From 6ca3ea7ce259b29c748b4f446022b8e0e14d4124b99ca029c1b37f2873430933 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 23 May 2017 06:55:24 +0000
Subject: [PATCH 1/4] - updated to 0.18.2: Fixed several errors (Secunia advisory SA75000) ACES colorspace output option included in dcraw_emu help page Avoided possible 32-bit overflows in Sony metadata parser Phase One flat field code called even for half-size output Camera Support: Sigma Quattro H Fixed bug in FujiExpoMidPointShift parser Fixed wrong black level in Sony A350 Added standard integer types for VisualStudio 2008 and earlier
OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=91
---
 LibRaw-0.18.0.tar.gz | 3 ---
 LibRaw-0.18.2.tar.gz | 3 +++
 libraw.changes | 13 +++++++++++++
 libraw.spec | 2 +-
 4 files changed, 17 insertions(+), 4 deletions(-)
 delete mode 100644 LibRaw-0.18.0.tar.gz
 create mode 100644 LibRaw-0.18.2.tar.gz
diff --git a/LibRaw-0.18.0.tar.gz b/LibRaw-0.18.0.tar.gz
deleted file mode 100644
index 33f1021..0000000
--- a/LibRaw-0.18.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d56a0c9a0e6d1b8c8c5585346acf2cfb0554eee0f0948da66f580cd65c8c5c9b
-size 1278737
diff --git a/LibRaw-0.18.2.tar.gz b/LibRaw-0.18.2.tar.gz
new file mode 100644
index 0000000..a1c6145
--- /dev/null
+++ b/LibRaw-0.18.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce366bb38c1144130737eb16e919038937b4dc1ab165179a225d5e847af2abc6
+size 1281674
diff --git a/libraw.changes b/libraw.changes
index 0d283d0..f370789 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue May 23 06:54:04 UTC 2017 - pgajdos@suse.com
+
+- updated to 0.18.2:
+ Fixed several errors (Secunia advisory SA75000)
+ ACES colorspace output option included in dcraw_emu help page
+ Avoided possible 32-bit overflows in Sony metadata parser
+ Phase One flat field code called even for half-size output
+ Camera Support: Sigma Quattro H
+ Fixed bug in FujiExpoMidPointShift parser
+ Fixed wrong black level in Sony A350
+ Added standard integer types for VisualStudio 2008 and earlier
+
 -------------------------------------------------------------------
 Mon Jan 30 14:58:42 UTC 2017 - pgajdos@suse.com
diff --git a/libraw.spec b/libraw.spec
index ed09586..9cbf564 100644
--- a/libraw.spec
+++ b/libraw.spec
@@ -21,7 +21,7 @@ Name: libraw
 %define lver 16
 %define lname libraw%{lver}
-Version: 0.18.0
+Version: 0.18.2
 Release: 0
 Summary: Library for reading RAW files obtained from digital photo cameras
 License: CDDL-1.0 or LGPL-2.1
From 42297d1b65bb7b8e0270708f9c77ce3d581202c6a142f6c97885499c4aaf2efa Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 23 May 2017 07:48:34 +0000
Subject: [PATCH 2/4] - added missing parts of the fix for CVE-2017-6887 and CVE-2017-6886 + libraw-CVE-2017-6887,6886.patch - added missing fix for CVE-2017-6890 and CVE-2017-6899 + libraw-CVE-2017-6890,6899.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=92
---
 libraw-CVE-2017-6887,6886.patch | 34 +++++++++++++++++++++++++++++++++
 libraw-CVE-2017-6890,6899.patch | 30 +++++++++++++++++++++++++++++
 libraw.changes | 5 +++++
 libraw.spec | 4 ++++
 4 files changed, 73 insertions(+)
 create mode 100644 libraw-CVE-2017-6887,6886.patch
 create mode 100644 libraw-CVE-2017-6890,6899.patch
diff --git a/libraw-CVE-2017-6887,6886.patch b/libraw-CVE-2017-6887,6886.patch
new file mode 100644
index 0000000..fcc1e36
--- /dev/null
+++ b/libraw-CVE-2017-6887,6886.patch
@@ -0,0 +1,34 @@
+From d7c3d2cb460be10a3ea7b32e9443a83c243b2251 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Sat, 4 Mar 2017 21:27:39 +0300
+Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns
+
+---
+ dcraw/dcraw.c | 12 ++++++++++--
+ internal/dcraw_common.cpp | 12 ++++++++++--
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+Index: LibRaw-0.18.2/dcraw/dcraw.c
+===================================================================
+--- LibRaw-0.18.2.orig/dcraw/dcraw.c 2017-05-23 09:32:51.733561941 +0200
++++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 09:38:40.867531376 +0200
+@@ -5842,6 +5842,10 @@ int CLASS parse_tiff_ifd (int base)
+ load_raw = &CLASS sony_arw_load_raw;
+ data_offset = get4()+base;
+ ifd++; break;
++#ifdef LIBRAW_LIBRARY_BUILD
++ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ }
+ while (len--) {
+ i = ftell(ifp);
+@@ -6005,6 +6009,8 @@ int CLASS parse_tiff_ifd (int base)
+ break;
+ case 50454: /* Sinar tag */
+ case 50455:
++ if (len < 1 || len > 2560000)
++ break;
+ if (!(cbuf = (char *) malloc(len))) break;
+ fread (cbuf, 1, len, ifp);
+ for (cp = cbuf-1; cp && cp < cbuf+len; cp = strchr(cp,'\n'))
diff --git a/libraw-CVE-2017-6890,6899.patch b/libraw-CVE-2017-6890,6899.patch
new file mode 100644
index 0000000..b9fcaaf
--- /dev/null
+++ b/libraw-CVE-2017-6890,6899.patch
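Review bot: In the Sinar-tag hunk of libraw-CVE-2017-6887,6886.patch, the new `len` bound does not make the scan right below it safe. `cbuf` comes from `malloc(len)`, the `fread` result is ignored, and the `for` loop on the next line walks the buffer with `strchr`, which needs a NUL terminator that none of the visible lines write, so a malformed file can still cause a read past the allocation. I would check the read and terminate the buffer before the loop: `if (fread (cbuf, 1, len, ifp) != len) { free (cbuf); break; }` followed by `cbuf[len-1] = 0;`. The loop body and the rest of parse_tiff_ifd are outside the hunk.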
@@ -0,0 +1,30 @@
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -319,7 +319,7 @@ void CLASS foveon_huff (ushort *huff)
+ void CLASS foveon_dp_load_raw()
+ {
+ unsigned c, roff[4], row, col, diff;
+- ushort huff[512], vpred[2][2], hpred[2];
++ ushort huff[1024], vpred[2][2], hpred[2];
+
+ fseek (ifp, 8, SEEK_CUR);
+ foveon_huff (huff);
+@@ -346,12 +346,16 @@ void CLASS foveon_dp_load_raw()
+ void CLASS foveon_load_camf()
+ {
+ unsigned type, wide, high, i, j, row, col, diff;
+- ushort huff[258], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
++ ushort huff[1024], vpred[2][2] = {{512,512},{512,512}}, hpred[2];
+
+ fseek (ifp, meta_offset, SEEK_SET);
+ type = get4(); get4(); get4();
+ wide = get4();
+ high = get4();
++#ifdef LIBRAW_LIBRARY_BUILD
++ if(wide>32767 || high > 32767 || wide*high > 20000000)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ if (type == 2) {
+ fread (meta_data, 1, meta_length, ifp);
+ for (i=0; i < meta_length; i++) {
+
diff --git a/libraw.changes b/libraw.changes
index f370789..3068ca3 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -10,6 +10,11 @@ Tue May 23 06:54:04 UTC 2017 - pgajdos@suse.com
 Fixed bug in FujiExpoMidPointShift parser
 Fixed wrong black level in Sony A350
 Added standard integer types for VisualStudio 2008 and earlier
+- added missing parts of the fix for CVE-2017-6887
+ and CVE-2017-6886
+ + libraw-CVE-2017-6887,6886.patch
+- added missing fix for CVE-2017-6890 and CVE-2017-6899
+ + libraw-CVE-2017-6890,6899.patch
 -------------------------------------------------------------------
 Mon Jan 30 14:58:42 UTC 2017 - pgajdos@suse.com
diff --git a/libraw.spec b/libraw.spec
index 9cbf564..5161001 100644
--- a/libraw.spec
+++ b/libraw.spec
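Review bot: libraw-CVE-2017-6890,6899.patch changes only `dcraw/dcraw.c` and starts directly at `--- a/dcraw/dcraw.c`, with no header saying where the fix comes from. The upstream diffstat embedded in the sibling patch lists `internal/dcraw_common.cpp` with the same number of changed lines, which suggests the code lives in both files. If the library is built from `internal/dcraw_common.cpp`, the `huff[1024]` sizing and the `wide`/`high` check protect the shipped binary only when that file already contains them, so please confirm that for 0.18.2. A short header would record it, for example `# Upstream commit: <commit-id>; fixes CVE-2017-6890, CVE-2017-6899; internal/dcraw_common.cpp verified for 0.18.2`. The same question applies to libraw-CVE-2017-6887,6886.patch, whose hunks also touch only `dcraw/dcraw.c`.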
@@ -30,6 +30,8 @@ Url: http://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source: http://www.libraw.org/data/%tar_name-%version.tar.gz
+Patch0: libraw-CVE-2017-6890,6899.patch
+Patch1: libraw-CVE-2017-6887,6886.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libjasper-devel
@@ -98,6 +100,8 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
+%patch0 -p1
+%patch1 -p1
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"
From 25e3a98c17fdb290e84655794678f19ee0bca2e45498ca030824a5e302298227 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 23 May 2017 08:33:35 +0000
Subject: [PATCH 3/4] OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=93
---
 libraw-CVE-2017-6887,6886.patch | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libraw-CVE-2017-6887,6886.patch b/libraw-CVE-2017-6887,6886.patch
index fcc1e36..1c23a6a 100644
--- a/libraw-CVE-2017-6887,6886.patch
+++ b/libraw-CVE-2017-6887,6886.patch
@@ -10,20 +10,25 @@ Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns
 Index: LibRaw-0.18.2/dcraw/dcraw.c
 ===================================================================
---- LibRaw-0.18.2.orig/dcraw/dcraw.c 2017-05-23 09:32:51.733561941 +0200
-+++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 09:38:40.867531376 +0200
-@@ -5842,6 +5842,10 @@ int CLASS parse_tiff_ifd (int base)
+--- LibRaw-0.18.2.orig/dcraw/dcraw.c 2017-05-23 10:30:39.264790336 +0200
++++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 10:33:01.327208294 +0200
+@@ -5841,8 +5841,14 @@ int CLASS parse_tiff_ifd (int base)
+ if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].width == 3872) {
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4()+base;
- ifd++; break;
+- ifd++; break;
++ ifd++;
 +#ifdef LIBRAW_LIBRARY_BUILD
 + if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
 + throw LIBRAW_EXCEPTION_IO_CORRUPT;
 +#endif
 }
++ /* not sure what is meant by that :) */
++ break;
 while (len--) {
 i = ftell(ifp);
+ fseek (ifp, get4()+base, SEEK_SET);
-@@ -6005,6 +6009,8 @@ int CLASS parse_tiff_ifd (int base)
+@@ -6005,6 +6011,8 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
From b99517535db6393ec5d124b395206ef6198cc244930dfb6fcadce16bec7e1e59 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Tue, 23 May 2017 09:16:14 +0000
Subject: [PATCH 4/4] OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=94
---
 libraw-CVE-2017-6887,6886.patch | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/libraw-CVE-2017-6887,6886.patch b/libraw-CVE-2017-6887,6886.patch
index 1c23a6a..1670a17 100644
--- a/libraw-CVE-2017-6887,6886.patch
+++ b/libraw-CVE-2017-6887,6886.patch
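Review bot: The `break;` that this revision of the embedded patch places after the closing `}` of the `DSLR-A100` branch runs for every input, not only that model, so the `while (len--)` loop right after it looks unreachable. Before this change the `break` sat inside the branch and other inputs fell through to that loop. To make the bounds check reachable without changing which inputs skip the loop, keep the `break;` inside the braces, directly after `#endif` and before `}`. The commit message is only an OBS-URL, so the reason for the move is not recorded. The enclosing `case` in parse_tiff_ifd starts outside the hunk.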
@@ -11,24 +11,22 @@ Subject: [PATCH] Secunia SA75000 advisory: several buffer overruns
 Index: LibRaw-0.18.2/dcraw/dcraw.c
 ===================================================================
 --- LibRaw-0.18.2.orig/dcraw/dcraw.c 2017-05-23 10:30:39.264790336 +0200
-+++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 10:33:01.327208294 +0200
-@@ -5841,8 +5841,14 @@ int CLASS parse_tiff_ifd (int base)
++++ LibRaw-0.18.2/dcraw/dcraw.c 2017-05-23 11:15:45.574900958 +0200
+@@ -5841,7 +5841,12 @@ int CLASS parse_tiff_ifd (int base)
 if (!strcmp(model,"DSLR-A100") && tiff_ifd[ifd].width == 3872) {
 load_raw = &CLASS sony_arw_load_raw;
 data_offset = get4()+base;
 - ifd++; break;
 + ifd++;
 +#ifdef LIBRAW_LIBRARY_BUILD
-+ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
-+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++ if (ifd >= sizeof tiff_ifd / sizeof tiff_ifd[0])
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
 +#endif
++ break;
 }
-+ /* not sure what is meant by that :) */
-+ break;
 while (len--) {
 i = ftell(ifp);
- fseek (ifp, get4()+base, SEEK_SET);
-@@ -6005,6 +6011,8 @@ int CLASS parse_tiff_ifd (int base)
+@@ -6005,6 +6010,8 @@ int CLASS parse_tiff_ifd (int base)
 break;
 case 50454: /* Sinar tag */
 case 50455:
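Review bot: Nothing records why this security patch was edited again: the commit message is only an OBS-URL and the diffstat shows libraw.changes untouched. The hunk moves `break;` back inside the `DSLR-A100` branch, which changes which inputs reach the `while (len--)` loop. The first ten lines of the patch file are not touched, so its header still presents the body as upstream commit d7c3d2cb460be10a3ea7b32e9443a83c243b2251 with that commit's diffstat, and a later auditor cannot tell the body was revised in this series. I would add a line under the patch's `Subject:` such as `# Adapted for LibRaw 0.18.2: bounds check inserted between ifd++ and the existing break`, plus a matching libraw.changes entry.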