Your message dated Sat, 23 Jan 2016 13:57:15 +0000 with message-id <1453557435.1835.52.camel@adam-barratt.org.uk> and subject line 8.3 point release cleanup has caused the Debian Bug report #809258, regarding jessie-pu: package libraw/0.16.0-9+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 809258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809258 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libraw/0.16.0-9+deb8u2
- From: "Matteo F. Vescovi" <mfv@debian.org>
- Date: Mon, 28 Dec 2015 20:52:10 +0100
- Message-id: <20151228195210.GA16906@localhost>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Dear Release Team, I'd like to upload a new version of libraw to stable/jessie. LibRaw package version in jessie is 0.16.0-9+deb8u1 at the moment and it's now affected by the security issues stated in CVE-2015-8366[0] and CVE-2015-8367[1], as reported in #806809 (reporting the problem against the version in unstable/sid). Upstream has already fixed the problem in 0.17.1 version and released it on November 24th. Debian Security Team marked the issues as "no-DSA"[2], so no need to go through the Debian Security procedures but a simple proposed-update via the Debian Release Team. Cherry-picking the fixing git commit[3], I've prepared a new libraw 0.16.0-9+deb8u2 package bundling the new patch. Attached, you'll find a debdiff for it. Thanks for considering. [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366 [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367 [2] https://security-tracker.debian.org/tracker/source-package/libraw [3] https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 -- System Information: Debian Release: stretch/sid APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Matteo F. Vescovi || Debian Developer GnuPG KeyID: 4096R/0x8062398983B2CF7Adiff -Nru libraw-0.16.0/debian/changelog libraw-0.16.0/debian/changelog --- libraw-0.16.0/debian/changelog 2015-05-27 14:10:09.000000000 +0200 +++ libraw-0.16.0/debian/changelog 2015-12-28 20:26:32.000000000 +0100 @@ -1,3 +1,12 @@ +libraw (0.16.0-9+deb8u2) stable; urgency=high + + * debian/patches/: patchset updated + - 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added + | CVE-2015-8366: Index overflow in smal_decode_segment + | CVE-2015-8367: Memory objects are not intialized properly + + -- Matteo F. Vescovi <mfvescovi@gmail.com> Sat, 12 Dec 2015 21:55:04 +0100 + libraw (0.16.0-9+deb8u1) stable; urgency=high * debian/patches/: patchset updated diff -Nru libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch --- libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 2015-12-12 21:51:33.000000000 +0100 @@ -0,0 +1,70 @@ +From: Alex Tutubalin <lexa@lexa.ru> +Date: Sat, 12 Dec 2015 21:51:27 +0100 +Subject: Fix_CVE-2015-8366_CVE-2015-8367 + +--- + dcraw/dcraw.c | 4 ++++ + internal/dcraw_common.cpp | 4 ++++ + src/libraw_cxx.cpp | 5 +++++ + 3 files changed, 13 insertions(+) + +diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c +index 4f72aee..7ff8fe7 100644 +--- a/dcraw/dcraw.c ++++ b/dcraw/dcraw.c +@@ -2559,6 +2559,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes) + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; ++#ifdef LIBRAW_LIBRARY_BUILD ++ if(pix>=raw_width*raw_height) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++#endif + raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } +diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp +index ac55074..1e423fe 100644 +--- a/internal/dcraw_common.cpp ++++ b/internal/dcraw_common.cpp +@@ -2816,6 +2816,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int holes) + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; ++#ifdef LIBRAW_LIBRARY_BUILD ++ if(pix>=raw_width*raw_height) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++#endif + raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } +diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp +index 433323b..7d61d81 100644 +--- a/src/libraw_cxx.cpp ++++ b/src/libraw_cxx.cpp +@@ -1246,6 +1246,7 @@ int LibRaw::unpack(void) + if(!imgdata.rawdata.raw_image && !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image) //RawSpeed failed! + { + // Not allocated on RawSpeed call, try call LibRaw ++ int zero_rawimage = 0; + if(decoder_info.decoder_flags & LIBRAW_DECODER_OWNALLOC) + { + // x3f foveon decoder +@@ -1268,6 +1269,8 @@ int LibRaw::unpack(void) + // allocate image as temporary buffer, size + imgdata.rawdata.raw_alloc = 0; + imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image)); ++ imgdata.rawdata.raw_image = (ushort*) imgdata.image ; ++ zero_rawimage = 1; + } + ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET); + +@@ -1275,6 +1278,8 @@ int LibRaw::unpack(void) + if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon")) + C.maximum=65535; + (this->*load_raw)(); ++ if(zero_rawimage) ++ imgdata.rawdata.raw_image = 0; + if(load_raw == &LibRaw::unpacked_load_raw && !strcasecmp(imgdata.idata.make,"Nikon")) + C.maximum = m_save; + if(decoder_info.decoder_flags & LIBRAW_DECODER_OWNALLOC) diff -Nru libraw-0.16.0/debian/patches/series libraw-0.16.0/debian/patches/series --- libraw-0.16.0/debian/patches/series 2015-05-27 14:10:09.000000000 +0200 +++ libraw-0.16.0/debian/patches/series 2015-12-12 21:51:33.000000000 +0100 @@ -1 +1,2 @@ 0001-Fix_CVE-2015-3885.patch +0002-Fix_CVE-2015-8366_CVE-2015-8367.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 783355-done@bugs.debian.org, 784944-done@bugs.debian.org, 787021-done@bugs.debian.org, 787423-done@bugs.debian.org, 791403-done@bugs.debian.org, 792468-done@bugs.debian.org, 792806-done@bugs.debian.org, 793556-done@bugs.debian.org, 794940-done@bugs.debian.org, 796281-done@bugs.debian.org, 797170-done@bugs.debian.org, 797710-done@bugs.debian.org, 798028-done@bugs.debian.org, 798584-done@bugs.debian.org, 798749-done@bugs.debian.org, 798889-done@bugs.debian.org, 798890-done@bugs.debian.org, 798891-done@bugs.debian.org, 798892-done@bugs.debian.org, 798893-done@bugs.debian.org, 798895-done@bugs.debian.org, 799033-done@bugs.debian.org, 799070-done@bugs.debian.org, 799229-done@bugs.debian.org, 799230-done@bugs.debian.org, 799369-done@bugs.debian.org, 799477-done@bugs.debian.org, 799758-done@bugs.debian.org, 799777-done@bugs.debian.org, 800006-done@bugs.debian.org, 800664-done@bugs.debian.org, 800793-done@bugs.debian.org, 800881-done@bugs.debian.org, 801095-done@bugs.debian.org, 801098-done@bugs.debian.org, 801100-done@bugs.debian.org, 801304-done@bugs.debian.org, 801318-done@bugs.debian.org, 801441-done@bugs.debian.org, 801580-done@bugs.debian.org, 801743-done@bugs.debian.org, 801851-done@bugs.debian.org, 801892-done@bugs.debian.org, 802851-done@bugs.debian.org, 802879-done@bugs.debian.org, 802900-done@bugs.debian.org, 802942-done@bugs.debian.org, 803362-done@bugs.debian.org, 803467-done@bugs.debian.org, 803490-done@bugs.debian.org, 803569-done@bugs.debian.org, 803678-done@bugs.debian.org, 803730-done@bugs.debian.org, 804157-done@bugs.debian.org, 804172-done@bugs.debian.org, 804208-done@bugs.debian.org, 804381-done@bugs.debian.org, 804383-done@bugs.debian.org, 804734-done@bugs.debian.org, 804885-done@bugs.debian.org, 805024-done@bugs.debian.org, 805127-done@bugs.debian.org, 805190-done@bugs.debian.org, 805214-done@bugs.debian.org, 805260-done@bugs.debian.org, 805293-done@bugs.debian.org, 805383-done@bugs.debian.org, 805634-done@bugs.debian.org, 805721-done@bugs.debian.org, 805894-done@bugs.debian.org, 806129-done@bugs.debian.org, 806165-done@bugs.debian.org, 806247-done@bugs.debian.org, 806252-done@bugs.debian.org, 806338-done@bugs.debian.org, 806529-done@bugs.debian.org, 806640-done@bugs.debian.org, 807129-done@bugs.debian.org, 807140-done@bugs.debian.org, 807142-done@bugs.debian.org, 807273-done@bugs.debian.org, 807280-done@bugs.debian.org, 807467-done@bugs.debian.org, 807489-done@bugs.debian.org, 807515-done@bugs.debian.org, 807576-done@bugs.debian.org, 807612-done@bugs.debian.org, 807828-done@bugs.debian.org, 807917-done@bugs.debian.org, 808559-done@bugs.debian.org, 808890-done@bugs.debian.org, 809200-done@bugs.debian.org, 809255-done@bugs.debian.org, 809258-done@bugs.debian.org, 809307-done@bugs.debian.org, 809534-done@bugs.debian.org, 809561-done@bugs.debian.org, 809688-done@bugs.debian.org, 809757-done@bugs.debian.org, 809824-done@bugs.debian.org, 810004-done@bugs.debian.org, 810111-done@bugs.debian.org, 810130-done@bugs.debian.org, 810542-done@bugs.debian.org, 810760-done@bugs.debian.org, 810887-done@bugs.debian.org, 811132-done@bugs.debian.org, 811320-done@bugs.debian.org, 792779-done@bugs.debian.org
- Subject: 8.3 point release cleanup
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 23 Jan 2016 13:57:15 +0000
- Message-id: <1453557435.1835.52.camel@adam-barratt.org.uk>
Version: 8.3 Hi, The updates referred to in these bugs were included in today's 8.3 Jessie point release. Regards, Adam
--- End Message ---