[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1106536: marked as done (bookworm-pu: package libraw/0.20.2-2.1+deb12u1)

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1106536,
regarding bookworm-pu: package libraw/0.20.2-2.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106536: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106536
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libraw@packages.debian.org
Control: affects -1 + src:libraw
User: release.debian.org@packages.debian.org
Usertags: pu

Multiple low severity issues, not warranting a DSA,
debdiff below.

Cheers,
        Moritz

diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/changelog	2025-05-18 21:10:22.000000000 +0200
@@ -1,3 +1,11 @@
+libraw (0.20.2-2.1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-43961 / CVE-2025-43962 (Closes: #1103781)
+  * CVE-2025-43963 (Closes: #1103782)
+  * CVE-2025-43964 (Closes: #1103783)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sun, 18 May 2025 21:10:22 +0200
+
 libraw (0.20.2-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch
--- libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/CVE-2025-43961_43962_43963_43964.patch	2025-05-18 21:10:06.000000000 +0200
@@ -0,0 +1,113 @@
+Combined patch of the following upstream commits:
+
+From 66fe663e02a4dd610b4e832f5d9af326709336c2 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+From be26e7639ecf8beb55f124ce780e99842de2e964 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Thu, 6 Feb 2025 21:01:58 +0300
+Subject: [PATCH] check split_col/split_row values in phase_one_correct
+
+From a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sun, 2 Mar 2025 11:35:43 +0300
+Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing
+
+
+--- libraw-0.20.2.orig/src/decoders/load_mfbacks.cpp
++++ libraw-0.20.2/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct()
+           off_412 = ftell(ifp) - 38;
+         }
+       }
+-      else if (tag == 0x041f && !qlin_applied)
++      else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++		&& ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant linearization */
+         ushort lc[2][2][16], ref[16];
+         int qr, qc;
+@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct()
+         }
+         qmult_applied = 1;
+       }
+-      else if (tag == 0x0431 && !qmult_applied)
++      else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width
++        && ph1.split_row > 0 && ph1.split_row < raw_height)
+       { /* Quadrant combined */
+         ushort lc[2][2][7], ref[7];
+         int qr, qc;
+@@ -331,6 +333,11 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++      unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++      if (w0 > 10240000 || w1 > 10240000)
++        throw LIBRAW_EXCEPTION_ALLOC;
++      if (w0 < 1 || w1 < 1)
++        throw LIBRAW_EXCEPTION_IO_CORRUPT;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
+@@ -356,10 +363,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++			if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++				frac = 0;
++			else
++			{
++				int xdiv = (xval[0][k] - xval[0][k - 1]);
++				frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++			}
++			if (k < w0 + w1)
++				mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++			else
++				mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
+--- libraw-0.20.2.orig/src/metadata/tiff.cpp
++++ libraw-0.20.2/src/metadata/tiff.cpp
+@@ -980,17 +980,20 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
++                if (fi >= 15)
+                 {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                    for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++                        wb_ind++, ofst += 3)
++                    {
++                        icWBC[Fuji_wb_list1[wb_ind]][1] =
++                            icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++                        icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++                        icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                    }
+                 }
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++                  if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++                    break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series	2023-05-20 21:44:42.000000000 +0200
+++ libraw-0.20.2/debian/patches/series	2025-05-18 21:09:05.000000000 +0200
@@ -1,2 +1,3 @@
 check-for-input-buffer-size-on-datastream-gets.patch
 do-not-set-shrink-flag-for-3-4-component-images.patch
+CVE-2025-43961_43962_43963_43964.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
Reply to: