
Bug#1106358: marked as done (bookworm-pu: package libraw/0.20.2-2.1+deb12u1)



Your message dated Thu, 29 May 2025 10:41:28 +0200
with message-id <aDgduJ-yql1SmwMg@debian.org>
and subject line Re: Bug#1106358: bookworm-pu: package libraw/0.20.2-2.1+deb12u1
has caused the Debian Bug report #1106358,
regarding bookworm-pu: package libraw/0.20.2-2.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106358
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libraw@packages.debian.org
Control: affects -1 + src:libraw
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Fix <no-dsa> security issues CVE-2025-4396[1-4].

[ Impact ]

Users will remain vulnerable to the aforementioned issues.  Upgrading
users might regress as the issues are fixed in Bullseye LTS.

[ Tests ]

The package lacks automated tests but bounds checks from the debdiff have
been tested.

[ Risks ]

Low risk: each patch comes from upstream and trivially applies to 0.20.2-2.1.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
  * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
    to large w0 or w1 values or the frac and mult calculations.
  * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
    values are not checked in 0x041f tag processing.
  * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
    enforce minimum w0 and w1 values.
  * Add d/salsa-ci.yml for Salsa CI.

-- 
Guilhem.
diffstat for libraw-0.20.2 libraw-0.20.2

 changelog                          |   15 +++++
 patches/CVE-2025-43961_43962.patch |  107 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2025-43963.patch       |   35 ++++++++++++
 patches/CVE-2025-43964.patch       |   24 ++++++++
 patches/series                     |    3 +
 salsa-ci.yml                       |    8 ++
 6 files changed, 192 insertions(+)

diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog	2025-05-18 13:58:06.000000000 +0200
@@ -1,3 +1,18 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
+    (Closes: #1103781)
+  * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
+    to large w0 or w1 values or the frac and mult calculations.
+    (Closes: #1103781)
+  * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
+    values are not checked in 0x041f tag processing. (Closes: #1103782)
+  * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
+    enforce minimum w0 and w1 values. (Closes: #1103783)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sun, 18 May 2025 13:58:06 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
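Review bot: the new 0.20.2-2.1+deb12u1 entry does not mention the d/salsa-ci.yml addition that the cover mail's [Changes] list and the debdiff both carry, while the checklist states that *all* changes are documented in d/changelog; add a line such as `  * Add d/salsa-ci.yml for Salsa CI.` to this entry so the changelog matches the upload.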
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,107 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43961
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43962
+Bug-Debian: https://bugs.debian.org/1103781
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp         | 26 ++++++++++++++++----------
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..ded154c 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++	  if (w0 > 10240000 || w1 > 10240000)
++		  throw LIBRAW_EXCEPTION_ALLOC;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
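Review bot: the new `w0`/`w1` are used only for the size check, while the `calloc` on the following context line still recomputes `head[1] * head[3] + head[2] * head[4]`; passing `w0 + w1` there keeps the checked quantity and the allocated count in one place. The three added lines are also tab-indented where the surrounding code uses spaces.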
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++			if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++				frac = 0;
++			else
++			{
++				int xdiv = (xval[0][k] - xval[0][k - 1]);
++				frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++			}
++			if (k < w0 + w1)
++				mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++			else
++				mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
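Review bot: the upper bound `k >= w0+w1` is against the combined size of both tables, whereas `xval[0]`/`yval[0]` index the first table, which is `w0` entries long (`yval[1] = yval[0] + head[1] * head[3]` in the earlier hunk). An oversized `k` can therefore no longer read past the allocation but can still land in the second table; if those values are not meant to feed this interpolation, bounding by `w0` is the stricter check. Minor: `xdiv` is computed but not reused in the division, which repeats `(xval[0][k] - xval[0][k - 1])`; dividing by `xdiv` reads more clearly. Indentation again mixes tabs with the file's spaces.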
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d..09e976a 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -980,18 +980,21 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
+-                {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
+-                }
++				if (fi >= 15)
++				{
++					for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++						wb_ind++, ofst += 3)
++					{
++						icWBC[Fuji_wb_list1[wb_ind]][1] =
++							icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++						icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++						icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++					}
++				}
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+                     (imFuji.RAFDataVersion == 0x0261) || // X100V
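Review bot: with `fi > 14 &&` prepended, a match at `fi < 15` no longer reaches the `continue`, so the block proceeds without the Tungsten WB validation it previously required, and the new `if (fi >= 15)` then silently skips the preset loop while the RAFDataVersion processing below still runs. If a match that cannot be validated should be rejected, the condition wants to be `if (fi < 15 || rafdata[fi - 15] != fwb[0]) continue;`, which also makes the second guard unnecessary. As written, `fi > 14` and `fi >= 15` are the same test spelled two ways.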
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++					if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++						break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
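Review bot: `fj > libraw_internal_data.unpacker_data.lenRAFData - 3` wraps if `lenRAFData` is an unsigned type with a value below 3, so the `break` would never fire; `fj + 3 > lenRAFData` avoids the subtraction. The unchecked `fi += 96` in the context is covered indirectly, since `fj` starts at `fi` and the new test runs before `rafdata[fi]` is read on the next line.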
+@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                         (imFuji.RAFDataVersion == 0x0261) || // X100V
+                         (imFuji.RAFDataVersion == 0x0262))   // X-T4
+                       fj -= 9;
+-                    for (int iCCT = 0, ofst = fj; iCCT < 31;
++                    for (int iCCT = 0, ofst = fj; iCCT < 31
++						&& ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+                          iCCT++, ofst += 3)
+                     {
+                       icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];
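Review bot: the added `ofst < libraw_internal_data.unpacker_data.lenRAFData - 3` term bounds `ofst` from above only. `ofst` starts at `fj` after the `fj -= 93` and the conditional `fj -= 9` in the context above, and nothing in this hunk shows `fj` still being non-negative at that point; if the earlier arithmetic guarantees it, a comment saying so would help, otherwise an `ofst >= 0` term belongs in the condition. If `lenRAFData` is unsigned, `lenRAFData - 3` also wraps for values below 3.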
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43963.patch libraw-0.20.2/debian/patches/CVE-2025-43963.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43963.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43963.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,35 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: check split_col/split_row values in phase_one_correct
+
+Origin: https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-43963
+Bug-Debian: https://bugs.debian.org/1103782
+---
+ src/decoders/load_mfbacks.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index ded154c..f506e41 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
++      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
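Review bot: the new `split_col`/`split_row` range test is copied verbatim into two `else if` conditions in this file (the 0x041f branch here and the 0x0431 branch below); computing it once into a local such as `int split_ok = ph1.split_col > 0 && ...` before the tag dispatch keeps the two copies in sync if the bounds ever change. The continuation line is tab-indented where the file uses spaces.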
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
++      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width 
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
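Review bot: trailing whitespace after `raw_width` on the new `else if (tag == 0x0431 ...` line; strip it so the patch applies cleanly under strict whitespace settings. The condition duplicates the one added to the 0x041f branch; a shared local would avoid the copy.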
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43964.patch libraw-0.20.2/debian/patches/CVE-2025-43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43964.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43964.patch	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,24 @@
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: additional checks in PhaseOne correction tag 0x412 processing
+
+Origin: https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0
+Bug-Debian: https://security-tracker.debian.org/CVE-2025-43964
+Bug-Debian: https://bugs.debian.org/1103783
+---
+ src/decoders/load_mfbacks.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index f506e41..b85195f 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct()
+ 	  unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
+ 	  if (w0 > 10240000 || w1 > 10240000)
+ 		  throw LIBRAW_EXCEPTION_ALLOC;
++	  if (w0 < 1 || w1 < 1)
++		  throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
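Review bot: `w0` and `w1` are `unsigned`, so `w0 < 1` is `w0 == 0`; writing it as `== 0` states the intent (an empty table from a zero `head[1..4]` entry) more directly. Because this check comes after the size check, a header with one oversized and one zero product reports `LIBRAW_EXCEPTION_ALLOC` rather than `LIBRAW_EXCEPTION_IO_CORRUPT`; fine if callers treat both as fatal, but worth a one-line comment.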
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series	2025-05-18 13:58:06.000000000 +0200
@@ -1,2 +1,5 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962.patch
+CVE-2025-43963.patch
+CVE-2025-43964.patch
diff -Nru libraw-0.20.2/debian/salsa-ci.yml libraw-0.20.2/debian/salsa-ci.yml
--- libraw-0.20.2/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/salsa-ci.yml	2025-05-18 13:58:06.000000000 +0200
@@ -0,0 +1,8 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'bookworm'
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_DISABLE_LINTIAN: 1
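Review bot: the CI configuration disables both reprotest and lintian; for a stable update the lintian run in particular would cheaply flag changelog and patch-metadata issues (such as the missing salsa-ci.yml changelog line), so consider leaving `SALSA_CI_DISABLE_LINTIAN` unset.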



--- End Message ---
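As an added illustration of the tag 0x412 checks the patches above introduce (constructed for this page, not LibRaw or debdiff code): the header validation for the table sizes w0 and w1 from the CVE-2025-43962/-43964 fixes, and an index-guarded version of the frac/mult interpolation, with constructed sample tables.

```c
#include <stdint.h>

/* Constructed illustration of the checks the CVE-2025-43962/-43964 patches
 * add around PhaseOne tag 0x412 (not LibRaw code): the two correction
 * tables are w0 = head[1]*head[3] and w1 = head[2]*head[4] entries long. */
#define MAX_TABLE_ENTRIES 10240000u

enum table_status { TABLE_OK, TABLE_TOO_LARGE, TABLE_EMPTY };

/* Validate a 9-entry 0x412 header; each entry is masked to 15 bits as in
 * the parser, so the products cannot overflow a 32-bit unsigned. */
enum table_status check_0x412_header(const unsigned head[9],
                                     unsigned *w0, unsigned *w1)
{
    *w0 = (head[1] & 0x7fff) * (head[3] & 0x7fff);
    *w1 = (head[2] & 0x7fff) * (head[4] & 0x7fff);
    if (*w0 > MAX_TABLE_ENTRIES || *w1 > MAX_TABLE_ENTRIES)
        return TABLE_TOO_LARGE;  /* the patch throws LIBRAW_EXCEPTION_ALLOC */
    if (*w0 == 0 || *w1 == 0)
        return TABLE_EMPTY;      /* the patch throws LIBRAW_EXCEPTION_IO_CORRUPT */
    return TABLE_OK;
}

/* Guarded linear interpolation over row i of a table with row_len entries
 * per row and n entries in total: find the first xval[k] > num in the row,
 * then blend yval[k-1] and yval[k]. Every index is checked against n before
 * it is dereferenced, and a zero x-span yields frac = 0, not a division by 0. */
float interp_guarded(const uint16_t *xval, const float *yval, unsigned n,
                     unsigned row_len, unsigned i, uint16_t num)
{
    unsigned j, k = row_len * i;
    for (j = 0; j < row_len; j++) {
        k = row_len * i + j;
        if (k >= n || num < xval[k])
            break;
    }
    if (k >= n)
        return 0.0f;             /* row lies outside the table */
    if (j == 0 || j == row_len || k < 1)
        return yval[k];          /* frac == 0 at either edge of the row */
    int xdiv = (int)xval[k] - (int)xval[k - 1];
    float frac = xdiv ? (float)(xval[k] - num) / (float)xdiv : 0.0f;
    return yval[k - 1] * frac + yval[k] * (1.0f - frac);
}

/* Constructed sample tables: two rows of three entries each. */
static const uint16_t SAMPLE_X[6] = {10, 20, 30, 40, 50, 60};
static const float    SAMPLE_Y[6] = {1.f, 2.f, 3.f, 4.f, 5.f, 6.f};
```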
--- Begin Message ---
Hi Salvatore,

On Thu, 29 May 2025 at 08:48:20 +0200, Salvatore Bonaccorso wrote:
> Looks there was overlapping work with Moritz here and Moritz did then
> already upload.

Oh, that's unfortunate.

> So I would say to close this bug in favour of #1106536?

Makes sense, closing this one then.

-- 
Guilhem.

--- End Message ---
