From 6fbdde71f7d0b6f69c92f7749f43b882d13c415123fd88ac78d41eb570f3b7df Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 2 May 2023 13:50:12 +0000
Subject: [PATCH] - security update

- added patches
  fix CVE-2023-1729 [bsc#1210720], a heap-buffer-overflow in raw2image_ex()
  + libraw-CVE-2023-1729.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=152
---
 libraw-CVE-2023-1729.patch | 14 ++++++++++++++
 libraw.changes | 8 ++++++++
 libraw.spec | 4 +++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 libraw-CVE-2023-1729.patch

diff --git a/libraw-CVE-2023-1729.patch b/libraw-CVE-2023-1729.patch
new file mode 100644
index 0000000..883131f
--- /dev/null
+++ b/libraw-CVE-2023-1729.patch
@@ -0,0 +1,14 @@
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index e65e2ad7..702cf290 100644
+--- a/src/preprocessing/raw2image.cpp
++++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+ 
+ // adjust for half mode!
+ IO.shrink =
++ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
++ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+ P1.filters &&
+ (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+ 
+
diff --git a/libraw.changes b/libraw.changes
index c37da36..46a97c2 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue May 2 13:49:55 UTC 2023 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2023-1729 [bsc#1210720], a heap-buffer-overflow in raw2image_ex()
+  + libraw-CVE-2023-1729.patch
+
 -------------------------------------------------------------------
 Wed Jan 18 09:52:26 UTC 2023 - Dirk Müller
 
diff --git a/libraw.spec b/libraw.spec
index 13a6501..a074259 100644
--- a/libraw.spec
+++ b/libraw.spec
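Review bot: The two added terms in raw2image_start() turn half_size/aberration shrinking off whenever a color3/color4/float3/float4 raw buffer is present, but nothing in the patch says why those four buffers are excluded in addition to `P1.filters`; a one-line comment above the new terms would help the next rebase, e.g. `// never shrink multi-component color/float raw buffers (CVE-2023-1729, bsc#1210720)`. The patch file also has no header naming its origin — add a first line such as `Upstream: <UPSTREAM-COMMIT-ID placeholder>` (or `Upstream: not yet submitted`) so it can be dropped at the next version bump, and carry the same reference in the `Patch0:` comment in libraw.spec (first hunk of that file). The overflow is presumably in raw2image_ex() consuming IO.shrink, which is not in this hunk; it is worth confirming that no other consumer of IO.shrink still expects it to be set for these buffers. raw2image_start() continues outside the hunk.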
@@ -32,6 +32,8 @@ URL: https://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source0: https://www.libraw.org/data/%tar_name-%version.tar.gz
 Source1: baselibs.conf
+# CVE-2023-1729 [bsc#1210720], a heap-buffer-overflow in raw2image_ex()
+Patch0: libraw-CVE-2023-1729.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
@@ -100,7 +102,7 @@ This package contains static libraries that applications can use to
 build against LibRaw. LibRaw does not provide dynamic libraries.
 
 %prep
-%setup -q -n %{tar_name}-%{version}
+%autosetup -p1 -n %{tar_name}-%{version}
 
 %build
 %global _lto_cflags %{_lto_cflags} -ffat-lto-objects