
Bug#809258: jessie-pu: package libraw/0.16.0-9+deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to stable/jessie.

LibRaw package version in jessie is 0.16.0-9+deb8u1 at the moment and
it's now affected by the security issues stated in CVE-2015-8366[0] and
CVE-2015-8367[1], as reported in #806809 (reporting the problem against
the version in unstable/sid).

Upstream has already fixed the problem in 0.17.1 version and released it
on November 24th.

Debian Security Team marked the issues as "no-DSA"[2], so no need to go
through the Debian Security procedures but a simple proposed-update via
the Debian Release Team.

Cherry-picking the fixing git commit[3], I've prepared a new libraw
0.16.0-9+deb8u2 package bundling the new patch.

Attached, you'll find a debdiff for it.

Thanks for considering.


[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
[2] https://security-tracker.debian.org/tracker/source-package/libraw
[3] https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2


-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.16.0/debian/changelog libraw-0.16.0/debian/changelog
--- libraw-0.16.0/debian/changelog	2015-05-27 14:10:09.000000000 +0200
+++ libraw-0.16.0/debian/changelog	2015-12-28 20:26:32.000000000 +0100
@@ -1,3 +1,12 @@
+libraw (0.16.0-9+deb8u2) stable; urgency=high
+
+  * debian/patches/: patchset updated
+    - 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added
+      | CVE-2015-8366: Index overflow in smal_decode_segment
+      | CVE-2015-8367: Memory objects are not intialized properly
+
+ -- Matteo F. Vescovi <mfvescovi@gmail.com>  Sat, 12 Dec 2015 21:55:04 +0100
+
 libraw (0.16.0-9+deb8u1) stable; urgency=high
 
   * debian/patches/: patchset updated
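Review bot: The CVE-2015-8367 line of the new changelog entry misspells "intialized"; it should read "initialized". That line also does not say which memory objects are meant, so naming the patched function (LibRaw::unpack, per the patch below) would let a reader match the entry to the code change.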
diff -Nru libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch
--- libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch	2015-12-12 21:51:33.000000000 +0100
@@ -0,0 +1,70 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 12 Dec 2015 21:51:27 +0100
+Subject: Fix_CVE-2015-8366_CVE-2015-8367
+
+---
+ dcraw/dcraw.c             | 4 ++++
+ internal/dcraw_common.cpp | 4 ++++
+ src/libraw_cxx.cpp        | 5 +++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
+index 4f72aee..7ff8fe7 100644
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -2559,6 +2559,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
+       diff = diff ? -diff : 0x80;
+     if (ftell(ifp) + 12 >= seg[1][1])
+       diff = 0;
++#ifdef LIBRAW_LIBRARY_BUILD
++    if(pix>=raw_width*raw_height)
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+     raw_image[pix] = pred[pix & 1] += diff;
+     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
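Review bot: The bounds check added before "raw_image[pix] = pred[pix & 1] += diff;" is compiled only under "#ifdef LIBRAW_LIBRARY_BUILD", so any build of dcraw/dcraw.c without that macro keeps the unchecked write. If this file can be built that way in the package, the guard needs a non-throwing fallback in an #else branch (for example leaving the loop); if it cannot, a short comment saying so would settle the question for the next reader.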
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index ac55074..1e423fe 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -2816,6 +2816,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes)
+       diff = diff ? -diff : 0x80;
+     if (ftell(ifp) + 12 >= seg[1][1])
+       diff = 0;
++#ifdef LIBRAW_LIBRARY_BUILD
++    if(pix>=raw_width*raw_height)
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+     raw_image[pix] = pred[pix & 1] += diff;
+     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
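Review bot: In the added check "if(pix>=raw_width*raw_height)" the limit is a product recomputed on every pass of the loop, and the declarations of pix, raw_width and raw_height lie outside this context, so the hunk alone does not show whether the multiplication can wrap or whether the comparison mixes signed and unsigned operands. Computing the limit once before the loop in an unsigned type wide enough for the product would make the check evidently correct, and a one-line comment naming CVE-2015-8366 would document why it is there.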
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 433323b..7d61d81 100644
+--- a/src/libraw_cxx.cpp
++++ b/src/libraw_cxx.cpp
+@@ -1246,6 +1246,7 @@ int LibRaw::unpack(void)
+     if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) //RawSpeed failed!
+       {
+         // Not allocated on RawSpeed call, try call LibRaw
++        int zero_rawimage = 0;
+         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)
+           {
+             // x3f foveon decoder
+@@ -1268,6 +1269,8 @@ int LibRaw::unpack(void)
+             // allocate image as temporary buffer, size 
+             imgdata.rawdata.raw_alloc = 0;
+             imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
++            imgdata.rawdata.raw_image = (ushort*) imgdata.image ;
++            zero_rawimage = 1;
+           }
+         ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET);
+             
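Review bot: "imgdata.rawdata.raw_image" is pointed at the calloc result on the line directly after the allocation, and no NULL check is visible in this context, so a failed calloc would leave raw_image null when the loader runs. The buffer is sized as S.iwidth*S.iheight elements of *imgdata.image, while the guard added in smal_decode_segment bounds pix by raw_width*raw_height; please confirm the aliased buffer always holds at least raw_width*raw_height ushort values, or bound the loader by the size actually allocated.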
+@@ -1275,6 +1278,8 @@ int LibRaw::unpack(void)
+         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
+           C.maximum=65535;
+         (this->*load_raw)();
++        if(zero_rawimage)
++          imgdata.rawdata.raw_image = 0;
+         if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon"))
+           C.maximum = m_save;
+         if(decoder_info.decoder_flags &  LIBRAW_DECODER_OWNALLOC)
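Review bot: The reset "imgdata.rawdata.raw_image = 0;" runs only when "(this->*load_raw)();" returns normally, and this same patch makes smal_decode_segment throw LIBRAW_EXCEPTION_IO_CORRUPT, so on a corrupt file the reset is skipped and raw_image keeps aliasing imgdata.image. Unless the exception handling around unpack() (not visible here) clears the pointer, it should be reset on the error path as well, for instance with a small scope guard declared next to zero_rawimage.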
diff -Nru libraw-0.16.0/debian/patches/series libraw-0.16.0/debian/patches/series
--- libraw-0.16.0/debian/patches/series	2015-05-27 14:10:09.000000000 +0200
+++ libraw-0.16.0/debian/patches/series	2015-12-12 21:51:33.000000000 +0100
@@ -1 +1,2 @@
 0001-Fix_CVE-2015-3885.patch
+0002-Fix_CVE-2015-8366_CVE-2015-8367.patch
