!41 [sync] PR-39: fix CVE-2020-0452

From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

41bd04234b104312f54d25822f68738ba8d7133d.patch

@@ -1,60 +0,0 @@
-From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Tue, 25 Jul 2017 23:44:44 +0200
-Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
- makernote entries.
-
-This should fix:
-https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
----
- libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
-index d03d159..ea0429a 100644
---- a/libexif/pentax/mnote-pentax-entry.c
-+++ b/libexif/pentax/mnote-pentax-entry.c
-@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- 		case EXIF_FORMAT_SHORT:
- 		  {
- 			const unsigned char *data = entry->data;
--		  	size_t k, len = strlen(val);
-+		  	size_t k, len = strlen(val), sizeleft;
-+
-+			sizeleft = entry->size;
- 		  	for(k=0; k<entry->components; k++) {
-+				if (sizeleft < 2)
-+					break;
- 				vs = exif_get_short (data, entry->order);
- 				snprintf (val+len, maxlen-len, "%i ", vs);
- 				len = strlen(val);
- 				data += 2;
-+				sizeleft -= 2;
- 			}
- 		  }
- 		  break;
- 		case EXIF_FORMAT_LONG:
- 		  {
- 			const unsigned char *data = entry->data;
--		  	size_t k, len = strlen(val);
-+		  	size_t k, len = strlen(val), sizeleft;
-+
-+			sizeleft = entry->size;
- 		  	for(k=0; k<entry->components; k++) {
-+				if (sizeleft < 4)
-+					break;
- 				vl = exif_get_long (data, entry->order);
- 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
- 				len = strlen(val);
- 				data += 4;
-+				sizeleft -= 4;
- 			}
- 		  }
- 		  break;
-@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
- 		break;
- 	}
- 
--	return (val);
-+	return val;
- }

CVE-2018-20030.patch

@@ -1,93 +0,0 @@
---- libexif-0.6.21-bak/libexif/exif-data.c	2019-06-13 21:49:15.711000000 -0400
-+++ libexif-0.6.21/libexif/exif-data.c	2019-06-13 23:31:41.672000000 -0400
-@@ -35,6 +35,7 @@
- #include <libexif/olympus/exif-mnote-data-olympus.h>
- #include <libexif/pentax/exif-mnote-data-pentax.h>
- 
-+#include <math.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) {				\
- 	break;						\
- }
- 
-+/*! Calculate the recursion cost added by one level of IFD loading.
-+ *
-+ * The work performed is related to the cost in the exponential relation
-+ *   work=1.1**cost
-+ */
-+static unsigned int
-+level_cost(unsigned int n)
-+{
-+    static const double log_1_1 = 0.09531017980432493;
-+
-+	/* Adding 0.1 protects against the case where n==1 */
-+	return ceil(log(n + 0.1)/log_1_1);
-+}
-+
- /*! Load data for an IFD.
-  *
-  * \param[in,out] data #ExifData
-@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) {				\
-  * \param[in] d pointer to buffer containing raw IFD data
-  * \param[in] ds size of raw data in buffer at \c d
-  * \param[in] offset offset into buffer at \c d at which IFD starts
-- * \param[in] recursion_depth number of times this function has been
-- * recursively called without returning
-+ * \param[in] recursion_cost factor indicating how expensive this recursive
-+ * call could be
-  */
- static void
- exif_data_load_data_content (ExifData *data, ExifIfd ifd,
- 			     const unsigned char *d,
--			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
-+			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
- {
- 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
- 	ExifShort n;
-@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *d
- 	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
- 	  return;
- 
--	if (recursion_depth > 30) {
-+      	if (recursion_cost > 170) {
-+		/*
-+		 * recursion_cost is a logarithmic-scale indicator of how expensive this
-+		 * recursive call might end up being. It is an indicator of the depth of
-+		 * recursion as well as the potential for worst-case future recursive
-+		 * calls. Since it's difficult to tell ahead of time how often recursion
-+		 * will occur, this assumes the worst by assuming every tag could end up
-+		 * causing recursion.
-+		 * The value of 170 was chosen to limit typical EXIF structures to a
-+		 * recursive depth of about 6, but pathological ones (those with very
-+		 * many tags) to only 2.
-+		 */ 
- 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
--			  "Deep recursion detected!");
-+               		  "Deep/expensive recursion detected!"); 
- 		return;
- 	}
- 
-@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *d
- 			switch (tag) {
- 			case EXIF_TAG_EXIF_IFD_POINTER:
- 				CHECK_REC (EXIF_IFD_EXIF);
--				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
-+				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
-+					recursion_cost + level_cost(n));
- 				break;
- 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
- 				CHECK_REC (EXIF_IFD_GPS);
--				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
-+				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
-+					recursion_cost + level_cost(n));
- 				break;
- 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
- 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
--				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
-+				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
-+					recursion_cost + level_cost(n));
- 				break;
- 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
- 				thumbnail_offset = o;

CVE-2020-0198.patch

@@ -0,0 +1,58 @@
+From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Mon, 8 Jun 2020 17:27:06 +0200
+Subject: [PATCH] fixed another unsigned integer overflow
+
+first fixed by google in android fork,
+https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
+
+(use a more generic overflow check method, also check second overflow instance.)
+
+https://security-tracker.debian.org/tracker/CVE-2020-0198
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 8b280d3..b495726 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+ 
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+ 		return;
+ 	}
+-	if (s > ds - o) {
++	if (CHECKOVERFLOW(o,ds,s)) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ 		return;
+ 	}
+@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 	}
+ 
+ 	/* Read the number of entries */
+-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
++	if (CHECKOVERFLOW(offset, ds, 2)) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
++			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
+ 		return;
+ 	}
+ 	n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 	offset += 2;
+ 
+ 	/* Check if we have enough data. */
+-	if (offset + 12 * n > ds) {
++	if (CHECKOVERFLOW(offset, ds, 12*n)) {
+ 		n = (ds - offset) / 12;
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 				  "Short data; only loading %hu entries...", n);

backport-CVE-2020-0452.patch

@@ -0,0 +1,31 @@
+From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Thu, 5 Nov 2020 09:50:08 +0100
+Subject: [PATCH] fixed a incorrect overflow check that could be optimized
+ away.
+
+inspired by:
+https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
+
+https://source.android.com/security/bulletin/2020-11-01
+
+CVE-2020-0452
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 3fc0ff92..4b866cee 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ 	{
+ 		unsigned char *utf16;
+ 
+-		/* Sanity check the size to prevent overflow */
+-		if (e->size+sizeof(uint16_t)+1 < e->size) break;
++		/* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
++		if (e->size >= 65536 - sizeof(uint16_t)*2) break;
+ 
+ 		/* The tag may not be U+0000-terminated , so make a local
+ 		   U+0000-terminated copy before converting it */

backport-fuzz-stack-overflow.patch

@@ -0,0 +1,34 @@
+From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Mon, 6 Sep 2021 08:42:56 +0200
+Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
+ does not translate it into a tail recursion it could be used to cause stack
+ overruns (oss-fuzz)
+
+---
+ libexif/exif-loader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
+index e376465..5c48faf 100644
+--- a/libexif/exif-loader.c
++++ b/libexif/exif-loader.c
+@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ {
+ 	unsigned int i;
+ 
++begin:
+ 	if (!eld || (len && !buf)) 
+ 		return 0;
+ 
+@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ 	 * to read all data we need. Fill it with new data.
+ 	 */
+ 	eld->b_len = 0;
+-	return exif_loader_write (eld, buf, len);
++	goto begin;
+ }
+ 
+ ExifLoader *
+-- 
+2.27.0

backport-fuzz-timeout-and-out-of-memory.patch

@@ -0,0 +1,38 @@
+From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 30 Jan 2021 14:06:08 +0100
+Subject: [PATCH] limit the amount of tags we allow in the makernote here.
+
+due to memory layout the max amount of 65536 tags could be used
+to exhaust lots of memory and time during parsing,
+as each tag can reuse the same memory range.
+
+(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
+
+This fixes OSS-FUZZ issue 27280.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 45e4bc5..0c68d51 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ 	c = exif_get_short (buf + o2, n->order);
+ 	o2 += 2;
+ 
++	/* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
++	 * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
++	if (c > 300) {
++		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
++		return;
++	}
++
+ 	/* Remove any old entries */
+ 	exif_mnote_data_olympus_clear (n);
+ 
+-- 
+2.27.0

libexif-0.6.21_CVE-2017-7544.patch

@@ -1,17 +0,0 @@
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index 67df4db..91f4c33 100644
---- a/libexif/exif-data.c
-+++ b/libexif/exif-data.c
-@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
- 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
- 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
- 			e->components = e->size;
-+			if (exif_format_get_size (e->format) != 1) {
-+				/* e->format is taken from input code,
-+				 * but we need to make sure it is a 1 byte
-+				 * entity due to the multiplication below. */
-+				e->format = EXIF_FORMAT_UNDEFINED;
-+			}
- 		}
- 	}
- 

libexif-bugfix-division-0.patch

@@ -1,37 +0,0 @@
-From d66dea055522290c1ef34e3ae914146cd52b5d8e Mon Sep 17 00:00:00 2001
-From: songnannan2 <songnannan2@huawei.com>
-Date: Sat, 15 Feb 2020 20:44:53 +0800
-Subject: [PATCH] libexif: modification summary
-
----
- libexif-0.6.21/libexif/exif-entry.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
-index 54a90a2..436e8a7 100644
---- a/libexif/exif-entry.c
-+++ b/libexif/exif-entry.c
-@@ -1085,7 +1085,7 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
- 			break;
- 		}
- 		d = (double) v_rat.numerator / (double) v_rat.denominator;
--		if (d < 1)
-+		if (d < 1 && d)
- 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
- 		else
- 			snprintf (val, maxlen, "%i", (int) d);
-@@ -1102,8 +1102,9 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
- 		}
- 		d = (double) v_srat.numerator / (double) v_srat.denominator;
- 		snprintf (val, maxlen, _("%.02f EV"), d);
--		d = 1. / pow (2, d);
--		if (d < 1)
-+		if (pow (2, d))
-+			d = 1. / pow (2, d);
-+		if (d < 1 && d)
- 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
- 		else
- 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
--- 
-2.19.1
-

libexif-bugfix-integer-overflow.patch

@@ -1,25 +0,0 @@
-From c7c4de72c04b5b795ce8df9c49648431bd22ee7e Mon Sep 17 00:00:00 2001
-From: songnannan2 <songnannan2@huawei.com>
-Date: Mon, 17 Feb 2020 15:41:28 +0800
-Subject: [PATCH] bugfix in Integer overflow
-
----
- libexif/exif-loader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libexif-0.6.21/libexif/exif-loader.c b/libexif-0.6.21/libexif/exif-loader.c
-index 317b86b..e376465 100644
---- a/libexif/exif-loader.c
-+++ b/libexif/exif-loader.c
-@@ -239,7 +239,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
- 			break;
- 
- 		case EL_READ_SIZE_BYTE_24:
--			eld->size |= eld->b[i] << 24;
-+			eld->size |= (unsigned int)eld->b[i] << 24;
- 			eld->state = EL_READ_SIZE_BYTE_16;
- 			break;
- 		case EL_READ_SIZE_BYTE_16:
--- 
-2.19.1
-

libexif-bugfix-overflow.patch

@@ -1,36 +0,0 @@
-From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
-From: Dan Fandrich <dan@coneharvesters.com>
-Date: Wed, 4 Jul 2018 11:06:09 +0200
-Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
-
-While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
-the end of a heap buffer. This was detected by the OSS Fuzz project.
-Patch from Google.
-
-Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
----
- libexif/exif-entry.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
-index 61260d3..a224ac2 100644
---- a/libexif/exif-entry.c
-+++ b/libexif/exif-entry.c
-@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
- 		d = 0.;
- 		entry = exif_content_get_entry (
- 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
--		if (entry && entry->data &&
-+		if (entry && entry->data && entry->size >= 7 &&
- 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
- 			entry = exif_content_get_entry (
- 					e->parent->parent->ifd[EXIF_IFD_0],
- 					EXIF_TAG_MODEL);
--			if (entry && entry->data) {
-+			if (entry && entry->data && entry->size >= 8) {
- 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
- 					d = 3.9;
- 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
-
-

libexif-bugfix-unsigned-int.patch

@@ -1,30 +0,0 @@
-From cf37dc7934bbb10dc5d0c17db260a25aa2831595 Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Sat, 18 Jan 2020 19:50:38 +0100
-Subject: [PATCH] cast to unsigned int before shifting left
-
-(weird integer promotion, a unsigned char will be first tried to be promoted to "int" apparently,
-so we need to cast it to avoid implicit behaviour)
-
-fixes https://github.com/libexif/libexif/issues/20
----
- libexif/exif-utils.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
-index 9083ddc..8a92907 100644
---- a/libexif/exif-utils.c
-+++ b/libexif/exif-utils.c
-@@ -132,9 +132,9 @@ exif_get_slong (const unsigned char *b, ExifByteOrder order)
- 	if (!b) return 0;
-         switch (order) {
-         case EXIF_BYTE_ORDER_MOTOROLA:
--                return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
-+                return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
-         case EXIF_BYTE_ORDER_INTEL:
--                return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
-+                return (((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | (uint32_t)b[0]);
-         }
- 
- 	/* Won't be reached */
-

libexif.spec

@@ -1,21 +1,20 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
-Version:        0.6.21
-Release:        20
+Version:        0.6.22
+Release:        5
 License:        LGPLv2+
 URL:            https://libexif.github.io/
-Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
 
-Patch0:         41bd04234b104312f54d25822f68738ba8d7133d.patch
-Patch6000:      libexif-0.6.21_CVE-2017-7544.patch
-Patch6001:      CVE-2018-20030.patch
-Patch6003:      libexif-bugfix-division-0.patch
-Patch6004:	libexif-bugfix-integer-overflow.patch
-Patch6005: 	libexif-bugfix-unsigned-int.patch
-Patch6006:	libexif-bugfix-overflow.patch
-Patch9001:	libexif-bugfix-integer-overflow-pentax.patch
+Source0:        https://github.com/libexif/libexif/archive/libexif-%(echo %{version} | sed "s/\./_/g")-release.tar.gz
 
-BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git
+Patch0:         CVE-2020-0198.patch
+Patch6000:	backport-fuzz-stack-overflow.patch
+Patch6001:	backport-fuzz-timeout-and-out-of-memory.patch
+Patch6002:      backport-CVE-2020-0452.patch
+
+Patch9000:	libexif-bugfix-integer-overflow-pentax.patch
+
+BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig
 
 %description
 Most digital cameras produce EXIF files, which are JPEG files with
@@ -25,6 +24,7 @@ allows you to parse an EXIF file and read the data from those tags.
 %package        devel
 Summary:        Files needed for libexif application development
 Requires:       %{name}%{?_isa} = %{version}-%{release} pkgconfig
+Requires:       pkgconfig
 
 %description devel
 The libexif-devel package contains the libraries and header files
@@ -33,15 +33,18 @@ for writing programs that use libexif.
 %package_help
 
 %prep
-%autosetup -n %{name}-%{version} -p1 -S git
+%autosetup -n libexif-libexif-0_6_22-release -p1 
+
 %build
 autoreconf -fiv
-%configure
+%configure --disable-static
 %make_build
 
 %install
 %make_install
 %delete_la
+
+rm -rf %{buildroot}%{_datadir}/doc/libexif
 cp -R doc/doxygen-output/libexif-api.html .
 iconv -f latin1 -t utf-8 < COPYING > COPYING.utf8; cp COPYING.utf8 COPYING
 iconv -f latin1 -t utf-8 < README > README.utf8; cp README.utf8 README
@@ -62,15 +65,31 @@ make check
 %defattr(-,root,root)
 %{_includedir}/libexif
 %{_libdir}/*.so
-%{_libdir}/*.a
 %{_libdir}/pkgconfig/*.pc
-%exclude %{_datadir}/doc/libexif
 
 %files help
 %defattr(-,root,root)
 %doc libexif-api.html NEWS
 
 %changelog
+* Mon Jan 15 2024 zhouwenpei <zhouwenpei1@h-partners.com> - 0.6.22-5
+- fix CVE-2020-0452
+
+* Thu Aug 24 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 0.6.22-4
+- fix typo in changelog
+
+* Tue Oct 18 2022 wangkerong <wangkerong@h-partners.com> - 0.6.22-3
+- fix fuzz test error
+
+* Thu Sep 10 2020 hanhui <hanhui15@huawei.com> - 0.6.22-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:modify source url
+
+* Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.22-1
+- update to 0.6.22
+
 * Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 0.6.21-20
 - bugfix in oss-fuzz