From 190b1818b5a6f04a7244426024f6dce70581eea3edde15e907d758ee911de010 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Mon, 25 Sep 2017 12:52:49 +0000
Subject: [PATCH] - updated to 0.18.5:
 Fix for possible buffer overrun in kodak_65000 decoder
 Fix for possible heap overrun in Canon makernotes parser
 Fix for CVE-2017-13735
 CVE-2017-14265: Additional check for X-Trans CFA pattern data
 - remove upstreamed libraw-out-of-bounds-kodak.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=101
---
 LibRaw-0.18.4.tar.gz | 3 ---
 LibRaw-0.18.5.tar.gz | 3 +++
 libraw-out-of-bounds-kodak.patch | 23 -----------------------
 libraw.changes | 10 ++++++++++
 libraw.spec | 4 +---
 5 files changed, 14 insertions(+), 29 deletions(-)
 delete mode 100644 LibRaw-0.18.4.tar.gz
 create mode 100644 LibRaw-0.18.5.tar.gz
 delete mode 100644 libraw-out-of-bounds-kodak.patch

diff --git a/LibRaw-0.18.4.tar.gz b/LibRaw-0.18.4.tar.gz
deleted file mode 100644
index 9f84616..0000000
--- a/LibRaw-0.18.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eaf4931b46e65861e88bbe704ccf370381e94d63e9a898b889ded4e0cb3b0c97
-size 1281104
diff --git a/LibRaw-0.18.5.tar.gz b/LibRaw-0.18.5.tar.gz
new file mode 100644
index 0000000..ead95eb
--- /dev/null
+++ b/LibRaw-0.18.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa2a7d14d9dfaf6b368f958a76d79266b3f58c2bc367bebab56e11baa94da178
+size 1280046
diff --git a/libraw-out-of-bounds-kodak.patch b/libraw-out-of-bounds-kodak.patch
deleted file mode 100644
index 9816a2e..0000000
--- a/libraw-out-of-bounds-kodak.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2
-diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
-index 18bcdbcb..8fb2b073 100644
---- a/internal/dcraw_common.cpp
-+++ b/internal/dcraw_common.cpp
-@@ -3240,8 +3240,15 @@ void CLASS kodak_65000_load_raw()
- len = MIN (256, width-col);
- ret = kodak_65000_decode (buf, len);
- for (i=0; i < len; i++)
-- if ((RAW(row,col+i) = curve[ret ? buf[i] :
-- (pred[i & 1] += buf[i])]) >> 12) derror();
-+ {
-+ int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
-+ if(idx >=0 && idx <= 0xffff)
-+ {
-+ if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
-+ }
-+ else
-+ derror();
-+ }
- }
- }
- }
diff --git a/libraw.changes b/libraw.changes
index 0e96289..4defece 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Sep 25 12:42:43 UTC 2017 - pgajdos@suse.com
+
+- updated to 0.18.5:
+ Fix for possible buffer overrun in kodak_65000 decoder
+ Fix for possible heap overrun in Canon makernotes parser
+ Fix for CVE-2017-13735
+ CVE-2017-14265: Additional check for X-Trans CFA pattern data
+- remove upstreamed libraw-out-of-bounds-kodak.patch
+
 -------------------------------------------------------------------
 Wed Sep 13 10:25:35 UTC 2017 - pgajdos@suse.com
diff --git a/libraw.spec b/libraw.spec
index 36f3d24..8ead55c 100644
--- a/libraw.spec
+++ b/libraw.spec
@@ -21,7 +21,7 @@ Name: libraw
 %define lver 16
 %define lname libraw%{lver}
-Version: 0.18.4
+Version: 0.18.5
 Release: 0
 Summary: Library for reading RAW files obtained from digital photo cameras
 License: CDDL-1.0 or LGPL-2.1
@@ -30,7 +30,6 @@ Url: http://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source: http://www.libraw.org/data/%tar_name-%version.tar.gz
-Patch0: libraw-out-of-bounds-kodak.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libjasper-devel
@@ -99,7 +98,6 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
-%patch0 -p1
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"