Review squeeze-lts exactimage/0.8.1-3+deb6u4
Hi,
I'd like to upload the attached patch to squeeze-lts to fix #786785
(CVE-2015-3885). The security team marked this one as no-dsa (therefore also
no DLA). The change matches exactimage 0.9.1-5 + the backported "dependency"
patch to get the ljpeg_start result validation after the ljpeg_start call. The
latter change was in unstable before 0.9.1-5 and is required to test the
patch.
Sorry for not completely following the steps from the wiki page [2]. The
access for secure-testing was granted but the commit rights/groups are
not yet synced). I was also not able to find a lot of similar review requests
(as example for my own) but still want some feedback before trying my first
upload to squeeze-lts. Sorry when this review request is not in the correct
format.
Just some information to the patch (taken from my mail to the security team):
The patch was not tested against any official "special crafted image" because
none was provided with the CVE. Instead a raw image was downloaded [1] and
modified to have the len at 0x13800+0x13801 set to 0. This causes an underflow
+ endless loop in the original version of dcraw. But this also showed that the
wheezy/jessie version of exactimage did ljpeg_start() + the jh.*
validation in the wrong order and thus made the jh.* validation read
"uninintialized" data from the stack. This additional problem was fixed in an
extra patch "draw_jpeg_fix.patch". The original dcraw problem could be
reproduced after that jh.* patch was applied without the CVE fix. The test was
run via:
$ econvert -i RAW_CANON_EOS_5DMARK3.CR2 -o test.png
The versions of exactimage with both patches doesn't crash or hang anymore
when testing with the modified RAW_CANON_EOS_5DMARK3.CR2.
The patch is the one from rawstudio with a minor context adjustment to make it
apply in the squeeze version of exactimage.
Kind regards,
Sven
[1] http://www.rawsamples.ch/raws/canon/RAW_CANON_EOS_5DMARK3.CR2
[2] https://wiki.debian.org/LTS/Development#Prepare_security_updates_for_squeeze-lts
diff -Nru exactimage-0.8.1/debian/changelog exactimage-0.8.1/debian/changelog
--- exactimage-0.8.1/debian/changelog 2013-09-10 00:06:06.000000000 +0200
+++ exactimage-0.8.1/debian/changelog 2015-05-25 19:29:28.000000000 +0200
@@ -1,3 +1,14 @@
+exactimage (0.8.1-3+deb6u4) squeeze-lts; urgency=high
+
+ * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
+ * debian/patches:
+ - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
+ (Closes: #786785)
+ - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
+ result check
+
+ -- Sven Eckelmann <sven@narfation.org> Mon, 25 May 2015 18:03:23 +0200
+
exactimage (0.8.1-3+deb6u3) oldstable-security; urgency=high
* Add debian/patches/CVE-2013-1441.patch,
diff -Nru exactimage-0.8.1/debian/patches/CVE-2015-3885.patch exactimage-0.8.1/debian/patches/CVE-2015-3885.patch
--- exactimage-0.8.1/debian/patches/CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.1/debian/patches/CVE-2015-3885.patch 2015-05-25 19:29:28.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Avoid overflow in ljpeg_start().
+Author: Anders Brander <anders@brander.dk>
+Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 0436d34a40ee515a65513a7217dec97b3cde8946..8f56add58755843ace29b71c659b6173569f8e9a 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -836,7 +836,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000], *dp;
+
+ init_decoder();
diff -Nru exactimage-0.8.1/debian/patches/draw_jpeg_fix.patch exactimage-0.8.1/debian/patches/draw_jpeg_fix.patch
--- exactimage-0.8.1/debian/patches/draw_jpeg_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.1/debian/patches/draw_jpeg_fix.patch 2015-05-25 19:29:28.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix execution order of ljpeg_start() and result check
+Author: René Rebe <rene@exactcode.de>
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 8f56add58755843ace29b71c659b6173569f8e9a..66e32cf185f681657edda3c372b50b1d7b24b2c3 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -954,12 +954,12 @@ void CLASS lossless_jpeg_load_raw()
+ int min=INT_MAX;
+ ushort *rp;
+
+- if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+- longjmp (failure, 2);
+-
+ if (!ljpeg_start (&jh, 0)) return;
+ jwide = jh.wide * jh.clrs;
+
++ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++ longjmp (failure, 2);
++
+ for (jrow=0; jrow < jh.high; jrow++) {
+ rp = ljpeg_row (jrow, &jh);
+ for (jcol=0; jcol < jwide; jcol++) {
diff -Nru exactimage-0.8.1/debian/patches/series exactimage-0.8.1/debian/patches/series
--- exactimage-0.8.1/debian/patches/series 2013-09-10 00:06:06.000000000 +0200
+++ exactimage-0.8.1/debian/patches/series 2015-05-25 19:29:28.000000000 +0200
@@ -4,3 +4,5 @@
abs-int64_t.diff
CVE-2013-1438.patch
CVE-2013-1441.patch
+CVE-2015-3885.patch
+draw_jpeg_fix.patch
Reply to: