[Pkg-phototools-devel] Bug#1018814: exif: update for null ptr fixes

Aron Xu aron at debian.org
Wed Aug 31 08:46:32 BST 2022


Package: exif
Severity: wishlist

I have prepared an update for the exif package to address two null pointer issues.
The changes have been submitted as an MR on salsa; also see the debdiff in the
attachment.

Regards,
Aron Xu
-------------- next part --------------
diff -Nru exif-0.6.22/debian/changelog exif-0.6.22/debian/changelog
--- exif-0.6.22/debian/changelog	2020-07-09 10:58:17.000000000 +0000
+++ exif-0.6.22/debian/changelog	2022-08-31 07:35:27.000000000 +0000
@@ -1,3 +1,11 @@
+exif (0.6.22-3) unstable; urgency=medium
+
+  * Add patch for NULL Pointer Deference when printing out XML formatted
+    EXIF data (CVE-2021-27815)
+  * Add patch for NullPointer in strncpy() in Action.c
+
+ -- Aron Xu <aron at debian.org>  Wed, 31 Aug 2022 07:35:27 +0000
+
 exif (0.6.22-2) unstable; urgency=medium
 
   * Add upstream patch to fix test failures on big endian systems
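Review bot: The two new changelog bullets have wording errors and are missing references. "NULL Pointer Deference" should read "Dereference", and "Action.c" does not match the file the patches in this debdiff modify, which is exif/actions.c. The second bullet, unlike the first, carries no identifier; citing the upstream issue named in patch 0003 (https://github.com/libexif/exif/issues/5) would make it traceable. Neither bullet closes this report, so consider adding "(Closes: #1018814)" to the entry.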
diff -Nru exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
--- exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch	1970-01-01 00:00:00.000000000 +0000
+++ exif-0.6.22/debian/patches/0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch	2022-08-31 07:26:54.000000000 +0000
@@ -0,0 +1,27 @@
+From f6334d9d32437ef13dc902f0a88a2be0063d9d1c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus at jet.franken.de>
+Date: Thu, 25 Feb 2021 08:31:53 +0100
+Subject: [PATCH 01/25] added empty strign check, which would lead to NULL ptr
+ deref/crash in exif XML display. fixes
+ https://github.com/libexif/exif/issues/4
+
+---
+ exif/actions.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index ed245df..123c064 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -661,6 +661,8 @@ escape_xml(const char *text)
+ 	char *out;
+ 	size_t len;
+ 
++	if (!strlen(text)) return "empty string";
++
+ 	for (out=escaped, len=0; *text; ++len, ++out, ++text) {
+ 		/* Make sure there's plenty of room for a quoted character */
+ 		if ((len + 8) > escaped_size) {
+-- 
+2.30.2
+
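Review bot: The new guard in escape_xml(), "if (!strlen(text))", still dereferences text, so it covers the empty-string case but not a NULL argument. If a caller can ever pass NULL, that call is itself the crash; "if (!text || !*text)" would cover both cases and avoids walking the whole string just to test for emptiness. Separately, the literal returned here, "empty string", would end up in the XML output in place of an empty value, which is only corrected by the next patch in the series.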
diff -Nru exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch
--- exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch	1970-01-01 00:00:00.000000000 +0000
+++ exif-0.6.22/debian/patches/0002-actually-return-empty-stringand-not-em-pty-string-as.patch	2022-08-31 07:27:02.000000000 +0000
@@ -0,0 +1,26 @@
+From eb84b0e3c5f2a86013b6fcfb800d187896a648fa Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus at jet.franken.de>
+Date: Thu, 25 Feb 2021 09:45:36 +0100
+Subject: [PATCH 02/25] actually return empty stringand not 'em,pty string' as
+ expected
+
+---
+ exif/actions.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index 123c064..4fade01 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -661,7 +661,7 @@ escape_xml(const char *text)
+ 	char *out;
+ 	size_t len;
+ 
+-	if (!strlen(text)) return "empty string";
++	if (!strlen(text)) return "";
+ 
+ 	for (out=escaped, len=0; *text; ++len, ++out, ++text) {
+ 		/* Make sure there's plenty of room for a quoted character */
+-- 
+2.30.2
+
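Review bot: On the empty-input path, 'return "";' hands the caller a pointer to a string literal, while the loop directly below builds its result in the escaped buffer, so the two paths return storage with different properties. The caller visible in this debdiff passes the result straight to fprintf with "%s", which is safe, but it is worth confirming that escape_xml() is declared to return a const-qualified pointer so that no other caller can write to or free the literal.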
diff -Nru exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch
--- exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch	1970-01-01 00:00:00.000000000 +0000
+++ exif-0.6.22/debian/patches/0003-avoid-NULL-ptr-crash.patch	2022-08-31 07:28:52.000000000 +0000
@@ -0,0 +1,31 @@
+From a702ad911f7c9824979a6534d87dfb1ec9928533 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus at jet.franken.de>
+Date: Wed, 18 Aug 2021 14:53:24 +0200
+Subject: [PATCH 20/25] avoid NULL ptr crash fixes
+ https://github.com/libexif/exif/issues/5
+
+---
+ exif/actions.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/exif/actions.c b/exif/actions.c
+index 4fade01..d7ab870 100644
+--- a/exif/actions.c
++++ b/exif/actions.c
+@@ -715,7 +715,12 @@ show_entry_xml (ExifEntry *e, void *data)
+ 		fprintf (stdout, "%s", escape_xml(exif_entry_get_value (e, v, sizeof (v))));
+ 		fprintf (stdout, "</x%04x>", e->tag);
+ 	} else {
+-		strncpy (t, exif_tag_get_title_in_ifd(e->tag, exif_entry_get_ifd(e)), sizeof (t));
++		const char *title = exif_tag_get_title_in_ifd(e->tag, exif_entry_get_ifd(e));
++		if (!title) {
++			/* might just be an unknown tag */
++			return;
++		}
++		strncpy (t, title, sizeof (t));
+ 		t[sizeof(t)-1] = 0;
+ 
+ 		/* Remove invalid characters from tag eg. (, ), space */
+-- 
+2.30.2
+
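Review bot: The early "return;" in the new "if (!title)" branch of show_entry_xml() silently drops the entry from the XML output, so a file with unknown tags yields output that is incomplete with no indication why. The branch just above already emits entries under a hex-based element name ("</x%04x>" with e->tag); falling back to that form when title is NULL would keep the data in the output instead of discarding it. If dropping the entry is intended, extend the comment "might just be an unknown tag" to say so, since the early return is the only visible handling of that case.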
diff -Nru exif-0.6.22/debian/patches/series exif-0.6.22/debian/patches/series
--- exif-0.6.22/debian/patches/series	2020-07-09 10:58:17.000000000 +0000
+++ exif-0.6.22/debian/patches/series	2022-08-31 07:34:04.000000000 +0000
@@ -1 +1,4 @@
 unsigned-types.patch
+0001-added-empty-strign-check-which-would-lead-to-NULL-pt.patch
+0002-actually-return-empty-stringand-not-em-pty-string-as.patch
+0003-avoid-NULL-ptr-crash.patch
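Review bot: The series adds 0001 and 0002 as separate entries although 0002 only rewrites the single line that 0001 introduces in escape_xml(); folding them into one patch would avoid carrying an intermediate state that returns "empty string" and would shorten the series. The file names also inherit the typos from the upstream subjects ("strign", "stringand", "em-pty"), which makes them harder to search for; renaming them in debian/patches is harmless as long as the original Subject lines inside the patches are kept.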