- added missing parts of the fix for CVE-2017-6887

and CVE-2017-6886 + libraw-CVE-2017-6887,6886.patch - added missing fix for CVE-2017-6890 and CVE-2017-6899 + libraw-CVE-2017-6890,6899.patch OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=92
2017-05-23 07:48:34 +00:00 · 2017-05-23 07:48:34 +00:00 · 42297d1b65
commit 42297d1b65
parent 6ca3ea7ce2
4 changed files with 73 additions and 0 deletions
--- a/libraw-CVE-2017-6887,6886.patch
+++ b/libraw-CVE-2017-6887,6886.patch
@ -0,0 +1,34 @@
 From d7c3d2cb460be10a3ea7b32e9443a83c243b2251 Mon Sep 17 00:00:00 2001
 From: Alex Tutubalin <lexa@lexa.ru>
 Date: Sat, 4 Mar 2017 21:27:39 +0300
 Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns
 ---
 dcraw/dcraw.c             | 12 ++++++++++--
 internal/dcraw_common.cpp | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)
 Index: LibRaw-0.18.2/dcraw/dcraw.c
 ===================================================================
 --- LibRaw-0.18.2.orig/dcraw/dcraw.c	2017-05-23 09:32:51.733561941 +0200
 +++ LibRaw-0.18.2/dcraw/dcraw.c	2017-05-23 09:38:40.867531376 +0200
@@ -5842,6 +5842,10 @@ int CLASS parse_tiff_ifd (int base)
 	  load_raw = &CLASS sony_arw_load_raw;
 	  data_offset = get4()+base;
 	  ifd++;  break;
 +#ifdef LIBRAW_LIBRARY_BUILD
 +       if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
 +         throw LIBRAW_EXCEPTION_IO_CORRUPT;
 +#endif  
 	}
 	while (len--) {
 	  i = ftell(ifp);
@@ -6005,6 +6009,8 @@ int CLASS parse_tiff_ifd (int base)
 	break;
       case 50454:			/* Sinar tag */
       case 50455:
 +        if (len < 1 || len > 2560000)
 +          break;
 	if (!(cbuf = (char *) malloc(len))) break;
 	fread (cbuf, 1, len, ifp);
 	for (cp = cbuf-1; cp && cp < cbuf+len; cp = strchr(cp,'\n'))
--- a/libraw-CVE-2017-6890,6899.patch
+++ b/libraw-CVE-2017-6890,6899.patch
@ -0,0 +1,30 @@
 --- a/dcraw/dcraw.c
 +++ b/dcraw/dcraw.c
@@ -319,7 +319,7 @@ void CLASS foveon_huff (ushort *huff)
 void CLASS foveon_dp_load_raw()
 {
   unsigned c, roff[4], row, col, diff;
 -  ushort huff[512], vpred[2][2], hpred[2];
 +  ushort huff[1024], vpred[2][2], hpred[2];
   fseek (ifp, 8, SEEK_CUR);
   foveon_huff (huff);
@@ -346,12 +346,16 @@ void CLASS foveon_dp_load_raw()
 void CLASS foveon_load_camf()
 {
   unsigned type, wide, high, i, j, row, col, diff;
 -  ushort huff[258], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
 +  ushort huff[1024], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
   fseek (ifp, meta_offset, SEEK_SET);
   type = get4();  get4();  get4();
   wide = get4();
   high = get4();
 +#ifdef LIBRAW_LIBRARY_BUILD
 +  if(wide>32767 || high > 32767 || wide*high > 20000000)
 +     throw LIBRAW_EXCEPTION_IO_CORRUPT;
 +#endif
   if (type == 2) {
     fread (meta_data, 1, meta_length, ifp);
     for (i=0; i < meta_length; i++) {
--- a/libraw.changes
+++ b/libraw.changes
@ -10,6 +10,11 @@ Tue May 23 06:54:04 UTC 2017 - pgajdos@suse.com
    Fixed bug in FujiExpoMidPointShift parser
    Fixed wrong black level in Sony A350
    Added standard integer types for VisualStudio 2008 and earlier
 - added missing parts of the fix for CVE-2017-6887 
  and CVE-2017-6886
    + libraw-CVE-2017-6887,6886.patch
 - added missing fix for CVE-2017-6890 and CVE-2017-6899
  + libraw-CVE-2017-6890,6899.patch
 -------------------------------------------------------------------
 Mon Jan 30 14:58:42 UTC 2017 - pgajdos@suse.com
--- a/libraw.spec
+++ b/libraw.spec
@ -30,6 +30,8 @@ Url:            http://www.libraw.org/
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source:         http://www.libraw.org/data/%tar_name-%version.tar.gz
 Patch0:         libraw-CVE-2017-6890,6899.patch
 Patch1:         libraw-CVE-2017-6887,6886.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libjasper-devel
@ -98,6 +100,8 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
 %patch0 -p1
 %patch1 -p1
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"