Your message dated Sat, 05 Sep 2015 14:33:54 +0100 with message-id <1441460034.2151.33.camel@adam-barratt.org.uk> and subject line Closing bugs for 7.9 has caused the Debian Bug report #787403, regarding wheezy-pu: package libraw/0.14.6-2+deb7u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
787403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787403
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package libraw/0.14.6-2+deb7u1
- From: "Matteo F. Vescovi" <mfv@debian.org>
- Date: Mon, 1 Jun 2015 10:09:31 +0200
- Message-id: <20150601080931.GA2019@localhost>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to oldstable/wheezy.

LibRaw package in wheezy is 0.14.6-2 at the moment and it's affected by the security issue stated in CVE-2015-3885[1], as reported in #786788.

Debian Security Team marked the issue as "no-DSA"[2], so no need to go through the Debian Security procedures but a simple proposed-update via the Debian Release Team.

This same issue has been already fixed in unstable and testing with 0.16.2-1 revision upload and the p-u 0.16.0.9+deb8u1 on jessie (already accepted for next point release).

Cherry-picking and adapting the fixing git commit used in RedHat[3], I've prepared a new libraw 0.14.6-2+deb7u1 package bundling the patch.

Attached, you'll find a debdiff for it.

Thanks for considering.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
[2] https://security-tracker.debian.org/tracker/CVE-2015-3885
[3] https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff

-- System Information:
Debian Release: stretch/sid
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A

diff -Nru libraw-0.14.6/debian/changelog libraw-0.14.6/debian/changelog --- libraw-0.14.6/debian/changelog 2012-05-27 12:17:21.000000000 +0200 +++ libraw-0.14.6/debian/changelog 2015-05-28 14:15:32.000000000 +0200 
@@ -1,3 +1,15 @@ +libraw (0.14.6-2+deb7u1) wheezy; urgency=high + + * debian/patches/: patchset updated + - 0001-Fix_CVE-2015-3885.patch added (Closes: #786788) + | Integer overflow in the ljpeg_start function + | in dcraw 7.00 and earlier allows remote attackers + | to cause a denial of service (crash) via a + | crafted image, which triggers a buffer overflow, + | related to the len variable. + + -- Matteo F. Vescovi <mfv@debian.org> Thu, 28 May 2015 14:15:10 +0200 + libraw (0.14.6-2) unstable; urgency=low * Team upload. diff -Nru libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch --- libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch 2015-05-27 21:35:09.000000000 +0200 
@@ -0,0 +1,46 @@ +From: Nils Philippsen <nils@redhat.com> +Date: Wed, 27 May 2015 21:28:03 +0200 +Subject: Fix_CVE-2015-3885 + +Avoid overflowing array + +When reading raw image files containing lossless JPEG data, headers could be +manipulated to make the signed int variable 'len' negative which specifies +how much actual data follows. Interpreted as unsigned, this could lead to +reading file data past the 64k boundary of the array used for storing it. +To avoid that, make 'len' unsigned short, and bail out early if its value +would become invalid (i.e. <= 0). + +Signed-off-by: Matteo F. Vescovi <mfv@debian.org> + +Git-Dch: Short +--- + dcraw/dcraw.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c +index 9985f41..14ee66a 100644 +--- a/dcraw/dcraw.c ++++ b/dcraw/dcraw.c +@@ -787,7 +787,8 @@ struct jhead { + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + +@@ -798,8 +799,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only) + do { + fread (data, 2, 2, ifp); + tag = data[0] << 8 | data[1]; +- len = (data[2] << 8 | data[3]) - 2; +- if (tag <= 0xff00) return 0; ++ len = (data[2] << 8 | data[3]); ++ if (tag <= 0xff00 || len <= 2) return 0; ++ len -= 2; + fread (data, 1, len, ifp); + switch (tag) { + case 0xffc3: diff -Nru libraw-0.14.6/debian/patches/series libraw-0.14.6/debian/patches/series --- libraw-0.14.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.14.6/debian/patches/series 2015-05-27 21:35:09.000000000 +0200 @@ -0,0 +1 @@ +0001-Fix_CVE-2015-3885.patchAttachment: signature.asc
Description: Digital signature
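Review bot: in the second dcraw.c hunk (`@@ -798,8 +799,9 @@`), the return values of `fread (data, 2, 2, ifp);` and `fread (data, 1, len, ifp);` are still not checked, so on a truncated file the `switch (tag)` that follows parses stale or uninitialised contents of `data`. The new `len <= 2` test together with `ushort len` bounds the read to the 0x10000-byte array (at most 0xfffd bytes after `len -= 2`), but it does not guarantee that `len` bytes were actually read; consider returning 0 when either `fread` comes back short.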
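Review bot: the header of 0001-Fix_CVE-2015-3885.patch does not record where the change came from: it carries `From:`, `Date:`, `Subject:` and `Signed-off-by:` but no `Origin:` or `Bug-Debian:` field, although the changelog entry closes #786788 and the request describes the patch as adapted from another distribution's commit. Adding those DEP-3 fields would let a later reader trace the backport. The diffstat also lists a single file, `dcraw/dcraw.c`; if the source tree carries another copy of `ljpeg_start`, it needs the same declaration and length-check changes.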
--- End Message ---
--- Begin Message ---
- To: 725661-done@bugs.debian.org, 770955-done@bugs.debian.org, 773796-done@bugs.debian.org, 774773-done@bugs.debian.org, 774820-done@bugs.debian.org, 774850-done@bugs.debian.org, 774921-done@bugs.debian.org, 775380-done@bugs.debian.org, 775603-done@bugs.debian.org, 775664-done@bugs.debian.org, 775825-done@bugs.debian.org, 776095-done@bugs.debian.org, 776734-done@bugs.debian.org, 776781-done@bugs.debian.org, 776884-done@bugs.debian.org, 777046-done@bugs.debian.org, 777047-done@bugs.debian.org, 777372-done@bugs.debian.org, 777553-done@bugs.debian.org, 778622-done@bugs.debian.org, 779083-done@bugs.debian.org, 779622-done@bugs.debian.org, 779926-done@bugs.debian.org, 780191-done@bugs.debian.org, 780471-done@bugs.debian.org, 780798-done@bugs.debian.org, 780924-done@bugs.debian.org, 781281-done@bugs.debian.org, 781406-done@bugs.debian.org, 781542-done@bugs.debian.org, 781885-done@bugs.debian.org, 781965-done@bugs.debian.org, 782042-done@bugs.debian.org, 782165-done@bugs.debian.org, 782409-done@bugs.debian.org, 782600-done@bugs.debian.org, 782663-done@bugs.debian.org, 782848-done@bugs.debian.org, 783659-done@bugs.debian.org, 783749-done@bugs.debian.org, 784102-done@bugs.debian.org, 785155-done@bugs.debian.org, 785348-done@bugs.debian.org, 785735-done@bugs.debian.org, 786691-done@bugs.debian.org, 786830-done@bugs.debian.org, 786919-done@bugs.debian.org, 787076-done@bugs.debian.org, 787403-done@bugs.debian.org, 787933-done@bugs.debian.org, 787947-done@bugs.debian.org, 788064-done@bugs.debian.org, 788242-done@bugs.debian.org, 788558-done@bugs.debian.org, 788664-done@bugs.debian.org, 790692-done@bugs.debian.org, 790940-done@bugs.debian.org, 793028-done@bugs.debian.org, 794962-done@bugs.debian.org, 795166-done@bugs.debian.org, 795892-done@bugs.debian.org, 797079-done@bugs.debian.org, 797213-done@bugs.debian.org
- Subject: Closing bugs for 7.9
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:33:54 +0100
- Message-id: <1441460034.2151.33.camel@adam-barratt.org.uk>
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point release.

Regards,

Adam
--- End Message ---