Bug#786918: jessie-pu: package exactimage/0.8.9-7+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to upload the attached patch to stable-proposed-updates to fix
#786785 (CVE-2015-3885). The security team marked this one as no-dsa but asked
me to propose the fixes for a point release. Would this be ok? The change
matches exactimage 0.9.1-5 + the backported "dependency" patch to get the
ljpeg_start result validation after the ljpeg_start call. The latter change
was in unstable before 0.9.1-5 and is required to test the patch.
Just some information about the patch (taken from my mail to the security team):
The patch was not tested against any official "special crafted image" because
none was provided with the CVE. Instead a raw image was downloaded [1] and
modified to have the len at 0x13800+0x13801 set to 0. This causes an underflow
+ endless loop in the original version of dcraw. But this also showed that the
wheezy/jessie version of exactimage did ljpeg_start() + the jh.*
validation in the wrong order and thus made the jh.* validation read
"uninitialized" data from the stack. This additional problem was fixed in an
extra patch "draw_jpeg_fix.patch". The original dcraw problem could be
reproduced after that jh.* patch was applied without the CVE fix. The test was
run via:
$ econvert -i RAW_CANON_EOS_5DMARK3.CR2 -o test.png
The versions of exactimage with both patches don't crash or hang anymore
when testing with the modified RAW_CANON_EOS_5DMARK3.CR2.
The patch is the one from rawstudio mentioned in CVE-2015-3885.
Kind regards,
Sven
[1] http://www.rawsamples.ch/raws/canon/RAW_CANON_EOS_5DMARK3.CR2
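To illustrate the length underflow the report describes, here is a constructed C model, added here and not dcraw's or exactimage's code; the segment layout and the function names are assumptions. It models a JPEG-style marker segment whose 2-byte big-endian length field counts itself: the signed variant goes negative when that field is zeroed, the ushort variant used by the CVE patch wraps into a value that still fits a 0x10000-byte buffer, and a validating reader rejects the field before any payload length is derived from it.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a marker segment: 2 marker bytes followed by a
 * 2-byte big-endian length that includes its own two bytes.
 * This is not dcraw's code; the layout is an assumption for illustration. */

/* Signed-int model: subtracting the two header bytes from a zero field
 * yields a negative length, the underflow described in the report. */
int seg_payload_len_int(const uint8_t *seg)
{
    int len = (seg[2] << 8 | seg[3]) - 2;
    return len;
}

/* Unsigned 16-bit model (the type the CVE patch switches to): the same
 * arithmetic wraps to 0xFFFE, which still fits a 0x10000-byte buffer. */
unsigned short seg_payload_len_ushort(const uint8_t *seg)
{
    unsigned short len = (seg[2] << 8 | seg[3]) - 2;
    return len;
}

/* Hardened reader: validate the raw field before deriving the payload
 * length, then bound-check it against the bytes actually available.
 * Returns 1 and stores the payload length on success, 0 on a malformed
 * segment. Hypothetical helper, not part of any project. */
int read_segment(const uint8_t *buf, size_t buflen, size_t *payload_len)
{
    if (buflen < 4)
        return 0;
    unsigned raw = (unsigned)buf[2] << 8 | buf[3];
    if (raw < 2)                 /* the length must cover its own two bytes */
        return 0;
    size_t len = raw - 2;
    if (len > buflen - 4)        /* the payload must lie inside the buffer */
        return 0;
    *payload_len = len;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a valid segment with 4 payload bytes and one
     * whose length field was zeroed, like the modified sample in the report. */
    static const uint8_t good[] = {0xFF, 0xC3, 0x00, 0x06, 1, 2, 3, 4};
    static const uint8_t zero[] = {0xFF, 0xC3, 0x00, 0x00};
    size_t n = 0;

    printf("int model, zero length:    %d\n", seg_payload_len_int(zero));
    printf("ushort model, zero length: %u\n", seg_payload_len_ushort(zero));
    printf("hardened, good segment:    %d (payload %zu)\n",
           read_segment(good, sizeof good, &n), n);
    printf("hardened, zero length:     %d\n", read_segment(zero, sizeof zero, &n));
    return 0;
}
```

The type change alone turns a negative length into a large positive one, which is only safe because the scratch buffer is exactly 64 KiB; an explicit check on the raw field, as in read_segment(), rejects the malformed segment regardless of buffer size.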
diff -Nru exactimage-0.8.9/debian/changelog exactimage-0.8.9/debian/changelog
--- exactimage-0.8.9/debian/changelog 2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/changelog 2015-05-25 19:23:02.000000000 +0200
@@ -1,3 +1,14 @@
+exactimage (0.8.9-7+deb8u1) jessie; urgency=medium
+
+ * Fix CVE-2015-3885: Integer overflow in the ljpeg_start function in dcraw
+ * debian/patches:
+ - Add CVE-2015-3885.patch, Avoid overflow in ljpeg_start()
+ (Closes: #786785)
+ - Add draw_jpeg_fix.patch, Fix execution order of ljpeg_start() and
+ result check
+
+ -- Sven Eckelmann <sven@narfation.org> Mon, 25 May 2015 17:45:27 +0200
+
exactimage (0.8.9-7) unstable; urgency=medium
* debian/rules:
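Review bot: the second patch is named draw_jpeg_fix.patch but it modifies codecs/dcraw.h, so the name reads like a typo for dcraw_jpeg_fix.patch; renaming the file (in debian/patches/ and in series) before the upload would avoid confusion in later point releases. The entry could also record that the execution-order fix is a prerequisite for the CVE fix, as the bug report explains, so the two lines are not later treated as independent.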
diff -Nru exactimage-0.8.9/debian/patches/CVE-2015-3885.patch exactimage-0.8.9/debian/patches/CVE-2015-3885.patch
--- exactimage-0.8.9/debian/patches/CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/CVE-2015-3885.patch 2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Avoid overflow in ljpeg_start().
+Author: Anders Brander <anders@brander.dk>
+Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index b115191c2f8f049e8ad933e0f83de52568413ec2..2f24f0f73744520a87cf6dc2eeb7dea84e83a563 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -775,7 +775,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
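Review bot: the hunk changes only the declaration of len from int to ushort, so the fix depends on every later use of len in ljpeg_start() being safe for a value up to 0xFFFF against the 0x10000-byte data[] buffer; none of those uses appear in the context lines, so a sentence in the Description explaining why the unsigned 16-bit width bounds the read would make the backport easier to review. The DEP-3 header is also missing the bug links; adding `Bug-Debian: https://bugs.debian.org/786785` alongside the existing Origin line would tie the patch to the bug it closes.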
diff -Nru exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch
--- exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ exactimage-0.8.9/debian/patches/draw_jpeg_fix.patch 2015-05-25 19:23:02.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix execution order of ljpeg_start() and result check
+Author: René Rebe <rene@exactcode.de>
+
+---
+diff --git a/codecs/dcraw.h b/codecs/dcraw.h
+index 2f24f0f73744520a87cf6dc2eeb7dea84e83a563..5584fef46c9759776475683a17d252b723a58ee5 100644
+--- a/codecs/dcraw.h
++++ b/codecs/dcraw.h
+@@ -893,12 +893,12 @@ void CLASS lossless_jpeg_load_raw()
+ struct jhead jh;
+ ushort *rp;
+
+- if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
+- longjmp (failure, 2);
+-
+ if (!ljpeg_start (&jh, 0)) return;
+ jwide = jh.wide * jh.clrs;
+
++ if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++ longjmp (failure, 2);
++
+ for (jrow=0; jrow < jh.high; jrow++) {
+ rp = ljpeg_row (jrow, &jh);
+ if (load_flags & 1)
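Review bot: the moved validation now runs after `jwide = jh.wide * jh.clrs;`, so that product is computed from fields that have not yet been checked; placing the two lines `if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)` / `longjmp (failure, 2);` directly after `if (!ljpeg_start (&jh, 0)) return;` and before the jwide assignment keeps the check ahead of any use of jh. The patch header also has no Origin or Forwarded field even though the Author is upstream; stating whether this matches the upstream change would help later maintainers.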
diff -Nru exactimage-0.8.9/debian/patches/series exactimage-0.8.9/debian/patches/series
--- exactimage-0.8.9/debian/patches/series 2014-08-30 15:47:09.000000000 +0200
+++ exactimage-0.8.9/debian/patches/series 2015-05-25 19:23:02.000000000 +0200
@@ -13,3 +13,5 @@
libgif.patch
ftbfs_evas_object.patch
perl_vendor_dir.patch
+CVE-2015-3885.patch
+draw_jpeg_fix.patch
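Review bot: the order of the two new entries is mandatory rather than cosmetic: the index line of draw_jpeg_fix.patch expects blob 2f24f0f73744520a87cf6dc2eeb7dea84e83a563, which is the post-image hash that CVE-2015-3885.patch produces, so applying them in the reverse order fails; a short note in the patch header or changelog recording that dependency would prevent an accidental reorder.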