mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
exiv2: patch CVE-2021-29623
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29623 Pick the patch from the PR mentioned in teh nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,29 @@
|
|||||||
|
From 54ff4ef5f5cc82c276a079a66b307e9a6f70908c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kevin Backhouse <kevinbackhouse@github.com>
|
||||||
|
Date: Tue, 11 May 2021 12:14:33 +0100
|
||||||
|
Subject: [PATCH] Use readOrThrow to check error conditions of iIo.read().
|
||||||
|
|
||||||
|
CVE: CVE-2021-29623
|
||||||
|
Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/82e46b5524fb904e6660dadd2c6d8e5e47375a1a]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
src/webpimage.cpp | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
|
||||||
|
index 6248414..6578937 100644
|
||||||
|
--- a/src/webpimage.cpp
|
||||||
|
+++ b/src/webpimage.cpp
|
||||||
|
@@ -757,9 +757,9 @@ namespace Exiv2 {
|
||||||
|
byte webp[len];
|
||||||
|
byte data[len];
|
||||||
|
byte riff[len];
|
||||||
|
- iIo.read(riff, len);
|
||||||
|
- iIo.read(data, len);
|
||||||
|
- iIo.read(webp, len);
|
||||||
|
+ readOrThrow(iIo, riff, len, Exiv2::kerCorruptedMetadata);
|
||||||
|
+ readOrThrow(iIo, data, len, Exiv2::kerCorruptedMetadata);
|
||||||
|
+ readOrThrow(iIo, webp, len, Exiv2::kerCorruptedMetadata);
|
||||||
|
bool matched_riff = (memcmp(riff, RiffImageId, len) == 0);
|
||||||
|
bool matched_webp = (memcmp(webp, WebPImageId, len) == 0);
|
||||||
|
iIo.seek(-12, BasicIo::cur);
|
||||||
@@ -4,19 +4,21 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
|
|||||||
|
|
||||||
DEPENDS = "zlib expat"
|
DEPENDS = "zlib expat"
|
||||||
|
|
||||||
SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source.tar.gz"
|
SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source.tar.gz \
|
||||||
|
file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
||||||
|
file://CVE-2021-29457.patch \
|
||||||
|
file://CVE-2021-29458.patch \
|
||||||
|
file://CVE-2021-29463.patch \
|
||||||
|
file://CVE-2021-29464.patch \
|
||||||
|
file://CVE-2021-29470.patch \
|
||||||
|
file://CVE-2021-29473.patch \
|
||||||
|
file://CVE-2021-3482.patch \
|
||||||
|
file://CVE-2021-29623.patch \
|
||||||
|
"
|
||||||
SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
|
SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
|
||||||
|
|
||||||
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
|
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
|
||||||
inherit dos2unix
|
inherit dos2unix
|
||||||
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
|
||||||
file://CVE-2021-29457.patch \
|
|
||||||
file://CVE-2021-29458.patch \
|
|
||||||
file://CVE-2021-29463.patch \
|
|
||||||
file://CVE-2021-29464.patch \
|
|
||||||
file://CVE-2021-29470.patch \
|
|
||||||
file://CVE-2021-29473.patch \
|
|
||||||
file://CVE-2021-3482.patch"
|
|
||||||
|
|
||||||
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user