Backport security fixes from 0.26

[dirkmueller]

No description provided.

[D4N]

Hi, thanks for cherry-picking the commits! I'll take a look at it later today or tomorrow.

Have you tried building exiv2 and the reproducers for the vulnerabilities?

[dirkmueller]

I did try building, but I haven't tried the reproducers (it wasn't entirely obvious to me which reproducers apply where). I'll give this some further try later.

[D4N]

The reproducers are in located in test/data/ and should have been added by #120 to the 0.26 branch. They are called 00* and POC*.

Ideally the testsuite (run it via make test in the test directory) should be clean, but that involves updating a huge binary file which I have failed to yet. However, if exiv2 does not crash with ASAN enabled, it should be fine.

[dirkmueller]

here's what I did:

cmake .. -DCMAKE_CXX_FLAGS="-O2 -fsanitize=address"
for i in /tmp/data/*; do bin/exiv2 $i 2>&1 | grep -a -i asan && echo $i; done
/tmp/data/exiv2-bug1080.jpg

none of the data/00* or data/POC* files trigger. there seems to be a missing fix for bug1080.

[dirkmueller]

so I added the fix for that one as well, now the above loop for a copy of the data dir from master is clean.

[D4N]

Thanks a lot, I'll see what I can do about the test suite.

[D4N]

Please also cherry pick the following commits: 73a4cdb, 0f3e646, c90991c, 751312f, fd3711f and 1b01704

You'll get an error on every single one of these for the file test/data/bugfixes-test.out. Don't bother with merging it, just take the version from 0.25 (and not from the commits you cherry pick). I'll then send you an updated version, so that the testsuite runs without issues.

[dirkmueller]

I'll get to this in the week after next week.

[D4N]

Thanks for your work!

[clanmills]

Thank you for doing this work. Lots of great team work here. Thank You all very much.