- security update

* CVE-2018-10528 [bsc#1091345] + libraw-CVE-2018-10528.patch * CVE-2018-10529 [bsc#1091346] + libraw-CVE-2018-10529.patch - Updated to version 0.18.9: * samsung_load_raw: possible buffer overrun * rollei_load_raw: possible buffer overrun * nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer * find_green: possible stack overrun * parse_exif: possible stack overrun OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=113
2018-04-30 09:43:09 +00:00 · 2018-04-30 09:43:09 +00:00 · 8834ddc7f5
commit 8834ddc7f5
parent 978b862ceb
6 changed files with 144 additions and 5 deletions
--- a/LibRaw-0.18.8.tar.gz
+++ b/LibRaw-0.18.8.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56aca4fd97038923d57d2d17d90aa11d827f1f3d3f1d97e9f5a0d52ff87420e2
-size 1281773
--- a/LibRaw-0.18.9.tar.gz
+++ b/LibRaw-0.18.9.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2ef177032e6d804fc512b206d02c393fca26be43ecd136cc26926407273b24e
+size 1282015
--- a/libraw-CVE-2018-10528.patch
+++ b/libraw-CVE-2018-10528.patch
@ -0,0 +1,37 @@
+Index: LibRaw-0.18.9/src/libraw_cxx.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2018-04-30 11:13:15.126021499 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2018-04-30 11:16:43.677077398 +0200
+@@ -5484,17 +5484,18 @@ void x3f_clear(void *p)
+   x3f_delete((x3f_t*)p);
+ }
+ 
+-static char *utf2char(utf16_t *str, char *buffer)
+void utf2char(utf16_t *str, char *buffer, unsigned bufsz)
+ {
+ if(bufsz<1) return;
+ buffer[bufsz-1] = 0;
+   char *b = buffer;
+ 
+-  while (*str != 0x00) {
+  while (*str != 0x00 && --bufsz>0) {
+     char *chr = (char *)str;
+     *b++ = *chr;
+     str++;
+   }
+   *b = 0;
+-  return buffer;
+ }
+ 
+ static void *lr_memmem(const void *l, size_t l_len, const void *s, size_t s_len)
+@@ -5555,8 +5556,8 @@ void LibRaw::parse_x3f()
+ 		  x3f_property_t *P = PL->property_table.element;
+ 		  for (i=0; i<PL->num_properties; i++) {
+ 			  char name[100], value[100];
+-			  utf2char(P[i].name,name);
+-			  utf2char(P[i].value,value);
+			  utf2char(P[i].name,name,sizeof(name));
+			  utf2char(P[i].value,value,sizeof(value));
+ 			  if (!strcmp (name, "ISO"))
+ 				  imgdata.other.iso_speed = atoi(value);
+ 			  if (!strcmp (name, "CAMMANUF"))
--- a/libraw-CVE-2018-10529.patch
+++ b/libraw-CVE-2018-10529.patch
@ -0,0 +1,79 @@
+Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp	2018-04-24 16:23:24.000000000 +0200
+++ LibRaw-0.18.9/internal/libraw_x3f.cpp	2018-04-30 11:35:17.477351409 +0200
+@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
+   /* Computed */
+   utf16_t *name;		/* 0x0000 terminated UTF 16 */
+   utf16_t *value;               /* 0x0000 terminated UTF 16 */
+-  char *name_utf8;		/* converted to UTF 8 */
+-  char *value_utf8;          /* converted to UTF 8 */
+ } x3f_property_t;
+ 
+ typedef struct x3f_property_table_s {
+@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datast
+ 		int _cur = _file->_func(_buffer,1,_left);	\
+ 		if (_cur == 0) {							\
+ 			throw LIBRAW_EXCEPTION_IO_CORRUPT;		\
+-			exit(1);								\
+ 		}											\
+ 		_left -= _cur;								\
+ 	}												\
+@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t
+ 			if (PL)
+ 			{
+ 				int i;
+-
+-				for (i = 0; i < PL->property_table.size; i++) {
+-					FREE(PL->property_table.element[i].name_utf8);
+-					FREE(PL->property_table.element[i].value_utf8);
+-				}
+ 			}
+ 			FREE(PL->property_table.element);
+ 			FREE(PL->data);
+@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_i
+ 
+ 	if (!PL->data_size)
+ 		PL->data_size = read_data_block(&PL->data, I, DE, 0);
+	uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
+ 
+ 	for (i=0; i<PL->num_properties; i++) {
+ 		x3f_property_t *P = &PL->property_table.element[i];
+-
+		if(P->name_offset > maxoffset || P->value_offset > maxoffset)
+			throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ 		P->name = ((utf16_t *)PL->data + P->name_offset);
+ 		P->value = ((utf16_t *)PL->data + P->value_offset);
+-		P->name_utf8 = 0;// utf16le_to_utf8(P->name);
+-		P->value_utf8 = 0;//utf16le_to_utf8(P->value);
+ 	}
+ }
+ 
+Index: LibRaw-0.18.9/src/libraw_cxx.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp	2018-04-30 11:35:17.477351409 +0200
+++ LibRaw-0.18.9/src/libraw_cxx.cpp	2018-04-30 11:38:21.568048079 +0200
+@@ -5551,13 +5551,21 @@ void LibRaw::parse_x3f()
+ 	  // Parse property list
+ 	  DEH = &DE->header;
+ 	  x3f_property_list_t *PL = &DEH->data_subsection.property_list;
+          utf16_t *datap = (utf16_t*) PL->data;
+          uint32_t maxitems = PL->data_size/sizeof(utf16_t);
+ 	  if (PL->property_table.size != 0) {
+ 		  int i;
+ 		  x3f_property_t *P = PL->property_table.element;
+ 		  for (i=0; i<PL->num_properties; i++) {
+ 			  char name[100], value[100];
+-			  utf2char(P[i].name,name,sizeof(name));
+-			  utf2char(P[i].value,value,sizeof(value));
+                          int noffset = (P[i].name - datap);
+                          int voffset = (P[i].value - datap);
+                          if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
+                             throw LIBRAW_EXCEPTION_IO_CORRUPT;
+                          int maxnsize = maxitems - (P[i].name - datap);
+                          int maxvsize = maxitems - (P[i].value - datap);
+                          utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
+                          utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
+ 			  if (!strcmp (name, "ISO"))
+ 				  imgdata.other.iso_speed = atoi(value);
+ 			  if (!strcmp (name, "CAMMANUF"))
--- a/libraw.changes
+++ b/libraw.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Apr 30 09:18:00 UTC 2018 - pgajdos@suse.com
+
+- security update
+  * CVE-2018-10528 [bsc#1091345]
+    + libraw-CVE-2018-10528.patch
+  * CVE-2018-10529 [bsc#1091346]
+    + libraw-CVE-2018-10529.patch
+
+-------------------------------------------------------------------
+Mon Apr 30 08:59:33 UTC 2018 - kbabioch@suse.com
+
+- Updated to version 0.18.9:
+  * samsung_load_raw: possible buffer overrun
+  * rollei_load_raw: possible buffer overrun
+  * nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer
+  * find_green: possible stack overrun
+  * parse_exif: possible stack overrun
+
 -------------------------------------------------------------------
 Fri Mar  9 12:41:28 UTC 2018 - kbabioch@suse.com

--- a/libraw.spec
+++ b/libraw.spec
@ -20,14 +20,16 @@
 %define lver    16
 %define lname	libraw%{lver}
 Name:           libraw
-Version:        0.18.8
+Version:        0.18.9
 Release:        0
 Summary:        Library for reading RAW files obtained from digital photo cameras
-License:        CDDL-1.0 OR LGPL-2.1
+License:        CDDL-1.0 OR LGPL-2.1-only
 Group:          Development/Libraries/C and C++
 Url:            https://www.libraw.org/
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source:         https://www.libraw.org/data/%tar_name-%version.tar.gz
+Patch0:         libraw-CVE-2018-10528.patch
+Patch1:         libraw-CVE-2018-10529.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  libjasper-devel
@ -95,6 +97,8 @@ against LibRaw. LibRaw does not provide dynamic libraries.

 %prep
 %setup -qn %tar_name-%version
+%patch0 -p1
+%patch1 -p1

 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"