
Re: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow



Dear Stable Release Managers,

I have fixed the security issue below for ufraw.  The security team has
marked the issue as no-dsa, but has suggested that it be fixed via
jessie-pu.  Please let us know whether this update will be allowed.  (I
understand that we'll miss the point release this Saturday.)

Here is an interdiff between the current jessie version and the updated
version:

diff -u ufraw-0.20/dcraw.cc ufraw-0.20/dcraw.cc
--- ufraw-0.20/dcraw.cc
+++ ufraw-0.20/dcraw.cc
@@ -934,8 +934,7 @@
 
 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag;
-  ushort len;
+  int c, tag, len;
   uchar data[0x10000];
   const uchar *dp;
 
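Review bot: the polarity of this hunk looks inverted with respect to the cover text: the `-` side carries `ushort len;`, the bounded type that the CVE fix introduces, while the `+` side brings back `int c, tag, len;`. Read together with the changelog hunk below, which removes the `0.20-2+deb8u1` entry, this looks like `interdiff` was run with its two arguments swapped (new before old). Please regenerate the interdiff in the right direction before the SRMs review it, so that the `+` lines are the code actually being proposed for jessie.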
@@ -946,9 +945,8 @@
   do {
     fread (data, 2, 2, ifp);
     tag =  data[0] << 8 | data[1];
-    len = (data[2] << 8 | data[3]);
-    if (tag <= 0xff00 || len <= 2) return 0;
-    len -= 2;
+    len = (data[2] << 8 | data[3]) - 2;
+    if (tag <= 0xff00) return 0;
     fread (data, 1, len, ifp);
     switch (tag) {
       case 0xffc3:
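Review bot: on the `+` side there is no lower bound on the marker length before it is handed to `fread`: `len = (data[2] << 8 | data[3]) - 2;` with `int len` yields -2 or -1 for a 16-bit length field of 0 or 1, and `fread (data, 1, len, ifp);` converts that to a huge `size_t`, overrunning the 0x10000-byte `data` array on the stack. The `-` side's `if (tag <= 0xff00 || len <= 2) return 0;` before `len -= 2;` is what closes that hole, and with `ushort len` the post-subtraction value is at most 0xfffd, which always fits in `data`. If this hunk is applied as printed it reintroduces the overflow rather than fixing it; if the diff is simply reversed, the `-` side is the correct target and the only thing to change is the direction of the interdiff.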
diff -u ufraw-0.20/debian/changelog ufraw-0.20/debian/changelog
--- ufraw-0.20/debian/changelog
+++ ufraw-0.20/debian/changelog
@@ -1,11 +1,3 @@
-ufraw (0.20-2+deb8u1) jessie-security; urgency=high
-
-  * dcraw.cc: Apply patch from
-    https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff to
-    prevent buffer overflow in ljpeg_start (Closes: #786783, CVE-2015-3885)
-
- -- Hubert Chathi <uhoreg@debian.org>  Tue, 26 May 2015 14:44:00 -0400
-
 ufraw (0.20-2) unstable; urgency=low
 
   * ufraw-gimp.c: Apply upstream patch: Only use
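
Review bot: this hunk drops the `ufraw (0.20-2+deb8u1)` changelog entry instead of adding it, which again points to the interdiff being generated in the wrong direction; the p-u update needs that entry present. Separately, the entry as written targets `jessie-security` with `urgency=high`, but the cover text says the security team marked this no-dsa and asked for it to go through jessie-pu; an upload to proposed-updates should name the distribution `jessie` in debian/changelog, or dak will not accept it into jessie-proposed-updates. Please fix the distribution (and consider `urgency=medium`, since this is not going out as a DSA) when regenerating the package.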


On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <carnil@debian.org> said:

> the following vulnerability was published for ufraw.

> CVE-2015-3885[0]:
> | Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier
> | allows remote attackers to cause a denial of service (crash) via a
> | crafted image, which triggers a buffer overflow, related to the len
> | variable.

-- 
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
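
The two variants of the length handling that appear in the dcraw.cc hunks above, side by side on a constructed JPEG marker header. This is an added example written for this page, not code from ufraw, dcraw or the poster: it reproduces only the arithmetic that decides how many bytes `ljpeg_start` asks `fread` for, and reports that count instead of performing the read, so it is safe to run. The buffer size 0x10000, the SOF3 tag 0xffc3 and the `tag <= 0xff00` guard are taken from the hunks; `make_header`, `vulnerable_read_len` and `fixed_read_len` are names chosen here.

```c
/* Added example, not ufraw/dcraw code. Models the byte count that
 * ljpeg_start() would pass to fread() for one marker segment, under the
 * unbounded-int variant and the ushort + `len <= 2` guard variant. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DATA_SIZE 0x10000   /* uchar data[0x10000] in ljpeg_start */

/* Constructed 4-byte marker header (not taken from any real file):
 * 16-bit big-endian tag followed by a 16-bit big-endian segment length. */
static void make_header(unsigned char hdr[4], unsigned tag, unsigned len16)
{
    hdr[0] = (unsigned char)(tag >> 8);
    hdr[1] = (unsigned char)(tag & 0xff);
    hdr[2] = (unsigned char)(len16 >> 8);
    hdr[3] = (unsigned char)(len16 & 0xff);
}

/* `int len; len = (data[2] << 8 | data[3]) - 2;` with only the tag check.
 * Returns the size_t that fread(data, 1, len, ifp) would receive, or 0 when
 * the tag check bails out; *overflows is set when that count exceeds the
 * on-stack buffer. A length field of 0 or 1 makes len negative, and the
 * implicit int -> size_t conversion at the fread call turns it into a count
 * in the billions. */
size_t vulnerable_read_len(const unsigned char hdr[4], int *overflows)
{
    int tag = hdr[0] << 8 | hdr[1];
    int len = (hdr[2] << 8 | hdr[3]) - 2;
    if (tag <= 0xff00) { *overflows = 0; return 0; }
    size_t n = (size_t)len;          /* -2 becomes SIZE_MAX - 1 here */
    *overflows = n > DATA_SIZE;
    return n;
}

/* `ushort len;` with `if (tag <= 0xff00 || len <= 2) return 0; len -= 2;`.
 * Rejects the degenerate lengths before subtracting, so the result is in
 * [1, 0xfffd] and always fits in data[DATA_SIZE]. */
size_t fixed_read_len(const unsigned char hdr[4], int *overflows)
{
    int tag = hdr[0] << 8 | hdr[1];
    unsigned short len = (unsigned short)(hdr[2] << 8 | hdr[3]);
    *overflows = 0;
    if (tag <= 0xff00 || len <= 2) return 0;
    len -= 2;
    return len;
}

int main(void)
{
    unsigned char hdr[4];
    unsigned lens[] = { 0, 1, 2, 3, 0xffff };
    int ov;
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_header(hdr, 0xffc3, lens[i]);   /* SOF3 marker, as in the hunk */
        size_t v = vulnerable_read_len(hdr, &ov);
        printf("len16=%#06x  int variant: fread count %zu%s\n",
               lens[i], v, ov ? "  <-- overruns data[0x10000]" : "");
        size_t f = fixed_read_len(hdr, &ov);
        printf("              guarded:     fread count %zu%s\n",
               f, f == 0 ? " (segment rejected)" : "");
    }
    return 0;
}
```

Running it shows the point the CVE text makes: a length field of 0 or 1 is harmless to the guarded variant (the segment is rejected and `ljpeg_start` returns 0) but hands the `int` variant a count far larger than the 64 KiB stack buffer, while every length from 3 upward produces the same read size in both variants.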

