Your message dated Sat, 05 Sep 2015 14:31:07 +0100 with message-id <1441459867.2151.32.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for 8.2 has caused the Debian Bug report #788241, regarding jessie-pu: package rawtherapee/4.2-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
788241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788241
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package rawtherapee/4.2-1
- From: Philip Rinn <rinni@inventati.org>
- Date: Tue, 09 Jun 2015 19:46:25 +0200
- Message-id: <20150609174625.6663.24913.reportbug@debian.samsung.router>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

rawtherapee is affected by the security issue CVE-2015-3885[1]. It's marked no-dsa, that's why I want to coordinate the update with you. I attached the debdiff.

Best,
Philip

[1] https://security-tracker.debian.org/tracker/CVE-2015-3885

diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog --- rawtherapee-4.2/debian/changelog 2014-10-26 14:00:08.000000000 +0100 +++ rawtherapee-4.2/debian/changelog 2015-05-16 19:09:19.000000000 +0200 @@ -1,3 +1,10 @@ +rawtherapee (4.2-1+deb8u1) jessie-security; urgency=high + + * Add patch debian/patches/02-fix_CVE-2015-3885.patch: + - Fix dcraw imput sanitization errors (CVE-2015-3885) + + -- Philip Rinn <rinni@inventati.org> Thu, 16 May 2015 19:09:23 +0200 + rawtherapee (4.2-1) unstable; urgency=medium * New upstream release: diff -Nru rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch --- rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100 +++ rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 2015-05-14 17:41:45.000000000 +0200 
@@ -0,0 +1,28 @@ +Author: Philip Rinn <rinni@inventati.org> +Description: Fix CVE-2015-3885 +Source: https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e +Last-update: 2015-05-14 +--- a/rtengine/dcraw.c ++++ b/rtengine/dcraw.c +@@ -824,7 +824,8 @@ + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + +--- a/rtengine/dcraw.cc ++++ b/rtengine/dcraw.cc +@@ -787,7 +787,8 @@ + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + diff -Nru rawtherapee-4.2/debian/patches/series rawtherapee-4.2/debian/patches/series --- rawtherapee-4.2/debian/patches/series 2014-10-26 13:55:22.000000000 +0100 +++ rawtherapee-4.2/debian/patches/series 2015-05-14 17:30:07.000000000 +0200 @@ -1 +1,2 @@ 01-fix_build_race-condition.patch +02-fix_CVE-2015-3885.patch
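Review bot: the new debian/changelog entry targets jessie-security, but this request is a jessie-pu upload for an issue marked no-dsa, so the distribution field should read jessie. In the same entry "imput" should be "input", and the trailer says "Thu, 16 May 2015" although 16 May 2015 was a Saturday; regenerating the trailer line with dch would remove the mismatch.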
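Review bot: in both ljpeg_start hunks of 02-fix_CVE-2015-3885.patch (dcraw.c and dcraw.cc) the fix rests entirely on narrowing len from int to ushort, which, assuming ushort is a 16-bit unsigned short, keeps it non-negative and at most 0xFFFF so that it always fits uchar data[0x10000], yet nothing in the code says so. A one-line comment beside "ushort len;" would keep a later cleanup from widening the type again. The patch header would also be easier to audit with a Description that states what is changed in which files, and DEP-3 names the field for the upstream commit Origin rather than Source.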
--- End Message ---
--- Begin Message ---
- To: 782381-done@bugs.debian.org, 785573-done@bugs.debian.org, 785780-done@bugs.debian.org, 787067-done@bugs.debian.org, 787299-done@bugs.debian.org, 787478-done@bugs.debian.org, 787635-done@bugs.debian.org, 787642-done@bugs.debian.org, 787692-done@bugs.debian.org, 787806-done@bugs.debian.org, 787867-done@bugs.debian.org, 787904-done@bugs.debian.org, 787952-done@bugs.debian.org, 788054-done@bugs.debian.org, 788110-done@bugs.debian.org, 788241-done@bugs.debian.org, 788283-done@bugs.debian.org, 788531-done@bugs.debian.org, 788608-done@bugs.debian.org, 788612-done@bugs.debian.org, 788615-done@bugs.debian.org, 788665-done@bugs.debian.org, 788928-done@bugs.debian.org, 788938-done@bugs.debian.org, 789189-done@bugs.debian.org, 789393-done@bugs.debian.org, 789724-done@bugs.debian.org, 789786-done@bugs.debian.org, 790060-done@bugs.debian.org, 790245-done@bugs.debian.org, 790833-done@bugs.debian.org, 790939-done@bugs.debian.org, 791792-done@bugs.debian.org, 792369-done@bugs.debian.org, 792452-done@bugs.debian.org, 793020-done@bugs.debian.org, 793163-done@bugs.debian.org, 793430-done@bugs.debian.org, 793470-done@bugs.debian.org, 793688-done@bugs.debian.org, 794003-done@bugs.debian.org, 794090-done@bugs.debian.org, 794407-done@bugs.debian.org, 795165-done@bugs.debian.org, 795271-done@bugs.debian.org, 795491-done@bugs.debian.org, 795706-done@bugs.debian.org, 795794-done@bugs.debian.org, 795911-done@bugs.debian.org, 795947-done@bugs.debian.org, 796088-done@bugs.debian.org, 796112-done@bugs.debian.org, 796379-done@bugs.debian.org, 796573-done@bugs.debian.org, 796595-done@bugs.debian.org, 796846-done@bugs.debian.org, 796975-done@bugs.debian.org, 797083-done@bugs.debian.org, 797179-done@bugs.debian.org, 797201-done@bugs.debian.org, 797209-done@bugs.debian.org, 797246-done@bugs.debian.org, 797304-done@bugs.debian.org, 797328-done@bugs.debian.org
- Subject: Closing p-u bugs for 8.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:31:07 +0100
- Message-id: <1441459867.2151.32.camel@adam-barratt.org.uk>
Version: 8.2

Hi,

These bugs correspond to updates which were included in the 8.2 point release.

Regards,

Adam
--- End Message ---