diff --git a/files/security/CVE-2019-13504.patch b/files/security/CVE-2019-13504.patch
deleted file mode 100644
--- a/files/security/CVE-2019-13504.patch
+++ /dev/null
@@ -1,156 +0,0 @@ -From 7ce574687ad14893447f1a6c4471953225c35d75 Mon Sep 17 00:00:00 2001 -From: Jeka Pats -Date: Wed, 3 Jul 2019 14:17:59 +0300 -Subject: [PATCH] Add libFuzzer integration + report bug - -This commit places the basics for libFuzzer integration with one -fuzzer which fuzzes the readMetadata function. The fuzzer is -located at fuzz/read-metadata. - -To add more fuzzers please add them to ./fuzz directory as -described in the README. - -Also a memory corruption bug is found using this fuzzer which -might lead to additional bugs after fix is pushed. ---- - CMakeLists.txt | 9 +++++++++ - README.md | 24 ++++++++++++++++++++++++ - cmake/printSummary.cmake | 1 + - fuzz/CMakeLists.txt | 14 ++++++++++++++ - fuzz/read-metadata.cpp | 24 ++++++++++++++++++++++++ - 5 files changed, 72 insertions(+) - create mode 100644 fuzz/CMakeLists.txt - create mode 100644 fuzz/read-metadata.cpp - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index a9da5ea71..6d9dad751 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -25,6 +25,7 @@ option( EXIV2_BUILD_SAMPLES "Build sample applications" - option( EXIV2_BUILD_PO "Build translations files" OFF ) - option( EXIV2_BUILD_EXIV2_COMMAND "Build exiv2 command-line executable" ON ) - option( EXIV2_BUILD_UNIT_TESTS "Build unit tests" OFF ) -+option( EXIV2_BUILD_FUZZ_TESTS "Build fuzz tests (libFuzzer)" OFF ) - option( EXIV2_BUILD_DOC "Add 'doc' target to generate documentation" OFF ) - - # Only intended to be used by Exiv2 developers/contributors -@@ -82,6 +83,14 @@ if( EXIV2_BUILD_UNIT_TESTS ) - add_subdirectory ( unitTests ) - endif() - -+if( EXIV2_BUILD_FUZZ_TESTS) -+ if ((NOT COMPILER_IS_CLANG) OR (NOT EXIV2_TEAM_USE_SANITIZERS)) -+ message(FATAL_ERROR "You need to build with Clang and sanitizers for the fuzzers to work. 
" -+ "Use Clang and -DEXIV2_TEAM_USE_SANITIZERS=ON") -+ endif() -+ add_subdirectory ( fuzz ) -+endif() -+ - if( EXIV2_BUILD_SAMPLES ) - ## - # tests -diff --git a/README.md b/README.md -index bf1f3741e..2f37c0d64 100644 ---- a/README.md -+++ b/README.md -@@ -28,6 +28,7 @@ - 1. [Running tests on a UNIX-like system](#4-1) - 2. [Running tests on Visual Studio builds](#4-2) - 3. [Unit tests](#4-3) -+ 4. [Fuzzing](#4-4) - 5. [Platform Notes](#5) - 1. [Linux](#5-1) - 2. [MacOS-X](#5-2) -@@ -663,6 +664,29 @@ $ ctest - - ``` - -+### 4.4 Fuzzing -+ -+The code for the fuzzers is in `exiv2dir/fuzz` -+ -+To build the fuzzers, use the *cmake* option `-DEXIV2_BUILD_FUZZ_TESTS=ON` and `-DEXIV2_TEAM_USE_SANITIZERS=ON`. -+Note that it only works with clang compiler as libFuzzer is integrate with clang > 6.0 -+ -+To build the fuzzers: -+ -+```bash -+export CXX=clang++ -+export CC=clang -+cmake .. -G "Unix Makefiles" "-DEXIV2_BUILD_FUZZ_TESTS=ON" "-DEXIV2_TEAM_USE_SANITIZERS=ON" -+make -j4 -+``` -+ -+To execute the fuzzers: -+ -+```bash -+cd /build -+bin/ # for example ./bin/read-metadata.cpp -+``` -+ - [TOC](#TOC) -
- -diff --git a/cmake/printSummary.cmake b/cmake/printSummary.cmake -index 4da6ccbdc..815a72eab 100644 ---- a/cmake/printSummary.cmake -+++ b/cmake/printSummary.cmake -@@ -59,6 +59,7 @@ OptionOutput( "Building exiv2 command: " EXIV2_BUILD_EXIV2_COMMAND - OptionOutput( "Building samples: " EXIV2_BUILD_SAMPLES ) - OptionOutput( "Building PO files: " EXIV2_BUILD_PO ) - OptionOutput( "Building unit tests: " EXIV2_BUILD_UNIT_TESTS ) -+OptionOutput( "Building fuzz tests: " EXIV2_BUILD_FUZZ_TESTS ) - OptionOutput( "Building doc: " EXIV2_BUILD_DOC ) - OptionOutput( "Building with coverage flags: " BUILD_WITH_COVERAGE ) - OptionOutput( "Using ccache: " BUILD_WITH_CCACHE ) -diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt -new file mode 100644 -index 000000000..281ff570a ---- /dev/null -+++ b/fuzz/CMakeLists.txt -@@ -0,0 +1,14 @@ -+ -+macro(fuzzer name) -+ add_executable(${name} ${name}.cpp) -+ set_target_properties(${name} -+ PROPERTIES -+ COMPILE_FLAGS "-fsanitize=fuzzer" -+ LINK_FLAGS "-fsanitize=fuzzer") -+ target_link_libraries(${name} -+ PRIVATE -+ exiv2lib -+ ) -+endmacro() -+ -+fuzzer(read-metadata) -\ No newline at end of file -diff --git a/fuzz/read-metadata.cpp b/fuzz/read-metadata.cpp -new file mode 100644 -index 000000000..9f0b59791 ---- /dev/null -+++ b/fuzz/read-metadata.cpp -@@ -0,0 +1,24 @@ -+#include -+ -+#include -+#include -+#include -+ -+ -+extern "C" int LLVMFuzzerTestOneInput(const uint8_t * Data, size_t Size) -+try { -+ Exiv2::Image::UniquePtr image = Exiv2::ImageFactory::open(Data, Size); -+ assert(image.get() != 0); -+ image->readMetadata(); -+ -+ Exiv2::ExifData &exifData = image->exifData(); -+ if (exifData.empty()) { -+ return -1; -+ } -+ -+ -+ return 0; -+} -+catch (Exiv2::Error& e) { -+ return -1; -+} diff --git a/package.yml b/package.yml --- a/package.yml +++ b/package.yml 
@@ -1,8 +1,8 @@ name : exiv2 -version : 0.27.2 -release : 12 +version : 0.27.3 +release : 13 source : - - https://exiv2.org/builds/exiv2-0.27.2-Source.tar.gz : 2652f56b912711327baff6dc0c90960818211cf7ab79bb5e1eb59320b78d153f + - https://github.com/Exiv2/exiv2/archive/v0.27.3.tar.gz : 6398bc743c32b85b2cb2a604273b8c90aa4eb0fd7c1700bf66cbb2712b4f00c1 license : GPL-2.0-or-later component : desktop.library summary : exif and iptc metadata manipulation library and tools @@ -14,7 +14,6 @@ - devel : - curl-devel setup : | - %patch -p1 < $pkgfiles/security/CVE-2019-13504.patch %cmake_ninja \ -DEXIV2_ENABLE_CURL=on \ -DEXIV2_ENABLE_DYNAMIC_RUNTIME=off \ diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml --- a/pspec_x86_64.xml +++ b/pspec_x86_64.xml @@ -2,8 +2,8 @@ exiv2 - F. von Gellhorn - flinux@vongellhorn.ch + Jacob Alzén + jacob.alzen@gmail.com GPL-2.0-or-later desktop.library @@ -20,40 +20,23 @@ desktop.library /usr/bin/addmoddel - /usr/bin/convert-test - /usr/bin/easyaccess-test /usr/bin/exifcomment /usr/bin/exifdata - /usr/bin/exifdata-test /usr/bin/exifprint /usr/bin/exifvalue /usr/bin/exiv2 /usr/bin/exiv2json /usr/bin/geotag - /usr/bin/ini-test - /usr/bin/iotest /usr/bin/iptceasy /usr/bin/iptcprint - /usr/bin/iptctest - /usr/bin/key-test - /usr/bin/largeiptc-test /usr/bin/metacopy - /usr/bin/mmap-test /usr/bin/mrwthumb - /usr/bin/path-test - /usr/bin/prevtest - /usr/bin/stringto-test /usr/bin/taglist - /usr/bin/tiff-test - /usr/bin/werror-test - /usr/bin/write-test - /usr/bin/write2-test /usr/bin/xmpdump /usr/bin/xmpparse - /usr/bin/xmpparser-test /usr/bin/xmpprint /usr/bin/xmpsample - /usr/lib64/libexiv2.so.0.27.2 + /usr/lib64/libexiv2.so.0.27.3 /usr/lib64/libexiv2.so.27 /usr/share/locale/bs/LC_MESSAGES/exiv2.mo /usr/share/locale/ca/LC_MESSAGES/exiv2.mo @@ -82,7 +65,7 @@ programming.devel - exiv2 + exiv2 /usr/include/exiv2/asfvideo.hpp 
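Review bot: The `source` entry in the first package.yml hunk changes origin as well as version, from a release tarball under `exiv2.org/builds/` to a GitHub tag archive (`archive/v0.27.3.tar.gz`), and nothing in the commit records why. A tag archive is produced by the forge from the repository rather than published by upstream as a release artifact, so the pinned SHA-256 is the only integrity anchor. It is not visible here whether that hash was checked against anything upstream publishes. I would add a comment above the entry such as `# GitHub tag archive; sha256 verified against <upstream-published checksum or signed tag>`, or keep the upstream release tarball if one exists for 0.27.3.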
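Review bot: Dropping `%patch -p1 < $pkgfiles/security/CVE-2019-13504.patch` from `setup` in the second package.yml hunk leaves the package with no statement that CVE-2019-13504 is covered by the 0.27.3 sources, and this diff does not show that it is. The deleted patch's own diffstat lists only CMakeLists.txt, README.md, cmake/printSummary.cmake and fuzz/, so the library-side fix should be confirmed against the upstream 0.27.3 changelog rather than assumed from the old patch. I would record the result next to `setup`, for example `# CVE-2019-13504: local patch dropped, fixed upstream in 0.27.3 (<upstream commit or changelog reference>)`, and repeat it in the commit description so advisory tracking can pick it up.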
@@ -144,12 +127,12 @@ - - 2019-11-05 - 0.27.2 + + 2020-08-09 + 0.27.3 Packaging update - F. von Gellhorn - flinux@vongellhorn.ch + Jacob Alzén + jacob.alzen@gmail.com \ No newline at end of file