Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to stable/jessie.

LibRaw package version in jessie is 0.16.0-9+deb8u1 at the moment and it's now affected by the security issues stated in CVE-2015-8366[0] and CVE-2015-8367[1], as reported in #806809 (reporting the problem against the version in unstable/sid).

Upstream has already fixed the problem in 0.17.1 version and released it on November 24th.

Debian Security Team marked the issues as "no-DSA"[2], so no need to go through the Debian Security procedures but a simple proposed-update via the Debian Release Team.

Cherry-picking the fixing git commit[3], I've prepared a new libraw 0.16.0-9+deb8u2 package bundling the new patch. Attached, you'll find a debdiff for it.

Thanks for considering.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
[2] https://security-tracker.debian.org/tracker/source-package/libraw
[3] https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2

-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A

diff -Nru libraw-0.16.0/debian/changelog libraw-0.16.0/debian/changelog --- libraw-0.16.0/debian/changelog 2015-05-27 14:10:09.000000000 +0200 +++ libraw-0.16.0/debian/changelog 2015-12-28 20:26:32.000000000 +0100 @@ -1,3 +1,12 @@ +libraw (0.16.0-9+deb8u2) stable; urgency=high + + * debian/patches/: patchset updated + - 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added + | CVE-2015-8366: Index overflow in smal_decode_segment + | CVE-2015-8367: Memory objects are not intialized properly + + -- Matteo F. Vescovi <mfvescovi@gmail.com> Sat, 12 Dec 2015 21:55:04 +0100 + libraw (0.16.0-9+deb8u1) stable; urgency=high * debian/patches/: patchset updated diff -Nru libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch --- libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 2015-12-12 21:51:33.000000000 +0100 
@@ -0,0 +1,70 @@ +From: Alex Tutubalin <lexa@lexa.ru> +Date: Sat, 12 Dec 2015 21:51:27 +0100 +Subject: Fix_CVE-2015-8366_CVE-2015-8367 + +--- + dcraw/dcraw.c | 4 ++++ + internal/dcraw_common.cpp | 4 ++++ + src/libraw_cxx.cpp | 5 +++++ + 3 files changed, 13 insertions(+) + +diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c +index 4f72aee..7ff8fe7 100644 +--- a/dcraw/dcraw.c ++++ b/dcraw/dcraw.c +@@ -2559,6 +2559,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes) + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; ++#ifdef LIBRAW_LIBRARY_BUILD ++ if(pix>=raw_width*raw_height) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++#endif + raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } +diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp +index ac55074..1e423fe 100644 +--- a/internal/dcraw_common.cpp ++++ b/internal/dcraw_common.cpp +@@ -2816,6 +2816,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes) + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; ++#ifdef LIBRAW_LIBRARY_BUILD ++ if(pix>=raw_width*raw_height) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++#endif + raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } +diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp +index 433323b..7d61d81 100644 +--- a/src/libraw_cxx.cpp ++++ b/src/libraw_cxx.cpp +@@ -1246,6 +1246,7 @@ int LibRaw::unpack(void) + if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) //RawSpeed failed! 
+ { + // Not allocated on RawSpeed call, try call LibRaw ++ int zero_rawimage = 0; + if(decoder_info.decoder_flags & LIBRAW_DECODER_OWNALLOC) + { + // x3f foveon decoder +@@ -1268,6 +1269,8 @@ int LibRaw::unpack(void) + // allocate image as temporary buffer, size + imgdata.rawdata.raw_alloc = 0; + imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image)); ++ imgdata.rawdata.raw_image = (ushort*) imgdata.image ; ++ zero_rawimage = 1; + } + ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET); + +@@ -1275,6 +1278,8 @@ int LibRaw::unpack(void) + if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon")) + C.maximum=65535; + (this->*load_raw)(); ++ if(zero_rawimage) ++ imgdata.rawdata.raw_image = 0; + if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon")) + C.maximum = m_save; + if(decoder_info.decoder_flags & LIBRAW_DECODER_OWNALLOC) diff -Nru libraw-0.16.0/debian/patches/series libraw-0.16.0/debian/patches/series --- libraw-0.16.0/debian/patches/series 2015-05-27 14:10:09.000000000 +0200 +++ libraw-0.16.0/debian/patches/series 2015-12-12 21:51:33.000000000 +0100 @@ -1 +1,2 @@ 0001-Fix_CVE-2015-3885.patch +0002-Fix_CVE-2015-8366_CVE-2015-8367.patch
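
Review bot: The header of 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch carries only From, Date and Subject, with no pointer to the upstream change it was cherry-picked from. Adding an Origin field with the upstream commit URL cited in the request, plus Bug-Debian for #806809, would let the patch be compared against upstream without going back to the mail. In the debian/changelog hunk, "intialized" should read "initialized".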
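
Review bot: In both smal_decode_segment hunks (dcraw/dcraw.c and internal/dcraw_common.cpp) the new bound check `if(pix>=raw_width*raw_height)` is compiled only under LIBRAW_LIBRARY_BUILD, so a build of dcraw/dcraw.c without that macro still reaches `raw_image[pix] = pred[pix & 1] += diff;` with an unchecked index. If that file is ever built standalone, add an #else branch that stops decoding, or state in the patch description that only the library build is in scope. The product raw_width*raw_height is also re-evaluated on every iteration; computing it once into a local of an explicitly wide unsigned type before the loop would make the type of the comparison obvious to the reader.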
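
Review bot: In the LibRaw::unpack hunks, `imgdata.rawdata.raw_image` is reset to 0 only on the lines after `(this->*load_raw)();` returns normally, while the check added to smal_decode_segment in this same patch throws LIBRAW_EXCEPTION_IO_CORRUPT from inside a decoder. On that path raw_image is left aliasing the imgdata.image buffer with raw_alloc set to 0; please confirm the handler around unpack() clears the alias, or move the reset so it also runs on unwind. The calloc result is also assigned to raw_image with no null check visible in this hunk, and a short comment on zero_rawimage explaining why the temporary alias is needed would help the next reader.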