jhead: fix CVE-2018-16554 CVE-2018-17088 CVE-2018-6612

2018-10-03 12:40:21 -03:00 · 2018-10-03 12:40:21 -03:00 · 72e31d63a7
commit 72e31d63a7
parent da5b8933f2
4 changed files with 71 additions and 1 deletions
--- a/srcpkgs/jhead/patches/CVE-2018-16554.patch
+++ b/srcpkgs/jhead/patches/CVE-2018-16554.patch
@ -0,0 +1,20 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat Sep  8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- gpsinfo.c
+++ gpsinfo.c
+@@ -162,7 +162,8 @@
+                 break;
+ 
+             case TAG_GPS_ALT:
+-                sprintf(ImageInfo.GpsAlt + 1, "%.2fm", 
+                snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
+                    "%.2fm",
+                     ConvertAnyFormat(ValuePtr, Format));
+                 break;
+         }
+
--- a/srcpkgs/jhead/patches/CVE-2018-17088.patch
+++ b/srcpkgs/jhead/patches/CVE-2018-17088.patch
@ -0,0 +1,27 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Wed Sep  5 15:32:00 CEST 2018
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/907925
+Description: Fix CVE-2018-17088
+
+--- gpsinfo.c
+++ gpsinfo.c
+@@ -4,6 +4,7 @@
+ // Matthias Wandel,  Dec 1999 - Dec 2002 
+ //--------------------------------------------------------------------------
+ #include "jhead.h"
+#include <stdint.h>
+ 
+ #define MAX_GPS_TAG 0x1e
+ 
+@@ -101,7 +102,7 @@
+             unsigned OffsetVal;
+             OffsetVal = Get32u(DirEntry+8);
+             // If its bigger than 4 bytes, the dir entry contains an offset.
+-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+                 // Bogus pointer offset and / or bytecount value
+                 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
+                 continue;
+
--- a/srcpkgs/jhead/patches/CVE-2018-6612.patch
+++ b/srcpkgs/jhead/patches/CVE-2018-6612.patch
@ -0,0 +1,23 @@
+From: Ludovic Rousseau <rousseau@debian.org>
+Date: Sat, 3 Feb 2018 10:23:09 +0100
+Subject: Fix heap buffer overflow
+
+Bug-Debian: http://bugs.debian.org/889272
+
+---
+ exif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/exif.c b/exif.c
+index bcde6c8..1dee145 100644
+--- exif.c
+++ exif.c
+@@ -1020,7 +1020,7 @@ void process_EXIF (unsigned char * ExifSection, unsigned int length)
+ 
+     FirstOffset = Get32u(ExifSection+12);
+     if (FirstOffset < 8 || FirstOffset > 16){
+-        if (FirstOffset < 16 || FirstOffset > length-16){
+        if (FirstOffset < 16 || length < 16 || FirstOffset > length-16){
+             ErrNonfatal("invalid offset for first Exif IFD value",0,0);
+             return;
+         }
--- a/srcpkgs/jhead/template
+++ b/srcpkgs/jhead/template
@ -1,7 +1,7 @@
 # Template file for 'jhead'
 pkgname=jhead
 version=3.00
-revision=3
+revision=4
 build_style=gnu-makefile
 short_desc="Display and manipulate EXIF header of JPEG images"
 maintainer="Oliver Kiddle <okiddle@yahoo.co.uk>"