
Bug#787403: wheezy-pu: package libraw/0.14.6-2+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to oldstable/wheezy.

LibRaw package in wheezy is 0.14.6-2 at the moment and it's affected by the
security issue stated in CVE-2015-3885[1], as reported in #786788.

Debian Security Team marked the issue as "no-DSA"[2], so no need to go
through the Debian Security procedures but a simple proposed-update via the
Debian Release Team.

This same issue has been already fixed in unstable and testing with 0.16.2-1
revision upload and the p-u 0.16.0.9+deb8u1 on jessie (already accepted for
next point release).

Cherry-picking and adapting the fixing git commit used in RedHat[3], I've
prepared a new libraw 0.14.6-2+deb7u1 package bundling the patch.

Attached, you'll find a debdiff for it.

Thanks for considering.


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
[2] https://security-tracker.debian.org/tracker/CVE-2015-3885
[3] https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff


-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.14.6/debian/changelog libraw-0.14.6/debian/changelog
--- libraw-0.14.6/debian/changelog	2012-05-27 12:17:21.000000000 +0200
+++ libraw-0.14.6/debian/changelog	2015-05-28 14:15:32.000000000 +0200
@@ -1,3 +1,15 @@
+libraw (0.14.6-2+deb7u1) wheezy; urgency=high
+
+  * debian/patches/: patchset updated
+    - 0001-Fix_CVE-2015-3885.patch added (Closes: #786788)
+      | Integer overflow in the ljpeg_start function
+      | in dcraw 7.00 and earlier allows remote attackers
+      | to cause a denial of service (crash) via a
+      | crafted image, which triggers a buffer overflow,
+      | related to the len variable.
+
+ -- Matteo F. Vescovi <mfv@debian.org>  Thu, 28 May 2015 14:15:10 +0200
+
 libraw (0.14.6-2) unstable; urgency=low
 
   * Team upload.
diff -Nru libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch
--- libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch	2015-05-27 21:35:09.000000000 +0200
@@ -0,0 +1,46 @@
+From: Nils Philippsen <nils@redhat.com>
+Date: Wed, 27 May 2015 21:28:03 +0200
+Subject: Fix_CVE-2015-3885
+
+Avoid overflowing array
+
+When reading raw image files containing lossless JPEG data, headers could be
+manipulated to make the signed int variable 'len' negative which specifies
+how much actual data follows. Interpreted as unsigned, this could lead to
+reading file data past the 64k boundary of the array used for storing it.
+To avoid that, make 'len' unsigned short, and bail out early if its value
+would become invalid (i.e. <= 0).
+
+Signed-off-by: Matteo F. Vescovi <mfv@debian.org>
+
+Git-Dch: Short
+---
+ dcraw/dcraw.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
+index 9985f41..14ee66a 100644
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -787,7 +787,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+@@ -798,8 +799,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+   do {
+     fread (data, 2, 2, ifp);
+     tag =  data[0] << 8 | data[1];
+-    len = (data[2] << 8 | data[3]) - 2;
+-    if (tag <= 0xff00) return 0;
++    len = (data[2] << 8 | data[3]);
++    if (tag <= 0xff00 || len <= 2) return 0;
++    len -= 2;
+     fread (data, 1, len, ifp);
+     switch (tag) {
+       case 0xffc3:
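Review bot: the patch header (lines "From:" through "Git-Dch: Short") carries no DEP-3 provenance fields, even though the cover mail says the fix was cherry-picked from the Red Hat bugzilla attachment and closes #786788; adding "Origin: https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff" and "Bug-Debian: https://bugs.debian.org/786788" (plus a "Last-Update:" line) would let the security tracker and later maintainers trace where this backport came from without reading the bug mail. On the code itself the change looks right for the described problem: with "len" now a "ushort" the guard "if (tag <= 0xff00 || len <= 2) return 0;" is evaluated before the subtraction, so "len -= 2" can never wrap and the following "fread (data, 1, len, ifp);" is bounded by 0xfffd, inside the 0x10000-byte "data" buffer; the "<= 2" test is exactly the "(i.e. <= 0)" condition from the description applied to the pre-subtraction value. One pre-existing weakness the hunk leaves untouched, and that is worth a follow-up rather than a block on this upload: the return value of "fread (data, 2, 2, ifp);" is not checked, so on a short read "data[2]" and "data[3]" keep whatever the previous segment left there and "len" is derived from stale bytes.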
diff -Nru libraw-0.14.6/debian/patches/series libraw-0.14.6/debian/patches/series
--- libraw-0.14.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.14.6/debian/patches/series	2015-05-27 21:35:09.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix_CVE-2015-3885.patch
