libexif+32: #2095

extra-optenv32/libexif+32/autobuild/patches/cve-2016-6328.patch

@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of the input file (CVE-2016-6328)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
++++ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		case EXIF_FORMAT_SHORT:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 2)
++					break;
+ 				vs = exif_get_short (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%i ", vs);
+ 				len = strlen(val);
+ 				data += 2;
++				sizeleft -= 2;
+ 			}
+ 		  }
+ 		  break;
+ 		case EXIF_FORMAT_LONG:
+ 		  {
+ 			const unsigned char *data = entry->data;
+-		  	size_t k, len = strlen(val);
++		  	size_t k, len = strlen(val), sizeleft;
++
++			sizeleft = entry->size;
+ 		  	for(k=0; k<entry->components; k++) {
++				if (sizeleft < 4)
++					break;
+ 				vl = exif_get_long (data, entry->order);
+ 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
+ 				len = strlen(val);
+ 				data += 4;
++				sizeleft -= 4;
+ 			}
+ 		  }
+ 		  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePenta
+ 		break;
+ 	}
+
+-	return (val);
++	return val;
+ }

extra-optenv32/libexif+32/autobuild/patches/cve-2017-7544.patch

@@ -0,0 +1,22 @@
+Description: Fixes an out-of-bounds heap read in the exif_data_save_data_entry function (CVE-2017-7544)
+Author: Marcus Meissner <marcus@jet.franken.de>
+Bug-Debian: http://bugs.debian.org/876466
+Last-Update: 2017-07-04
+
+Index: libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.21.orig/libexif/exif-data.c
++++ libexif-0.6.21/libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+

extra-optenv32/libexif+32/autobuild/patches/cve-2019-9278.patch

@@ -0,0 +1,61 @@
+Description: Avoid 32-bit overflows on offset+size calculations
+Author: Ray Essick <essick@google.com>
+Bug-Debian: https://bugs.debian.org/945948
+Last-Update: 2020-02-08
+
+libexif-0.6.21/libexif/exif-data.c
+===================================================================
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+
++#include <inttypes.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -191,9 +192,12 @@
+ 		doff = offset + 8;
+
+ 	/* Sanity checks */
+-	if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++	int64_t doff64 = doff;
++	int64_t s64 = s;
++	if (doff64 + s64 > (int64_t) size) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-				  "Tag data past end of buffer (%u > %u)", doff+s, size);	
++				  "Tag data past end of buffer (%" PRId64 " > %u)",
++				  doff64+s64, size);
+ 		return 0;
+ 	}
+
+@@ -904,7 +908,7 @@
+ 		  "IFD 0 at %i.", (int) offset);
+
+ 	/* Sanity check the offset, being careful about overflow */
+-	if (offset > ds || offset + 6 + 2 > ds)
++	if (offset > ds || (uint64_t)offset + 6 + 2 > ds)
+ 		return;
+
+ 	/* Parse the actual exif data (usually offset 14 from start) */
+@@ -912,7 +916,7 @@
+
+ 	/* IFD 1 offset */
+ 	n = exif_get_short (d + 6 + offset, data->priv->order);
+-	if (offset + 6 + 2 + 12 * n + 4 > ds)
++	if ((uint64_t)offset + 6 + 2 + 12 * n + 4 > ds)
+ 		return;
+
+ 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
+@@ -921,7 +925,7 @@
+ 			  "IFD 1 at %i.", (int) offset);
+
+ 		/* Sanity check. */
+-		if (offset > ds || offset + 6 > ds) {
++		if (offset > ds || (uint64_t)offset + 6 > ds) {
+ 			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifData", "Bogus offset of IFD1.");
+ 		} else {
+

extra-optenv32/libexif+32/autobuild/patches/series

@@ -1,2 +1,5 @@
 pkg_config_header_dir
 extra_colorspace_check
+cve-2016-6328.patch
+cve-2017-7544.patch
+cve-2019-9278.patch

extra-optenv32/libexif+32/spec

@@ -1,4 +1,4 @@
 VER=0.6.21
+REL=5
 SRCTBL="http://downloads.sourceforge.net/libexif/libexif-$VER.tar.bz2"
 CHKSUM="sha256::16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"
-REL=1