Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4

To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
From: Sven Eckelmann <sven@narfation.org>
Date: Tue, 26 May 2015 21:05:51 +0200
Message-id: <[🔎] 9553236.b74uiPuGAm@bentobox>
Reply-to: Sven Eckelmann <sven@narfation.org>, 786919@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu


I'd like to upload the attached patch to oldstable-proposed-updates to fix 
#786785 (CVE-2015-3885). The security team marked this one as no-dsa but asked 
me to propose the fixes for a point release. Would this be ok? The change 
matches exactimage 0.9.1-5 + the backported "dependency" patch to get the 
ljpeg_start result validation after the ljpeg_start call. The latter change 
was in unstable before 0.9.1-5 and is required to test the patch.



Just some information to the patch (taken from my mail to the security team):

The patch was not tested against any official "special crafted image" because
none was provided with the CVE. Instead a raw image was downloaded [1] and
modified to have the len at 0x13800+0x13801 set to 0. This causes an underflow
+ endless loop in the original version of dcraw. But this also showed that the
wheezy/jessie version of exactimage did ljpeg_start() + the jh.*
validation in the wrong order and thus made the jh.* validation read
"uninintialized" data from the stack. This additional problem was fixed in an
extra patch "draw_jpeg_fix.patch". The original dcraw problem could be
reproduced after that jh.* patch was applied without the CVE fix. The test was 
run via:

$ econvert -i RAW_CANON_EOS_5DMARK3.CR2 -o test.png

The versions of exactimage with both patches doesn't crash or hang anymore
when testing with the modified RAW_CANON_EOS_5DMARK3.CR2.

The patch is the one from rawstudio with a minor context adjustment to make it
apply in the wheezy version of exactimage.

Kind regards,
	Sven

[1] http://www.rawsamples.ch/raws/canon/RAW_CANON_EOS_5DMARK3.CR2

diff -Nru exactimage-0.8.5/debian/changelog exactimage-0.8.5/debian/changelog
--- exactimage-0.8.5/debian/changelog	2013-09-10 00:06:30.000000000 +0200
+++ exactimage-0.8.5/debian/changelog	2015-05-25 19:28:21.000000000 +0200
@@ -1,3 +1,14 @@
+exactimage (0.8.5-5+deb7u4) wheezy; urgency=medium
+
+  * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
+  * debian/patches:
+    - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
+      (Closes: #786785)
+    - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
+      result check
+
+ -- Sven Eckelmann <sven@narfation.org>  Mon, 25 May 2015 17:57:23 +0200
+
 exactimage (0.8.5-5+deb7u3) stable-security; urgency=high
 
   * Add debian/patches/CVE-2013-1441.patch,
diff -Nru exactimage-0.8.5/debian/patches/CVE-2015-3885.patch exactimage-0.8.5/debian/patches/CVE-2015-3885.patch
--- exactimage-0.8.5/debian/patches/CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.5/debian/patches/CVE-2015-3885.patch	2015-05-25 19:28:21.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Avoid overflow in ljpeg_start().
+Author: Anders Brander <anders@brander.dk>
+Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 0436d34a40ee515a65513a7217dec97b3cde8946..8f56add58755843ace29b71c659b6173569f8e9a 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -836,7 +836,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000], *dp;
+ 
+   init_decoder();
diff -Nru exactimage-0.8.5/debian/patches/draw_jpeg_fix.patch exactimage-0.8.5/debian/patches/draw_jpeg_fix.patch
--- exactimage-0.8.5/debian/patches/draw_jpeg_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.5/debian/patches/draw_jpeg_fix.patch	2015-05-25 19:28:21.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix execution order of ljpeg_start() and result check
+Author: René Rebe <rene@exactcode.de>
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 8f56add58755843ace29b71c659b6173569f8e9a..66e32cf185f681657edda3c372b50b1d7b24b2c3 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -954,12 +954,12 @@ void CLASS lossless_jpeg_load_raw()
+   int min=INT_MAX;
+   ushort *rp;
+ 
+-  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+-    longjmp (failure, 2);
+-
+   if (!ljpeg_start (&jh, 0)) return;
+   jwide = jh.wide * jh.clrs;
+ 
++  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++    longjmp (failure, 2);
++
+   for (jrow=0; jrow < jh.high; jrow++) {
+     rp = ljpeg_row (jrow, &jh);
+     for (jcol=0; jcol < jwide; jcol++) {
diff -Nru exactimage-0.8.5/debian/patches/series exactimage-0.8.5/debian/patches/series
--- exactimage-0.8.5/debian/patches/series	2013-09-10 00:06:30.000000000 +0200
+++ exactimage-0.8.5/debian/patches/series	2015-05-25 19:28:21.000000000 +0200
@@ -12,3 +12,5 @@
 optimize2bw_denoise.patch
 CVE-2013-1438.patch
 CVE-2013-1441.patch
+CVE-2015-3885.patch
+draw_jpeg_fix.patch

Reply to:

Follow-Ups:
- Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
Next by Date: Re: Adding new packages to the key package list
Previous by thread: Processed: Re: Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
Next by thread: Bug#786919: wheezy-pu: package exactimage/0.8.5-5+deb7u4
Index(es):
- Date
- Thread