Sorry, I didn't attach the debdiff, it was only a 'git diff ...' Now I attached the real debdiff. Best, Philip
diff -Nru rawtherapee-4.2/debian/changelog rawtherapee-4.2/debian/changelog --- rawtherapee-4.2/debian/changelog 2015-06-09 20:45:39.000000000 +0200 +++ rawtherapee-4.2/debian/changelog 2016-10-06 12:36:00.000000000 +0200 @@ -1,3 +1,10 @@ +rawtherapee (4.2-1+deb8u2) jessie; urgency=high + + * Add patch debian/patches/03-fix-overflow-in-dcraw.patch: + - Fix buffer overflow in dcraw (CVE-2015-8366) + + -- Philip Rinn <rinni@inventati.org> Thu, 06 Oct 2016 12:36:00 +0200 + rawtherapee (4.2-1+deb8u1) jessie; urgency=high * Add patch debian/patches/02-fix_CVE-2015-3885.patch: diff -Nru rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch --- rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch 1970-01-01 01:00:00.000000000 +0100 +++ rawtherapee-4.2/debian/patches/03-fix-overflow-in-dcraw.patch 2016-10-06 12:35:26.000000000 +0200 @@ -0,0 +1,18 @@ +Author: Hubert Chathi <uhoreg@debian.org> +Description: Fix buffer overflow in dcraw (CVE-2015-8366) +Origin: https://vcs.uhoreg.ca/git/cgit/debpkg-ufraw/commit/?id=54688b5896b39003becdfee3c803c58c94f14df3 +Last-update: 2016-10-06 +--- a/rtengine/dcraw.cc ++++ b/rtengine/dcraw.cc +@@ -3221,7 +3221,10 @@ + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; +- raw_image[pix] = pred[pix & 1] += diff; ++ if(pix>=raw_width*raw_height) ++ derror(); ++ else ++ raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } + maximum = 0xff; diff -Nru rawtherapee-4.2/debian/patches/series rawtherapee-4.2/debian/patches/series --- rawtherapee-4.2/debian/patches/series 2015-05-14 17:30:07.000000000 +0200 +++ rawtherapee-4.2/debian/patches/series 2016-10-06 12:35:47.000000000 +0200 @@ -1,2 +1,3 @@ 01-fix_build_race-condition.patch 02-fix_CVE-2015-3885.patch +03-fix-overflow-in-dcraw.patch
Attachment:
signature.asc
Description: OpenPGP digital signature