
Bug#786982: jessie-pu: package libraw/0.16.0-9+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to stable/jessie.

The LibRaw package in jessie is currently 0.16.0-9 and it is affected by
the security issue described in CVE-2015-3885[1], as reported in #786788
(wheezy is also affected, and I'll prepare a wheezy pu for that too).

Upstream already fixed the problem in version 0.16.1, released on
May 11th; after that, another minor release was made (namely 0.16.2,
released on May 16th), and I eventually used the latter to fix the
security hole in unstable and testing.

The Debian Security Team marked the issue as "no-DSA"[3], so there is no
need to go through the Debian Security procedures; a simple
proposed-update via the Debian Release Team is enough.

By cherry-picking and adapting the upstream fix commit[2], I've prepared a
new libraw 0.16.0-9+deb8u1 package bundling the resulting patch.

Attached, you'll find a debdiff for it.

Thanks for considering.


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
[2] https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
[3] https://security-tracker.debian.org/tracker/CVE-2015-3885

-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.16.0/debian/changelog libraw-0.16.0/debian/changelog
--- libraw-0.16.0/debian/changelog	2015-05-26 18:31:17.000000000 +0200
+++ libraw-0.16.0/debian/changelog	2015-05-27 14:10:09.000000000 +0200
@@ -1,3 +1,15 @@
+libraw (0.16.0-9+deb8u1) stable; urgency=high
+
+  * debian/patches/: patchset updated
+    - 0001-Fix_CVE-2015-3885.patch added
+      | Integer overflow in the ljpeg_start function
+      | in dcraw 7.00 and earlier allows remote attackers
+      | to cause a denial of service (crash) via a
+      | crafted image, which triggers a buffer overflow,
+      | related to the len variable.
+
+ -- Matteo F. Vescovi <mfvescovi@gmail.com>  Tue, 26 May 2015 18:09:20 +0200
+
 libraw (0.16.0-9) unstable; urgency=medium
 
   * debian/control: strictly build-depends on libjpeg-dev.
diff -Nru libraw-0.16.0/debian/patches/0001-Fix_CVE-2015-3885.patch libraw-0.16.0/debian/patches/0001-Fix_CVE-2015-3885.patch
--- libraw-0.16.0/debian/patches/0001-Fix_CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.16.0/debian/patches/0001-Fix_CVE-2015-3885.patch	2015-05-27 14:10:09.000000000 +0200
@@ -0,0 +1,169 @@
+From: "Matteo F. Vescovi" <mfv@debian.org>
+Date: Tue, 26 May 2015 14:04:20 +0200
+Subject: Fix_CVE-2015-3885
+
+"Input sanitization flaw leading to buffer overflow"
+
+Signed-off-by: Matteo F. Vescovi <mfv@debian.org>
+---
+ dcraw/dcraw.c             |  3 ++-
+ internal/dcraw_common.cpp | 15 ++++++++++++++-
+ internal/dcraw_fileio.cpp |  4 ++++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
+index 9e621ed..4f72aee 100644
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -768,7 +768,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index d01185d..ac55074 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -21,6 +21,7 @@ it under the terms of the one of three licenses as you choose:
+    for more information
+ */
+ 
++#line 261 "dcraw/dcraw.c"
+ #include <math.h>
+ #define CLASS LibRaw::
+ #include "libraw/libraw_types.h"
+@@ -29,6 +30,7 @@ it under the terms of the one of three licenses as you choose:
+ #include "libraw/libraw.h"
+ #include "internal/defines.h"
+ #include "internal/var_defines.h"
++#line 272 "dcraw/dcraw.c"
+ int CLASS fcol (int row, int col)
+ {
+   static const char filter[16][16] =
+@@ -75,6 +77,7 @@ char *my_strcasestr (char *haystack, const char *needle)
+ }
+ #define strcasestr my_strcasestr
+ #endif
++#line 340 "dcraw/dcraw.c"
+ ushort CLASS sget2 (uchar *s)
+ {
+   if (order == 0x4949)		/* "II" means little-endian */
+@@ -564,10 +567,12 @@ void CLASS canon_load_raw()
+ #endif
+   FORC(2) free (huff[c]);
+ }
++#line 841 "dcraw/dcraw.c"
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+@@ -1153,6 +1158,7 @@ int CLASS minolta_z2()
+     if (tail[i]) nz++;
+   return nz > 20;
+ }
++#line 1436 "dcraw/dcraw.c"
+ void CLASS ppm_thumb()
+ {
+   char *thumb;
+@@ -2976,6 +2982,7 @@ void CLASS redcine_load_raw()
+ #endif
+ #endif
+ }
++#line 3983 "dcraw/dcraw.c"
+ void CLASS crop_masked_pixels()
+ {
+   int row, col;
+@@ -3081,6 +3088,7 @@ void CLASS remove_zeroes()
+   RUN_CALLBACK(LIBRAW_PROGRESS_REMOVE_ZEROES,1,2);
+ #endif
+ }
++#line 4254 "dcraw/dcraw.c"
+ void CLASS gamma_curve (double pwr, double ts, int mode, int imax)
+ {
+   int i;
+@@ -4790,6 +4798,7 @@ void CLASS parse_thumb_note (int base, unsigned toff, unsigned tlen)
+     fseek (ifp, save, SEEK_SET);
+   }
+ }
++#line 5968 "dcraw/dcraw.c"
+ void CLASS parse_makernote (int base, int uptag)
+ {
+   static const uchar xlat[2][256] = {
+@@ -5349,6 +5358,7 @@ void CLASS parse_kodak_ifd (int base)
+     fseek (ifp, save, SEEK_SET);
+   }
+ }
++#line 6533 "dcraw/dcraw.c"
+ int CLASS parse_tiff_ifd (int base)
+ {
+   unsigned entries, tag, type, len, plen=16, save;
+@@ -6644,6 +6654,7 @@ void CLASS parse_redcine()
+     data_offset = get4();
+   }
+ }
++#line 7936 "dcraw/dcraw.c"
+ 
+ /*
+    All matrices are from Adobe DNG Converter unless otherwise noted.
+@@ -8919,6 +8930,7 @@ notraw:
+ }
+ 
+ 
++#line 10303 "dcraw/dcraw.c"
+ void CLASS convert_to_rgb()
+ {
+ #ifndef LIBRAW_LIBRARY_BUILD
+@@ -9149,6 +9161,7 @@ int CLASS flip_index (int row, int col)
+   if (flip & 1) col = iwidth  - 1 - col;
+   return row * iwidth + col;
+ }
++#line 10559 "dcraw/dcraw.c"
+ void CLASS tiff_set (ushort *ntag,
+ 	ushort tag, ushort type, int count, int val)
+ {
+diff --git a/internal/dcraw_fileio.cpp b/internal/dcraw_fileio.cpp
+index 874cd1b..06933de 100644
+--- a/internal/dcraw_fileio.cpp
++++ b/internal/dcraw_fileio.cpp
+@@ -21,6 +21,7 @@ it under the terms of the one of three licenses as you choose:
+    for more information
+ */
+ 
++#line 4091 "dcraw/dcraw.c"
+ #include <math.h>
+ #define CLASS LibRaw::
+ #include "libraw/libraw_types.h"
+@@ -28,6 +29,7 @@ it under the terms of the one of three licenses as you choose:
+ #include "libraw/libraw.h"
+ #include "internal/defines.h"
+ #include "internal/var_defines.h"
++#line 4102 "dcraw/dcraw.c"
+ /*
+    Seach from the current directory up to the root looking for
+    a ".badpixels" file, and fix those pixels now.
+@@ -52,6 +54,7 @@ void CLASS bad_pixels (const char *cfname)
+ #endif
+   if (cfname)
+     fp = fopen (cfname, "r");
++#line 4152 "dcraw/dcraw.c"
+   if (!fp)
+       {
+ #ifdef LIBRAW_LIBRARY_BUILD
+@@ -151,6 +154,7 @@ void CLASS subtract (const char *fname)
+   RUN_CALLBACK(LIBRAW_PROGRESS_DARK_FRAME,1,2);
+ #endif
+ }
++#line 10214 "dcraw/dcraw.c"
+ #ifndef NO_LCMS
+ void CLASS apply_profile (const char *input, const char *output)
+ {
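Review bot: The only functional change in this patch is narrowing `len` from `int` to `ushort` in `ljpeg_start` (both the `dcraw/dcraw.c` and `internal/dcraw_common.cpp` copies), and the body where `len` is computed and presumably used as a read length into `data` lies outside the hunk, so the patch should state why the narrowing is sufficient instead of leaving the reader to reconstruct it. A comment beside the declaration such as `/* ushort (16-bit): every value fits in data[0x10000], so a short or wrapped length can no longer size an oversized read (CVE-2015-3885) */`, or an explicit check of `len` against `sizeof data` before the read, would make the fix self-explaining; the `data[0x10000]` buffer is visible in both hunks, so the bound holds as long as `ushort` is 16 bits. The many `#line NNN "dcraw/dcraw.c"` insertions across `dcraw_common.cpp` and `dcraw_fileio.cpp` do not change behaviour and are unrelated to the CVE; for a stable update they enlarge the debdiff and obscure the actual fix, so I would drop them unless they are needed for the patch to apply. The DEP-3 header carries only From/Date/Subject; adding `Origin: upstream, https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5` and `Bug-Debian: https://bugs.debian.org/786788` would record provenance for anyone tracing the security tracker entry back to this change.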
diff -Nru libraw-0.16.0/debian/patches/series libraw-0.16.0/debian/patches/series
--- libraw-0.16.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.16.0/debian/patches/series	2015-05-27 14:10:09.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix_CVE-2015-3885.patch
