From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham
	autolearn_force=no version=3.4.2
Received: from inbox.vuxu.org (localhost [IPv6:::1])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 9d4d03b3
	for ; Mon, 11 Nov 2019 01:44:36 +0000 (UTC)
Content-Type: multipart/mixed; boundary="===============2435049236301312612=="
MIME-Version: 1.0
Subject: [PR PATCH] libexif: fix CVE-2018-20030.
To: ml@inbox.vuxu.org
From: voidlinux-github@inbox.vuxu.org
Reply-to: ml@inbox.vuxu.org
Message-ID:
Date: Mon, 11 Nov 2019 02:44:36 +0100

GitHub notification mails are now in MIME to allow UTF8.
--===============2435049236301312612==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

There is a new pull request by travankor against master on the void-packages repository

https://github.com/travankor/void-packages libexif
https://github.com/void-linux/void-packages/pull/16345

libexif: fix CVE-2018-20030.
None

A patch file from https://github.com/void-linux/void-packages/pull/16345.patch is attached
--===============2435049236301312612==
Content-Type: text/x-diff
MIME-Version: 1.0
Content-Disposition: attachment; filename="github-pr-libexif-16345.patch"

From 71820d31151b697598645c7de8991074578ad357 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Sun, 10 Nov 2019 18:43:22 -0700
Subject: [PATCH] libexif: fix CVE-2018-20030.

---
 srcpkgs/libexif/patches/CVE-2018-20030.patch | 115 +++++++++++++++++++
 srcpkgs/libexif/template                     |   2 +-
 2 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/libexif/patches/CVE-2018-20030.patch

diff --git a/srcpkgs/libexif/patches/CVE-2018-20030.patch b/srcpkgs/libexif/patches/CVE-2018-20030.patch
new file mode 100644
index 00000000000..58afe69b4e8
--- /dev/null
+++ b/srcpkgs/libexif/patches/CVE-2018-20030.patch
@@ -0,0 +1,115 @@
+From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Fri, 12 Oct 2018 16:01:45 +0200
+Subject: [PATCH] Improve deep recursion detection in
+ exif_data_load_data_content.
+
+The existing detection was still vulnerable to pathological cases
+causing DoS by wasting CPU. The new algorithm takes the number of tags
+into account to make it harder to abuse by cases using shallow recursion
+but with a very large number of tags.  This improves on commit 5d28011c
+which wasn't sufficient to counter this kind of case.
+
+The limitation in the previous fix was discovered by Laurent Delosieres,
+Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
+the identifier CVE-2018-20030.
+---
+ NEWS                |  1 +
+ libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
+ 2 files changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index e35403d..a6f9c94 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -35,6 +35,7 @@
+ #include <libexif/olympus/exif-mnote-data-olympus.h>
+ #include <libexif/pentax/exif-mnote-data-pentax.h>
+ 
++#include <math.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) {				\
+ 	break;						\
+ }
+ 
++/*! Calculate the recursion cost added by one level of IFD loading.
++ *
++ * The work performed is related to the cost in the exponential relation
++ *   work=1.1**cost
++ */
++static unsigned int
++level_cost(unsigned int n)
++{
++    static const double log_1_1 = 0.09531017980432493;
++
++	/* Adding 0.1 protects against the case where n==1 */
++	return ceil(log(n + 0.1)/log_1_1);
++}
++
+ /*! Load data for an IFD.
+  *
+  * \param[in,out] data #ExifData
+@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) {				\
+  * \param[in] d pointer to buffer containing raw IFD data
+  * \param[in] ds size of raw data in buffer at \c d
+  * \param[in] offset offset into buffer at \c d at which IFD starts
+- * \param[in] recursion_depth number of times this function has been
+- * recursively called without returning
++ * \param[in] recursion_cost factor indicating how expensive this recursive
++ * call could be
+  */
+ static void
+ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
++			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
+ 	  return;
+ 
+-	if (recursion_depth > 30) {
++	if (recursion_cost > 170) {
++		/*
++		 * recursion_cost is a logarithmic-scale indicator of how expensive this
++		 * recursive call might end up being. It is an indicator of the depth of
++		 * recursion as well as the potential for worst-case future recursive
++		 * calls. Since it's difficult to tell ahead of time how often recursion
++		 * will occur, this assumes the worst by assuming every tag could end up
++		 * causing recursion.
++		 * The value of 170 was chosen to limit typical EXIF structures to a
++		 * recursive depth of about 6, but pathological ones (those with very
++		 * many tags) to only 2.
++		 */
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Deep recursion detected!");
++			  "Deep/expensive recursion detected!");
+ 		return;
+ 	}
+ 
+@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
++				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
++					recursion_cost + level_cost(n));
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
diff --git a/srcpkgs/libexif/template b/srcpkgs/libexif/template
index f8898968101..cfc458720cf 100644
--- a/srcpkgs/libexif/template
+++ b/srcpkgs/libexif/template
@@ -1,7 +1,7 @@
 # Template file for 'libexif'
 pkgname=libexif
 version=0.6.21
-revision=5
+revision=6
 build_style=gnu-configure
 configure_args="ac_cv_path_DOXYGEN=false"
 short_desc="EXIF file library"
--===============2435049236301312612==--
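Review bot: `level_cost()` in the embedded `libexif/exif-data.c` change (inner hunk `@@ -350,6 +351,20 @@`) has no defined result for `n == 0`: `log(0 + 0.1)` is negative, and `return ceil(log(n + 0.1)/log_1_1);` then converts a negative double to `unsigned int`, which C leaves undefined. The three call sites shown sit inside `switch (tag)`, where the tag count is presumably at least 1, but the helper's doc comment does not state that precondition; either document it there or return 0 early for `n == 0`. The same hunk indents `log_1_1` with spaces while the rest of the function uses tabs. Separately, the added `#include <math.h>` makes the file depend on `log` and `ceil`, so confirm the library still links against libm on every target the package builds for.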
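Review bot: the limit in `if (recursion_cost > 170)` (inner hunk `@@ -378,9 +393,20 @@`) is a bare literal whose meaning depends on the base 1.1 that is hard-coded separately as `log_1_1` in `level_cost()`; a named constant defined next to `level_cost()` would keep the two values together and stop them drifting apart if either is tuned later. The in-function comment explaining the choice of 170 is good and should move with the constant. Since `n` is an `ExifShort`, one level adds at most 117 to the cost, so `recursion_cost + level_cost(n)` at the call sites cannot wrap before this check trips; a short remark to that effect in the comment would save the next reader the arithmetic.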
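Review bot: the header of the new file `srcpkgs/libexif/patches/CVE-2018-20030.patch` no longer matches its body: it keeps the upstream diffstat (`NEWS | 1 +`, `2 files changed, 38 insertions(+), 8 deletions(-)`) but only the `libexif/exif-data.c` diff follows. patch(1) ignores the diffstat, so the build is unaffected, but the mismatch makes the file look truncated; note in the commit message that the NEWS change was dropped on purpose. The commit message and PR description are otherwise empty ("None"), so a line pointing at the upstream commit `6aa11df549114ebda520dde4cdaea2f9357b2c89` named in the patch header would help whoever next audits this package. The `revision=5` to `revision=6` bump in the template is the expected companion change.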