Bug#788241: jessie-pu: package rawtherapee/4.2-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
rawtherapee is affected by the security issue CVE-2015-3885[1]. It's marked no-dsa, that's why I want to coordinate the update with you.
I attached the debdiff.
Best,
Philip
[1]https://security-tracker.debian.org/tracker/CVE-2015-3885
diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog
--- rawtherapee-4.2/debian/changelog 2014-10-26 14:00:08.000000000 +0100
+++ rawtherapee-4.2/debian/changelog 2015-05-16 19:09:19.000000000 +0200
@@ -1,3 +1,10 @@
+rawtherapee (4.2-1+deb8u1) jessie-security; urgency=high
+
+ * Add patch debian/patches/02-fix_CVE-2015-3885.patch:
+ - Fix dcraw imput sanitization errors (CVE-2015-3885)
+
+ -- Philip Rinn <rinni@inventati.org> Thu, 16 May 2015 19:09:23 +0200
+
rawtherapee (4.2-1) unstable; urgency=medium
* New upstream release:
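Review bot: the distribution field of the new changelog entry reads `jessie-security`, but this bug asks for a jessie-pu upload of a no-dsa issue, which goes through stable proposed-updates, so the entry should target `jessie` instead. Two smaller points in the same entry: `imput` in the `- Fix dcraw imput sanitization errors` line should be `input`, and the trailer date `Thu, 16 May 2015 19:09:23 +0200` names the wrong weekday (16 May 2015 was a Saturday), which changelog-checking tools flag.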
diff -Nru rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch
--- rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100
+++ rawtherapee-4.2/debian/patches/02-fix_CVE-2015-3885.patch 2015-05-14 17:41:45.000000000 +0200
@@ -0,0 +1,28 @@
+Author: Philip Rinn <rinni@inventati.org>
+Description: Fix CVE-2015-3885
+Source: https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+Last-update: 2015-05-14
+--- a/rtengine/dcraw.c
++++ b/rtengine/dcraw.c
+@@ -824,7 +824,8 @@
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+--- a/rtengine/dcraw.cc
++++ b/rtengine/dcraw.cc
+@@ -787,7 +787,8 @@
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
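Review bot: the patch header uses `Source:` and `Last-update:`, which are not DEP-3 field names; `Origin: backport, https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e` (or `Origin: upstream, ...` if the change is taken verbatim), `Last-Update: 2015-05-14` and a `Bug-Debian:` line pointing at this bug would let the header parse cleanly. On the fix itself, the only visible change in both hunks is the type of `len` changing from `int` to `ushort` in `ljpeg_start`; the code that computes and consumes `len` is outside the hunk, so the Description should state in one line why the narrower unsigned type closes CVE-2015-3885 (presumably that a length derived from marker bytes can no longer go negative, and at most 65535 always fits the adjacent `uchar data[0x10000]`), since a future reviewer cannot infer that from the diff alone. The identical change is applied to rtengine/dcraw.c and rtengine/dcraw.cc; worth confirming in the upload notes that both files are compiled into the package, or noting which one is the reference copy.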
diff -Nru rawtherapee-4.2/debian/patches/series rawtherapee-4.2/debian/patches/series
--- rawtherapee-4.2/debian/patches/series 2014-10-26 13:55:22.000000000 +0100
+++ rawtherapee-4.2/debian/patches/series 2015-05-14 17:30:07.000000000 +0200
@@ -1 +1,2 @@
01-fix_build_race-condition.patch
+02-fix_CVE-2015-3885.patch