Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1

To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
From: Sven Eckelmann <sven@narfation.org>
Date: Tue, 26 May 2015 21:05:49 +0200
Message-id: <[🔎] 1899694.SohYYUBa0H@bentobox>
Reply-to: Sven Eckelmann <sven@narfation.org>, 786918@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu


I'd like to upload the attached patch to stable-proposed-updates to fix 
#786785 (CVE-2015-3885). The security team marked this one as no-dsa but asked 
me to propose the fixes for a point release. Would this be ok? The change 
matches exactimage 0.9.1-5 + the backported "dependency" patch to get the 
ljpeg_start result validation after the ljpeg_start call. The latter change 
was in unstable before 0.9.1-5 and is required to test the patch.



Just some information to the patch (taken from my mail to the security team):

The patch was not tested against any official "special crafted image" because
none was provided with the CVE. Instead a raw image was downloaded [1] and
modified to have the len at 0x13800+0x13801 set to 0. This causes an underflow
+ endless loop in the original version of dcraw. But this also showed that the
wheezy/jessie version of exactimage did ljpeg_start() + the jh.*
validation in the wrong order and thus made the jh.* validation read
"uninintialized" data from the stack. This additional problem was fixed in an
extra patch "draw_jpeg_fix.patch". The original dcraw problem could be
reproduced after that jh.* patch was applied without the CVE fix. The test was 
run via:

$ econvert -i RAW_CANON_EOS_5DMARK3.CR2 -o test.png

The versions of exactimage with both patches doesn't crash or hang anymore
when testing with the modified RAW_CANON_EOS_5DMARK3.CR2.

The patch is the one from rawstudio mentioned in CVE-2015-3885.

Kind regards,
	Sven

[1] http://www.rawsamples.ch/raws/canon/RAW_CANON_EOS_5DMARK3.CR2

diff -Nru exactimage-0.8.9/debian/changelog exactimage-0.8.9/debian/changelog
--- exactimage-0.8.9/debian/changelog	2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/changelog	2015-05-25 19:23:02.000000000 +0200
@@ -1,3 +1,14 @@
+exactimage (0.8.9-7+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
+  * debian/patches:
+    - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
+      (Closes: #786785)
+    - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
+      result check
+
+ -- Sven Eckelmann <sven@narfation.org>  Mon, 25 May 2015 17:45:27 +0200
+
 exactimage (0.8.9-7) unstable; urgency=medium
 
   * debian/rules:
diff -Nru exactimage-0.8.9/debian/patches/CVE-2015-3885.patch exactimage-0.8.9/debian/patches/CVE-2015-3885.patch
--- exactimage-0.8.9/debian/patches/CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/CVE-2015-3885.patch	2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Avoid overflow in ljpeg_start().
+Author: Anders Brander <anders@brander.dk>
+Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index b115191c2f8f049e8ad933e0f83de52568413ec2..2f24f0f73744520a87cf6dc2eeb7dea84e83a563 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -775,7 +775,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
diff -Nru exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch
--- exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch	2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix execution order of ljpeg_start() and result check
+Author: René Rebe <rene@exactcode.de>
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 2f24f0f73744520a87cf6dc2eeb7dea84e83a563..5584fef46c9759776475683a17d252b723a58ee5 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -893,12 +893,12 @@ void CLASS lossless_jpeg_load_raw()
+   struct jhead jh;
+   ushort *rp;
+ 
+-  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+-    longjmp (failure, 2);
+-
+   if (!ljpeg_start (&jh, 0)) return;
+   jwide = jh.wide * jh.clrs;
+ 
++  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++    longjmp (failure, 2);
++
+   for (jrow=0; jrow < jh.high; jrow++) {
+     rp = ljpeg_row (jrow, &jh);
+     if (load_flags & 1)
diff -Nru exactimage-0.8.9/debian/patches/series exactimage-0.8.9/debian/patches/series
--- exactimage-0.8.9/debian/patches/series	2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/patches/series	2015-05-25 19:23:02.000000000 +0200
@@ -13,3 +13,5 @@
 libgif.patch
 ftbfs_evas_object.patch
 perl_vendor_dir.patch
+CVE-2015-3885.patch
+draw_jpeg_fix.patch

Reply to:

Follow-Ups:
- Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: NEW changes in stable-new
Next by Date: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
Previous by thread: Processed: Re: Bug#786912: jessie-pu: package usemod-wiki/1.0.5-3
Next by thread: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
Index(es):
- Date
- Thread