
Bug#787692: release.debian.org: jessie-pu: package ufraw/0.20-2+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I have fixed the security issue below for ufraw.  The security team has
marked the issue as no-dsa, but has suggested that it be fixed via
jessie-pu.

Here is an interdiff between the current jessie version and the updated
version:

diff -u ufraw-0.20/dcraw.cc ufraw-0.20/dcraw.cc
--- ufraw-0.20/dcraw.cc
+++ ufraw-0.20/dcraw.cc
@@ -934,8 +934,7 @@
 
 int CLASS ljpeg_start (struct jhead *jh, int info_only)
 {
-  int c, tag;
-  ushort len;
+  int c, tag, len;
   uchar data[0x10000];
   const uchar *dp;
 
@@ -946,9 +945,8 @@
   do {
     fread (data, 2, 2, ifp);
     tag =  data[0] << 8 | data[1];
-    len = (data[2] << 8 | data[3]);
-    if (tag <= 0xff00 || len <= 2) return 0;
-    len -= 2;
+    len = (data[2] << 8 | data[3]) - 2;
+    if (tag <= 0xff00) return 0;
     fread (data, 1, len, ifp);
     switch (tag) {
       case 0xffc3:
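Review bot: The `+` side of this hunk passes `len` to `fread (data, 1, len, ifp)` with no lower-bound check. `len = (data[2] << 8 | data[3]) - 2` is -2 or -1 when the length field is 0 or 1, and with `len` declared `int` on the `+` side of the previous hunk, that value converts to a very large count against the 0x10000-byte `data` buffer. The `len <= 2` test that guards this is on the `-` side, so the interdiff reads as reversed relative to the stated intent; please regenerate it from the current jessie version to the updated one so the check shows as added. Separately, the return value of `fread (data, 2, 2, ifp)` is not checked before `data[0]` through `data[3]` are used.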
diff -u ufraw-0.20/debian/changelog ufraw-0.20/debian/changelog
--- ufraw-0.20/debian/changelog
+++ ufraw-0.20/debian/changelog
@@ -1,11 +1,3 @@
-ufraw (0.20-2+deb8u1) jessie-security; urgency=high
-
-  * dcraw.cc: Apply patch from
-    https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff to
-    prevent buffer overflow in ljpeg_start (Closes: #786783, CVE-2015-3885)
-
- -- Hubert Chathi <uhoreg@debian.org>  Tue, 26 May 2015 14:44:00 -0400
-
 ufraw (0.20-2) unstable; urgency=low
 
   * ufraw-gimp.c: Apply upstream patch: Only use
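Review bot: The 0.20-2+deb8u1 entry names `jessie-security` with `urgency=high`, while the request says the security team marked the issue no-dsa and asks for a jessie-pu upload; the distribution field should be the one used for stable updates (normally `jessie`) rather than the security suite. The entry also appears as removed (`-`) here, consistent with the reversed direction of the dcraw.cc hunks, so it should show as added once the interdiff is regenerated.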


On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <carnil@debian.org> said:

> the following vulnerability was published for ufraw.

> CVE-2015-3885[0]:
> | Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier
> | allows remote attackers to cause a denial of service (crash) via a
> | crafted image, which triggers a buffer overflow, related to the len
> | variable.


-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
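
The length handling described in the quoted CVE text, as an added example that is not part of the original report or of the ufraw/dcraw source: it contrasts the unchecked `len` computation with the checked one, and bounds the copy by the bytes actually present. All function names and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 4-byte segment headers: tag (2 bytes), length field (2 bytes). */
static const uint8_t zero_len[4] = {0xff, 0xc4, 0x00, 0x00};
static const uint8_t one_len[4]  = {0xff, 0xc4, 0x00, 0x01};
/* Constructed segments: a valid one (3 payload bytes) and a truncated one. */
static const uint8_t ok_seg[7]    = {0xff, 0xc3, 0x00, 0x05, 0xaa, 0xbb, 0xcc};
static const uint8_t short_seg[5] = {0xff, 0xc3, 0x00, 0x10, 0xaa};
static uint8_t out_buf[16];

/* Unchecked form: length field minus 2 in a signed int, then converted to
 * size_t the way a read call's count argument would be. */
size_t unchecked_count(const uint8_t hdr[4])
{
    int len = (hdr[2] << 8 | hdr[3]) - 2;
    return (size_t)len;               /* -2 and -1 wrap to huge counts */
}

/* Checked form: payload length, or -1 for a bad tag or a length field <= 2. */
long checked_payload_len(const uint8_t hdr[4])
{
    unsigned tag = (unsigned)hdr[0] << 8 | hdr[1];
    unsigned len = (unsigned)hdr[2] << 8 | hdr[3];
    if (tag <= 0xff00 || len <= 2) return -1;
    return (long)(len - 2);
}

/* Hypothetical helper: copy one payload from an in-memory input, bounding the
 * count by both the destination capacity and the bytes actually present. */
long read_segment(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap)
{
    if (in_len < 4) return -1;        /* header itself is incomplete */
    long n = checked_payload_len(in);
    if (n < 0 || (size_t)n > cap || (size_t)n > in_len - 4) return -1;
    memcpy(out, in + 4, (size_t)n);
    return n;
}

int main(void)
{
    printf("unchecked, length field 0: %zu\n", unchecked_count(zero_len));
    printf("unchecked, length field 1: %zu\n", unchecked_count(one_len));
    printf("checked, length field 0: %ld\n", checked_payload_len(zero_len));
    printf("valid segment: %ld\n", read_segment(ok_seg, sizeof ok_seg, out_buf, sizeof out_buf));
    printf("truncated segment: %ld\n", read_segment(short_seg, sizeof short_seg, out_buf, sizeof out_buf));
    return 0;
}
```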

