Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

exiv2: fix security issues #122511

Closed
wants to merge 1 commit into from
Closed

exiv2: fix security issues #122511

wants to merge 1 commit into from

Conversation

mweinelt
Copy link
Member

@mweinelt mweinelt commented May 11, 2021
edited

Motivation for this change

Fixes two out of bounds reads, one input validation issue and one heap
buffer overflow.

Fixes: CVE-2021-3482, CVE-2021-29458, CVE-2021-29457, CVE-2021-29470

https://nvd.nist.gov/vuln/detail/CVE-2021-29458
https://nvd.nist.gov/vuln/detail/CVE-2021-29470
https://nvd.nist.gov/vuln/detail/CVE-2021-3482
https://nvd.nist.gov/vuln/detail/CVE-2021-29457

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@mweinelt
exiv2: fix security issues
81a83e7 
Fixes two out of bounds reads, one input validation issue and one heap
buffer overflow.

Fixes: CVE-2021-3482, CVE-2021-29458, CVE-2021-29457, CVE-2021-29470
@mweinelt
Copy link
Member Author

mweinelt commented May 11, 2021
edited

Tests are failing, so something is wrong. I rebased the last patch on top of v0.27.3 and I'm pretty confident I didn't screw that up.

An alternative could be updating to 0.27.4-rc2 + Exiv2/exiv2#1581.

---- Running python_tests ----

bash -c  . functions.source ; cd ../tests ; if [ ! -z y ]; then verbose=--verbose ;fi ; python3 runner.py
....................................s...........FF....s............ss............s................F....................s...................................................s..........
======================================================================
FAIL: test_run (bugfixes.github.test_issue_1522.issue_1522_exif_asan)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/build/source/tests/system_tests.py", line 653, in test_run
    self.compare_stderr(i, command, processed_stderr, stderr)
  File "/build/source/tests/system_tests.py", line 774, in compare_stderr
    self._compare_output(
  File "/build/source/tests/system_tests.py", line 746, in _compare_output
    self.assertMultiLineEqual(
AssertionError: '/build/source/test/data/poc_1522.jp2: Fai[18 chars]le\n' != 'Warning: Failed to decode Exif metadata.\[67 chars]le\n'
+ Warning: Failed to decode Exif metadata.
- /build/source/test/data/poc_1522.jp2: Failed to open the file
?                                       ^  ----------
+ /build/source/test/data/poc_1522.jp2: No Exif data found in the file
?                                       ^^^^^^^^^ +++++++++
 : Standard error does not match

======================================================================
FAIL: test_run (bugfixes.github.test_issue_1530.CrwEncode0x1810IntegerOverflow)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/build/source/tests/system_tests.py", line 653, in test_run
    self.compare_stderr(i, command, processed_stderr, stderr)
  File "/build/source/tests/system_tests.py", line 774, in compare_stderr
    self._compare_output(
  File "/build/source/tests/system_tests.py", line 746, in _compare_output
    self.assertMultiLineEqual(
AssertionError: '/bui[35 chars]crw: Failed to open the file\n/build/source/te[49 chars]le\n' != '/bui[35 chars]crw: Could not write metadata to file: corrupt[15 chars]ta\n'
+ /build/source/test/data/issue_1530_poc.crw: Could not write metadata to file: corrupted image metadata
- /build/source/test/data/issue_1530_poc.crw: Failed to open the file
- /build/source/test/data/issue_1530_poc.exv: Failed to open the file
 : Standard error does not match

======================================================================
FAIL: test_run (bugfixes.github.test_issue_ghsa_8949_hhfh_j7rj.Jp2ImageEncodeJp2HeaderOutOfBoundsRead)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/build/source/tests/system_tests.py", line 653, in test_run
    self.compare_stderr(i, command, processed_stderr, stderr)
  File "/build/source/tests/system_tests.py", line 774, in compare_stderr
    self._compare_output(
  File "/build/source/tests/system_tests.py", line 746, in _compare_output
    self.assertMultiLineEqual(
AssertionError: '/build/source/test/data/issue_ghsa_8949_h[39 chars]le\n' != 'Error: XMP Toolkit error 201: XML parsing[166 chars]ta\n'
- /build/source/test/data/issue_ghsa_8949_hhfh_j7rj_poc.jp2: Failed to open the file
+ Error: XMP Toolkit error 201: XML parsing failure
+ Warning: Failed to decode XMP metadata.
+ /build/source/test/data/issue_ghsa_8949_hhfh_j7rj_poc.jp2: Could not write metadata to file: corrupted image metadata
 : Standard error does not match

----------------------------------------------------------------------
Ran 182 tests in 4.200s

FAILED (failures=3, skipped=7)

@mweinelt mweinelt added 1.severity: security 9.needs: port to stable A PR needs a backport to the stable release. labels May 11, 2021
ajs124
ajs124 reviewed Jun 3, 2021
View reviewed changes
pkgs/development/libraries/exiv2/CVE-2021-29470_2.patch
new file mode 100644
index 00000000..43699f20
--- /dev/null
+++ b/src/jp2image.cpp.rej
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably shouldn't be here, should it?

@ajs124
Copy link
Member

ajs124 commented Jun 3, 2021
edited

0.27.4 was scheduled to be released 2 weeks ago, not sure what happened to that. RC3 compiles and passes their test suite, for me.

Edit: "Exiv2 v0.27.4 GM is likely to ship on 2021-06-15.
The scheduled GM date was 2021-05-22. The schedule slipped because Security Researchers submitted CVEs during the RC2 review period." apparently happened: https://github.com/Exiv2/exiv2/releases/tag/v0.27.4-RC3

@risicle risicle mentioned this pull request Jun 12, 2021
Closed
8 tasks
@ckauhaus
Copy link
Contributor

https://github.com/Exiv2/exiv2/releases/tag/v0.27.4 is out now.

@mweinelt
Copy link
Member Author

I don't have the capacity to handle this at the moment and would be happy if someone could take this pull request over.

@sikmir
Copy link
Member

sikmir commented Jun 29, 2021

Fixed in #127172.

@ckauhaus
Copy link
Contributor

I think we can safely close this one.

@ckauhaus ckauhaus closed this Jun 30, 2021
@TredwellGit TredwellGit removed the 9.needs: port to stable A PR needs a backport to the stable release. label Aug 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajs124 ajs124 ajs124 left review comments

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mweinelt @ajs124 @ckauhaus @sikmir @TredwellGit