Accepting request 627331 from graphics

OBS-URL: https://build.opensuse.org/request/show/627331
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libraw?expand=0&rev=49

LibRaw-0.18.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d2ef177032e6d804fc512b206d02c393fca26be43ecd136cc26926407273b24e
-size 1282015

LibRaw-0.19.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e83f51e83b19f9ba6b8bd144475fc12edf2d7b3b930d8d280bdebd8a8f3ed259
+size 1300662

libraw-Add-Sony-ILCE-7M3.patch

@@ -0,0 +1,64 @@
+From a340f3d299f73b2ae25678f7b59fc2167d7c6fc1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Fri, 4 May 2018 10:50:10 +0200
+Subject: [PATCH] Add Sony ILCE-7M3
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ dcraw/dcraw.c             | 11 +++++++----
+ internal/dcraw_common.cpp | 11 +++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index 0a9afa2..80b91c4 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -8331,7 +8331,7 @@ void CLASS setSonyBodyFeatures(unsigned id)
+       {360, LIBRAW_FORMAT_APSC, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 8, 0x0346, 0x01cd},
+       {361, 0, 0, 0, 0, 0, 0xffff, 0xffff},
+       {362, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 9, 0x0320, 0x019f},
+-      {363, 0, 0, 0, 0, 0, 0xffff, 0xffff},
++      {363, LIBRAW_FORMAT_FF, LIBRAW_MOUNT_Sony_E, LIBRAW_SONY_ILCE, 0, 0, 0x0320, 0x019f},
+       {364, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC, LIBRAW_MOUNT_FixedLens, 8, 0x0346, 0xffff},
+       {365, LIBRAW_FORMAT_1INCH, LIBRAW_MOUNT_FixedLens, LIBRAW_SONY_DSC, LIBRAW_MOUNT_FixedLens, 9, 0x0320, 0xffff},
+   };
+@@ -8623,7 +8623,7 @@ void CLASS process_Sony_0x9050(uchar *buf, ushort len, unsigned id)
+     parseSonyLensFeatures(SonySubstitution[buf[0x116]], SonySubstitution[buf[0x117]]);
+   }
+ 
+-  if ((id == 347) || (id == 350) || (id == 354) || (id == 357) || (id == 358) || (id == 360) || (id == 362))
++  if ((id == 347) || (id == 350) || (id == 354) || (id == 357) || (id == 358) || (id == 360) || (id == 362) || (id == 363))
+   {
+     if (len <= 0x8d)
+       return;
+@@ -8687,7 +8687,7 @@ void CLASS process_Sony_0x9400(uchar *buf, ushort len, unsigned id)
+   if (((bufx == 0x23) || (bufx == 0x24) || (bufx == 0x26)) && (len >= 0x1f))
+   { // 0x9400 'c' version
+ 
+-    if ((id == 358) || (id == 362) || (id == 365))
++    if ((id == 358) || (id == 362) || (id == 363) || (id == 365))
+     {
+       imgdata.makernotes.sony.ShotNumberSincePowerUp = SonySubstitution[buf[0x0a]];
+     }
+@@ -17094,6 +17094,8 @@ void CLASS adobe_coeff(const char *t_make, const char *t_model
+       { 6389,-1703,-378,-4562,12265,2587,-670,1489,6550 } },
+     { "Sony ILCE-7M2", 0, 0,
+       { 5271,-712,-347,-6153,13653,2763,-1601,2366,7242 } },
++    { "Sony ILCE-7M3", 0, 0,
++      { 7374,-2389,-551,-5435,13162,2519,-1006,1795,6552 } },
+     { "Sony ILCE-7SM2", 0, 0,
+       { 5838,-1430,-246,-3497,11477,2297,-748,1885,5778 } },
+     { "Sony ILCE-7S", 0, 0,
+@@ -17472,7 +17474,8 @@ void CLASS identify()
+         {0x155, "DSC-RX100M4"}, {0x156, "DSC-RX10M2"},  {0x158, "DSC-RX1RM2"}, {0x15a, "ILCE-QX1"},
+         {0x15b, "ILCE-7RM2"},   {0x15e, "ILCE-7SM2"},   {0x161, "ILCA-68"},    {0x162, "ILCA-99M2"},
+         {0x163, "DSC-RX10M3"},  {0x164, "DSC-RX100M5"}, {0x165, "ILCE-6300"},  {0x166, "ILCE-9"},
+-        {0x168, "ILCE-6500"},   {0x16a, "ILCE-7RM3"},   {0x16c, "DSC-RX0"},    {0x16d, "DSC-RX10M4"},
++        {0x168, "ILCE-6500"},   {0x16a, "ILCE-7RM3"},   {0x16b, "ILCE-7M3"},   {0x16c, "DSC-RX0"},
++        {0x16d, "DSC-RX10M4"},
+     };
+ 
+ #ifdef LIBRAW_LIBRARY_BUILD
+-- 
+2.16.3
+

libraw-CVE-2018-10528.patch

@@ -1,37 +0,0 @@
-Index: LibRaw-0.18.9/src/libraw_cxx.cpp
-===================================================================
---- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2018-04-30 11:13:15.126021499 +0200
-+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2018-04-30 11:16:43.677077398 +0200
-@@ -5484,17 +5484,18 @@ void x3f_clear(void *p)
-   x3f_delete((x3f_t*)p);
- }
- 
--static char *utf2char(utf16_t *str, char *buffer)
-+void utf2char(utf16_t *str, char *buffer, unsigned bufsz)
- {
-+ if(bufsz<1) return;
-+ buffer[bufsz-1] = 0;
-   char *b = buffer;
- 
--  while (*str != 0x00) {
-+  while (*str != 0x00 && --bufsz>0) {
-     char *chr = (char *)str;
-     *b++ = *chr;
-     str++;
-   }
-   *b = 0;
--  return buffer;
- }
- 
- static void *lr_memmem(const void *l, size_t l_len, const void *s, size_t s_len)
-@@ -5555,8 +5556,8 @@ void LibRaw::parse_x3f()
- 		  x3f_property_t *P = PL->property_table.element;
- 		  for (i=0; i<PL->num_properties; i++) {
- 			  char name[100], value[100];
--			  utf2char(P[i].name,name);
--			  utf2char(P[i].value,value);
-+			  utf2char(P[i].name,name,sizeof(name));
-+			  utf2char(P[i].value,value,sizeof(value));
- 			  if (!strcmp (name, "ISO"))
- 				  imgdata.other.iso_speed = atoi(value);
- 			  if (!strcmp (name, "CAMMANUF"))

libraw-CVE-2018-10529.patch

@@ -1,79 +0,0 @@
-Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
-===================================================================
---- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp	2018-04-24 16:23:24.000000000 +0200
-+++ LibRaw-0.18.9/internal/libraw_x3f.cpp	2018-04-30 11:35:17.477351409 +0200
-@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
-   /* Computed */
-   utf16_t *name;		/* 0x0000 terminated UTF 16 */
-   utf16_t *value;               /* 0x0000 terminated UTF 16 */
--  char *name_utf8;		/* converted to UTF 8 */
--  char *value_utf8;          /* converted to UTF 8 */
- } x3f_property_t;
- 
- typedef struct x3f_property_table_s {
-@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datast
- 		int _cur = _file->_func(_buffer,1,_left);	\
- 		if (_cur == 0) {							\
- 			throw LIBRAW_EXCEPTION_IO_CORRUPT;		\
--			exit(1);								\
- 		}											\
- 		_left -= _cur;								\
- 	}												\
-@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t
- 			if (PL)
- 			{
- 				int i;
--
--				for (i = 0; i < PL->property_table.size; i++) {
--					FREE(PL->property_table.element[i].name_utf8);
--					FREE(PL->property_table.element[i].value_utf8);
--				}
- 			}
- 			FREE(PL->property_table.element);
- 			FREE(PL->data);
-@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_i
- 
- 	if (!PL->data_size)
- 		PL->data_size = read_data_block(&PL->data, I, DE, 0);
-+	uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
- 
- 	for (i=0; i<PL->num_properties; i++) {
- 		x3f_property_t *P = &PL->property_table.element[i];
--
-+		if(P->name_offset > maxoffset || P->value_offset > maxoffset)
-+			throw LIBRAW_EXCEPTION_IO_CORRUPT;
- 		P->name = ((utf16_t *)PL->data + P->name_offset);
- 		P->value = ((utf16_t *)PL->data + P->value_offset);
--		P->name_utf8 = 0;// utf16le_to_utf8(P->name);
--		P->value_utf8 = 0;//utf16le_to_utf8(P->value);
- 	}
- }
- 
-Index: LibRaw-0.18.9/src/libraw_cxx.cpp
-===================================================================
---- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2018-04-30 11:35:17.477351409 +0200
-+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2018-04-30 11:38:21.568048079 +0200
-@@ -5551,13 +5551,21 @@ void LibRaw::parse_x3f()
- 	  // Parse property list
- 	  DEH = &DE->header;
- 	  x3f_property_list_t *PL = &DEH->data_subsection.property_list;
-+          utf16_t *datap = (utf16_t*) PL->data;
-+          uint32_t maxitems = PL->data_size/sizeof(utf16_t);
- 	  if (PL->property_table.size != 0) {
- 		  int i;
- 		  x3f_property_t *P = PL->property_table.element;
- 		  for (i=0; i<PL->num_properties; i++) {
- 			  char name[100], value[100];
--			  utf2char(P[i].name,name,sizeof(name));
--			  utf2char(P[i].value,value,sizeof(value));
-+                          int noffset = (P[i].name - datap);
-+                          int voffset = (P[i].value - datap);
-+                          if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
-+                             throw LIBRAW_EXCEPTION_IO_CORRUPT;
-+                          int maxnsize = maxitems - (P[i].name - datap);
-+                          int maxvsize = maxitems - (P[i].value - datap);
-+                          utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
-+                          utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
- 			  if (!strcmp (name, "ISO"))
- 				  imgdata.other.iso_speed = atoi(value);
- 			  if (!strcmp (name, "CAMMANUF"))

libraw-CVE-2018-5813.patch

@@ -0,0 +1,42 @@
+Index: LibRaw-0.19.0/internal/dcraw_common.cpp
+===================================================================
+--- LibRaw-0.19.0.orig/internal/dcraw_common.cpp	2018-08-01 12:52:18.288642432 +0200
++++ LibRaw-0.19.0/internal/dcraw_common.cpp	2018-08-01 13:13:55.263263676 +0200
+@@ -14413,8 +14413,13 @@ void CLASS apply_tiff()
+ 
+ void CLASS parse_minolta(int base)
+ {
+-  int save, tag, len, offset, high = 0, wide = 0, i, c;
++  int tag, len, offset, high = 0, wide = 0, i, c;
+   short sorder = order;
++#ifdef LIBRAW_LIBRARY_BUILD
++  INT64 save;
++#else
++  int save;
++#endif
+ 
+   fseek(ifp, base, SEEK_SET);
+   if (fgetc(ifp) || fgetc(ifp) - 'M' || fgetc(ifp) - 'R')
+@@ -14422,8 +14427,9 @@ void CLASS parse_minolta(int base)
+   order = fgetc(ifp) * 0x101;
+   offset = base + get4() + 8;
+ #ifdef LIBRAW_LIBRARY_BUILD
+-  if(offset>ifp->size()-8) // At least 8 bytes for tag/len
+-    offset = ifp->size()-8;
++  INT64 fsize = ifp->size();
++  if(offset>fsize-8) // At least 8 bytes for tag/len
++    offset = fsize-8;
+ #endif
+ 
+   while ((save = ftell(ifp)) < offset)
+@@ -14433,6 +14439,10 @@ void CLASS parse_minolta(int base)
+     len = get4();
+     if(len < 0)
+       return; // just ignore wrong len?? or raise bad file exception?
++#ifdef LIBRAW_LIBRARY_BUILD
++    if((INT64)len + save + 8ULL > save)
++      return; // just ignore out of file metadata, stop parse
++#endif
+     switch (tag)
+     {
+     case 0x505244: /* PRD */

libraw.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu Aug  2 08:33:57 UTC 2018 - asn@cryptomilk.org
+
+- Add patch libraw-Add-Sony-ILCE-7M3.patch
+  * See https://github.com/LibRaw/LibRaw/pull/145
+  * The patch has been cut, the tarball from the download section
+    doesn't match the git tag. dcraw/dcraw.c is totall different.
+- Use %license tag
+
+-------------------------------------------------------------------
+Wed Aug  1 11:07:43 UTC 2018 - pgajdos@suse.com
+
+- security update
+  * CVE-2018-5813 [bsc#1103200]
+    + libraw-CVE-2018-5813.patch
+
+-------------------------------------------------------------------
+Wed Aug  1 10:13:46 UTC 2018 - pgajdos@suse.com
+
+- new upstream branch, version 0.19.x
+  * fixes CVE-2018-10529 and CVE-2018-10528, hence removing
+    . libraw-CVE-2018-10528.patch
+    . libraw-CVE-2018-10529.patch
+  * the rest of changes at
+    https://www.libraw.org/download#stable
+
 -------------------------------------------------------------------
 Mon Apr 30 09:18:00 UTC 2018 - pgajdos@suse.com
 

libraw.spec

@@ -17,10 +17,10 @@
 
 
 %define tar_name LibRaw
-%define lver    16
+%define lver    19
 %define lname	libraw%{lver}
 Name:           libraw
-Version:        0.18.9
+Version:        0.19.0
 Release:        0
 Summary:        Library for reading RAW files obtained from digital photo cameras
 License:        CDDL-1.0 OR LGPL-2.1-only
@@ -28,8 +28,8 @@ Group:          Development/Libraries/C and C++
 Url:            https://www.libraw.org/
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source:         https://www.libraw.org/data/%tar_name-%version.tar.gz
-Patch0:         libraw-CVE-2018-10528.patch
+Patch0:         libraw-CVE-2018-5813.patch
-Patch1:         libraw-CVE-2018-10529.patch
+Patch1:         libraw-Add-Sony-ILCE-7M3.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libjasper-devel
@@ -96,7 +96,7 @@ This package contains static libraries that applications can use to build
 against LibRaw. LibRaw does not provide dynamic libraries.
 
 %prep
-%setup -qn %tar_name-%version
+%setup -q -n %{tar_name}-%{version}
 %patch0 -p1
 %patch1 -p1
 
@@ -126,7 +126,8 @@ rm -rf %buildroot%_datadir/doc
 %_bindir/*
 
 %files devel
-%doc Changelog.txt COPYRIGHT LICENSE.CDDL LICENSE.LGPL
+%doc Changelog.txt
+%license COPYRIGHT LICENSE.CDDL LICENSE.LGPL
 %doc manual
 %_includedir/%name/
 %_libdir/pkgconfig/*.pc