Backport security fixes from 0.26 #123
Conversation
(cherry picked from commit d4e7510)
(cherry picked from commit c037d73)
Source: Exiv2#57 (comment) tc can be a null pointer when the TIFF tag is unknown (the factory then returns an auto_ptr(0)) => as this can happen for corrupted files, an explicit check should be used because an assertion can be turned off in release mode (with NDEBUG defined) This also fixes Exiv2#57 (cherry picked from commit 1f1715c)
(cherry picked from commit a2f25c9)
(cherry picked from commit da67c16)
The invalid memory dereference in Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() is caused further up the call-stack, by v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() passing an invalid pData pointer (pData points outside of the Tiff file). pData can be set out of bounds in the (size > 4) branch where baseOffset() and offset are added to pData_ without checking whether the result is still in the file. As offset comes from an untrusted source, an attacker can craft an arbitrarily large offset into the file. This commit adds a check into the problematic branch, whether the result of the addition would be out of bounds of the Tiff file. Furthermore the whole operation is checked for possible overflows. (cherry picked from commit d4e4288)
(cherry picked from commit c2c9fab)
v can be null if the typeId is invalid => throw an exception notifying the user that his file is corrupted instead of the assertion (cherry picked from commit 1841c2a)
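The two kinds of check the commit messages above describe (reject an unknown type id with an exception instead of an assertion that NDEBUG would remove, and verify that baseOffset + offset and the following `size` bytes lie inside the TIFF buffer before the pointer is formed) as an added, self-contained example in the project's language. This is not Exiv2's code: the names `CorruptTiff`, `entryValueSize`, `checkedEntryData`, `parseIfdEntry` and `entryReadable`, and the 64-byte constructed buffer, are assumptions made here for illustration; Exiv2 throws its own `Exiv2::Error` and the real reader works on its own `TiffEntry` objects.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

// Stand-in for the error a reader raises on corrupt input (assumption: the
// real project throws Exiv2::Error with its own error code).
struct CorruptTiff : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Byte width of one element of a TIFF 6.0 field type (ids 1..12).
// An unknown id yields 0 so the caller can throw instead of asserting.
size_t tiffTypeSize(uint16_t type) {
    switch (type) {
        case 1: case 2: case 6: case 7: return 1;  // BYTE, ASCII, SBYTE, UNDEFINED
        case 3: case 8:                 return 2;  // SHORT, SSHORT
        case 4: case 9: case 11:        return 4;  // LONG, SLONG, FLOAT
        case 5: case 10: case 12:       return 8;  // RATIONAL, SRATIONAL, DOUBLE
        default:                        return 0;  // invalid type id
    }
}

// Total byte size of an entry's value; the unknown-type case is an exception,
// never an assert, and count * elem is guarded against wrap-around.
size_t entryValueSize(uint16_t type, uint32_t count) {
    size_t elem = tiffTypeSize(type);
    if (elem == 0) throw CorruptTiff("unknown TIFF type id");
    if (count > SIZE_MAX / elem) throw CorruptTiff("count * typeSize overflows");
    return elem * count;
}

// Value bytes for an entry larger than the 4 inline bytes: they live at
// file + baseOffset + offset. Both the start and the range [start, start+size)
// are checked against fileSize before any pointer arithmetic happens; the sum
// is done in 64 bits so two 32-bit offsets cannot wrap, and the size check is
// written as size > fileSize - start so that it cannot overflow either.
const uint8_t* checkedEntryData(const uint8_t* file, size_t fileSize,
                                uint32_t baseOffset, uint32_t offset, size_t size) {
    uint64_t start = static_cast<uint64_t>(baseOffset) + offset;
    if (start > fileSize) throw CorruptTiff("entry offset points outside the file");
    if (size > fileSize - start) throw CorruptTiff("entry data runs past end of file");
    return file + start;
}

struct IfdEntry { uint16_t tag; uint16_t type; uint32_t count; uint32_t valueOrOffset; };

uint16_t getU16LE(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
uint32_t getU32LE(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Parse one 12-byte little-endian IFD entry at `pos`; the entry itself must fit in the file.
IfdEntry parseIfdEntry(const uint8_t* file, size_t fileSize, size_t pos) {
    if (pos > fileSize || fileSize - pos < 12) throw CorruptTiff("IFD entry outside file");
    const uint8_t* e = file + pos;
    return IfdEntry{getU16LE(e), getU16LE(e + 2), getU32LE(e + 4), getU32LE(e + 8)};
}

// Constructed 64-byte buffer (not a real TIFF) holding one IFD entry at byte 8 with
// tag 0x0110 and the given type, count and offset. Returns true when the entry's
// value can be located safely and false when one of the checks rejects it.
bool entryReadable(uint32_t offset, uint32_t count, uint16_t type) {
    std::vector<uint8_t> file(64, 0);
    uint8_t* e = file.data() + 8;
    e[0] = 0x10; e[1] = 0x01;                         // tag, little-endian
    e[2] = uint8_t(type); e[3] = uint8_t(type >> 8);  // type id
    for (int i = 0; i < 4; ++i) {
        e[4 + i] = uint8_t(count >> (8 * i));         // count
        e[8 + i] = uint8_t(offset >> (8 * i));        // value or offset field
    }
    try {
        IfdEntry entry = parseIfdEntry(file.data(), file.size(), 8);
        size_t size = entryValueSize(entry.type, entry.count);
        if (size > 4)  // the branch the fix targets; values of <= 4 bytes are inline
            checkedEntryData(file.data(), file.size(), 0, entry.valueOrOffset, size);
        return true;
    } catch (const CorruptTiff& err) {
        std::cerr << "rejected: " << err.what() << '\n';
        return false;
    }
}

int main() {
    std::cout << entryReadable(20, 16, 2) << ' '          // in bounds
              << entryReadable(60, 16, 2) << ' '          // runs past the end
              << entryReadable(0xFFFFFFF0u, 16, 2) << ' ' // huge attacker offset
              << entryReadable(20, 16, 99) << '\n';       // unknown type id
}
```

The size check is deliberately phrased as `size > fileSize - start` after `start > fileSize` has been ruled out, so no intermediate sum can wrap; a check written as `start + size > fileSize` would itself be vulnerable to the overflow the commit message warns about.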
Hi, thanks for cherry-picking the commits! I'll take a look at it later today or tomorrow. Have you tried building exiv2 and the reproducers for the vulnerabilities?
I did try building, but I haven't tried the reproducers (it wasn't entirely obvious to me which reproducers apply where). I'll give this some further try later.
The reproducers are located in Ideally the test suite (run it via
Here's what I did:
None of the data/00* or data/POC* files trigger. There seems to be a missing fix for bug1080.
(cherry picked from commit 54ac67d)
So I added the fix for that one as well; now the above loop for a copy of the data dir from master is clean.
Thanks a lot, I'll see what I can do about the test suite.
Please also cherry pick the following commits: 73a4cdb, 0f3e646, c90991c, 751312f, fd3711f and 1b01704 You'll get an error on every single one of these for the file
I'll get to this in the week after next week.
Thanks for your work!
Thank you for doing this work. Lots of great team work here. Thank you all very much.