Hello community,
here is the log from the commit of package jhead for openSUSE:Factory checked in at 2018-10-25 09:11:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jhead (Old)
and /work/SRC/openSUSE:Factory/.jhead.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jhead"
Thu Oct 25 09:11:34 2018 rev:25 rq:644204 version:3.00
Changes:
--------
--- /work/SRC/openSUSE:Factory/jhead/jhead.changes 2018-09-15 15:41:37.252774300 +0200
+++ /work/SRC/openSUSE:Factory/.jhead.new/jhead.changes 2018-10-25 09:11:35.286316887 +0200
@@ -1,0 +2,7 @@
+Wed Oct 24 08:01:56 UTC 2018 - Marketa Calabkova
+
+- Renamed CVE-2018-16554.patch to CVE-2018-17088.patch, because
+ it is in fact fix of boo#1108672
+- Buffer overflow fix (boo#1108480) CVE-2018-16554.patch
+
+-------------------------------------------------------------------
New:
----
CVE-2018-17088.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jhead.spec ++++++
--- /var/tmp/diff_new_pack.xYIEzP/_old 2018-10-25 09:11:35.926316504 +0200
+++ /var/tmp/diff_new_pack.xYIEzP/_new 2018-10-25 09:11:35.926316504 +0200
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -28,8 +28,10 @@
Patch0: CVE-2018-6612.patch
# PATCH-FIX-SECURITY CVE-2016-3822.patch CVE-2016-3822 boo1108480 sbrabec@suse.com -- Integer overflow fix from Debian (31_CVE-2016-3822.patch).
Patch1: CVE-2016-3822.patch
-# PATCH-FIX-SECURITY CVE-2018-16554.patch CVE-2018-16554 boo1108480 sbrabec@suse.com -- Integer overflow fix.
-Patch2: CVE-2018-16554.patch
+# PATCH-FIX-SECURITY CVE-2018-17088.patch CVE-2018-17088 boo1108672 sbrabec@suse.com -- Integer overflow fix.
+Patch2: CVE-2018-17088.patch
+# PATCH-FIX-SECURITY CVE-2018-16554.patch CVE-2018-16554 boo1108480 mcalabkova@suse.com -- Buffer overflow fix.
+Patch3: CVE-2018-16554.patch
Requires: %{_bindir}/jpegtran
Requires: %{_bindir}/mogrify
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -47,6 +49,7 @@
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")"
DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
TIME="\"$(date -d "${modified}" "+%%R")\""
++++++ CVE-2018-16554.patch ++++++
--- /var/tmp/diff_new_pack.xYIEzP/_old 2018-10-25 09:11:35.946316492 +0200
+++ /var/tmp/diff_new_pack.xYIEzP/_new 2018-10-25 09:11:35.946316492 +0200
@@ -1,42 +1,19 @@
-Index: jhead-3.00/gpsinfo.c
-===================================================================
---- jhead-3.00.orig/gpsinfo.c
-+++ jhead-3.00/gpsinfo.c
-@@ -6,6 +6,7 @@
- #include "jhead.h"
+From: Ludovic Rousseau
+Date: Sat Sep 8 16:19:07 CEST 2018
+Subject: fix heap buffer overflow
+
+Bug-Debian: https://bugs.debian.org/908176
+Description: Fix CVE-2018-16554
+
+--- a/gpsinfo.c
++++ b/gpsinfo.c
+@@ -162,7 +162,8 @@
+ break;
- #define MAX_GPS_TAG 0x1e
-+#include
-
-
- #define TAG_GPS_LAT_REF 1
-@@ -101,7 +102,7 @@ void ProcessGpsInfo(unsigned char * DirS
- unsigned OffsetVal;
- OffsetVal = Get32u(DirEntry+8);
- // If its bigger than 4 bytes, the dir entry contains an offset.
-- if (OffsetVal+ByteCount > ExifLength){
-+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
- // Bogus pointer offset and / or bytecount value
- ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
- continue;
-Index: jhead-3.00/makernote.c
-===================================================================
---- jhead-3.00.orig/makernote.c
-+++ jhead-3.00/makernote.c
-@@ -5,6 +5,7 @@
- #include "jhead.h"
-
- extern int MotorolaOrder;
-+#include
-
- //--------------------------------------------------------------------------
- // Process exif format directory, as used by Cannon maker note
-@@ -64,7 +65,7 @@ static void ProcessCanonMakerNoteDir(uns
- unsigned OffsetVal;
- OffsetVal = Get32u(DirEntry+8);
- // If its bigger than 4 bytes, the dir entry contains an offset.
-- if (OffsetVal+ByteCount > ExifLength){
-+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
- // Bogus pointer offset and / or bytecount value
- ErrNonfatal("Illegal value pointer for Exif maker tag %04x", Tag,0);
- continue;
+ case TAG_GPS_ALT:
+- sprintf(ImageInfo.GpsAlt + 1, "%.2fm",
++ snprintf(ImageInfo.GpsAlt + 1, sizeof(ImageInfo.GpsAlt) -1,
++ "%.2fm",
+ ConvertAnyFormat(ValuePtr, Format));
+ break;
+ }
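Review bot: The new `snprintf` call in the `TAG_GPS_ALT` case discards its return value, so an altitude that does not fit in `ImageInfo.GpsAlt` is now truncated silently and shown as if it were a valid reading. The bound itself is right: the destination starts at `GpsAlt + 1` and the size is `sizeof(ImageInfo.GpsAlt) - 1`, so the write stays inside the array and is NUL-terminated. I would capture the result, `int n = snprintf(...);`, and report `if (n < 0 || (size_t)n >= sizeof(ImageInfo.GpsAlt) - 1)` through `ErrNonfatal`, as the offset check elsewhere in this file does for bogus tags. The enclosing switch begins and ends outside the hunk, so any other unbounded `sprintf` into `ImageInfo` fields there cannot be seen from here and is worth auditing in the same pass.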
++++++ CVE-2018-17088.patch ++++++
Index: jhead-3.00/gpsinfo.c
===================================================================
--- jhead-3.00.orig/gpsinfo.c
+++ jhead-3.00/gpsinfo.c
@@ -6,6 +6,7 @@
#include "jhead.h"
#define MAX_GPS_TAG 0x1e
+#include
#define TAG_GPS_LAT_REF 1
@@ -101,7 +102,7 @@ void ProcessGpsInfo(unsigned char * DirS
unsigned OffsetVal;
OffsetVal = Get32u(DirEntry+8);
// If its bigger than 4 bytes, the dir entry contains an offset.
- if (OffsetVal+ByteCount > ExifLength){
+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
// Bogus pointer offset and / or bytecount value
ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
continue;
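Review bot: The wrap guard `OffsetVal > UINT32_MAX - ByteCount` hard-codes a 32-bit limit although `OffsetVal` is declared plain `unsigned`, so it matches the operand type only where `unsigned` is 32 bits wide. `UINT_MAX` from `<limits.h>` would follow the type. If `ByteCount` and `ExifLength` are both unsigned, which the hunk does not show, `if (ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount){` avoids both the addition and the constant. The same line is added in the `ProcessCanonMakerNoteDir` hunk for makernote.c and the comment applies there too. `ByteCount` is computed before the hunk starts, so whether that multiplication can itself wrap before reaching this check should be confirmed against the full function.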
Index: jhead-3.00/makernote.c
===================================================================
--- jhead-3.00.orig/makernote.c
+++ jhead-3.00/makernote.c
@@ -5,6 +5,7 @@
#include "jhead.h"
extern int MotorolaOrder;
+#include
//--------------------------------------------------------------------------
// Process exif format directory, as used by Cannon maker note
@@ -64,7 +65,7 @@ static void ProcessCanonMakerNoteDir(uns
unsigned OffsetVal;
OffsetVal = Get32u(DirEntry+8);
// If its bigger than 4 bytes, the dir entry contains an offset.
- if (OffsetVal+ByteCount > ExifLength){
+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
// Bogus pointer offset and / or bytecount value
ErrNonfatal("Illegal value pointer for Exif maker tag %04x", Tag,0);
continue;