10958_10999_1_of_2.patch

src/error.cpp | 3 2 + 1 - 0 !
src/pngchunk.cpp | 4 4 + 0 - 0 !
2 files changed, 6 insertions(+), 1 deletion(-)

 [patch] analyze minimum needed number of null separators in
 PngChunk::parseTXTChunk

This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk.

According to the specification:
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html

There must be 2 null separators when we start to analyze the language tag.

(cherry picked from commit 2fb00c8a16ce93756cddd70536e361a49369ba88)
[rcs: Backported to stretch]

CVE 2018 10958_10999_2_of_2.patch

src/pngchunk.cpp | 20 15 + 5 - 0 !
1 file changed, 15 insertions(+), 5 deletions(-)

 [patch] check validity of compressionflag & compressionmethod

(cherry picked from commit 3ad0050469e6ea63b4081f2a88c264ce8ab55c51)
[rcs: Backported to stretch]

CVE 2018 10998.patch

src/exiv2.cpp | 48 27 + 21 - 0 !
1 file changed, 27 insertions(+), 21 deletions(-)

 [patch] catch all exceptions not caught in exiv2 cli-tool

It effectively looks the same as before, only now we don't call abort() but
instead clean up everything gracefully.

(cherry picked from commit f4e8ed2fd48d012467b99552f0d6378302a23c75)
[rcs: Backported to stretch]

CVE 2018 11531_1_of_3.patch

src/preview.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] prevent call to memcpy with size==0

(cherry picked from commit ed874703ad553338f973d537b8159d0eb4375cc4)
[rcs: Backported to stretch]

CVE 2018 11531_2_of_3.patch

src/preview.cpp | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] use index to access buf.pdata_

(cherry picked from commit 863aaebc92ff0b0ee3d302b7b5291002c043bc7b)
[rcs: Backported to stretch]

CVE 2018 11531_3_of_3.patch

src/preview.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] throw when trying to write out of the buffer

(cherry picked from commit 67a5a741153c876a6f1c189abb874721d1725c48)
[rcs: Backported to stretch]

CVE 2018 12265_prereq.patch

src/safe_op.hpp | 307 307 + 0 - 0 !
1 file changed, 307 insertions(+)

---
CVE 2018 12265.patch

src/preview.cpp | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch] add offset_ and size_ safely in
 LoaderExifJpeg::LoaderExifJpeg

offset_ can become arbitrarily large and overflows once it's added to size_,
this causes all kinds of problems further in the code when offset_ is used
again.
=> Use Safe::add() to catch potential overflows
This fixes #365.

(cherry picked from commit 937a1a2bd067b8b3b787f3757089d972f3a39853)
[rcs: Backported to stretch]

CVE 2018 12264.patch

src/preview.cpp | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] fix addition overflows in range checks in loadertiff::getdata

Several checks for extracted values performed no overflow checks on the
addition. They can be tricked into passing, albeit the individual summands are
too large.
=> use Safe::add() which now aborts when an overflow occurs
This fixes #366

(cherry picked from commit fe70939f54476e99046245ca69ff27012401f759)
[rcs: Backported to stretch]