Bug#788242: wheezy-pu: package rawtherapee/4.0.9-4
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
rawtherapee is affected by the security issue CVE-2015-3885. It's marked no-dsa,
which is why I want to coordinate the update with you.
I attached the debdiff.
Best,
Philip
diff -Nru rawtherapee-4.0.9/debian/changelog rawtherapee-4.0.9/debian/changelog
--- rawtherapee-4.0.9/debian/changelog 2012-11-19 21:11:56.000000000 +0100
+++ rawtherapee-4.0.9/debian/changelog 2015-05-16 19:12:58.000000000 +0200
@@ -1,3 +1,10 @@
+rawtherapee (4.0.9-4+deb7u1) wheezy-security; urgency=high
+
+ * Add patch debian/patches/04-fix_CVE-2015-3885.patch:
+ - Fix dcraw imput sanitization errors (CVE-2015-3885)
+
+ -- Philip Rinn <rinni@inventati.org> Thu, 15 May 2015 19:12:20 +0200
+
rawtherapee (4.0.9-4) unstable; urgency=low
* Fix RC bug that corrupts EXIF data in some cases (closes: #693736):
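Review bot: The new changelog entry targets `wheezy-security`, but this is a `pu` request for an issue marked no-dsa, so the upload goes through proposed-updates rather than the security archive; the distribution field should read `wheezy`. In the same entry, "imput" should be "input", and the trailer date `Thu, 15 May 2015` does not match the calendar (15 May 2015 was a Friday), so the trailer line should be regenerated.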
diff -Nru rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch
--- rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100
+++ rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch 2015-05-16 19:20:36.000000000 +0200
@@ -0,0 +1,24 @@
+--- a/rtengine/dcraw.c
++++ b/rtengine/dcraw.c
+@@ -787,7 +787,8 @@
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+--- a/rtengine/dcraw.cc
++++ b/rtengine/dcraw.cc
+@@ -798,7 +798,8 @@
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
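Review bot: In both `ljpeg_start` hunks, narrowing `len` to `ushort` keeps it within the 0x10000-byte `data` buffer purely by type width, and the hunks do not show where `len` is computed or used; please confirm that nothing left in the function relies on `len` being signed (for example a `len < 0` test), since such a check would silently become dead code. The patch file also starts directly at `--- a/rtengine/dcraw.c` with no header; a short description naming the origin of the fix and the CVE id would make it easier to track against upstream.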
diff -Nru rawtherapee-4.0.9/debian/patches/series rawtherapee-4.0.9/debian/patches/series
--- rawtherapee-4.0.9/debian/patches/series 2012-11-19 19:37:03.000000000 +0100
+++ rawtherapee-4.0.9/debian/patches/series 2015-05-14 18:06:49.000000000 +0200
@@ -1,3 +1,4 @@
01-AboutThisBuild.patch
02-fix_color_artifacts.patch
03-fix_exif_corruption.patch
+04-fix_CVE-2015-3885.patch