From 8834ddc7f57c7def44f365377cca77cf124a07819c8e1261cc60f638cb77b264 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Mon, 30 Apr 2018 09:43:09 +0000
Subject: [PATCH] - security update * CVE-2018-10528 [bsc#1091345] + libraw-CVE-2018-10528.patch * CVE-2018-10529 [bsc#1091346] + libraw-CVE-2018-10529.patch - Updated to version 0.18.9: * samsung_load_raw: possible buffer overrun * rollei_load_raw: possible buffer overrun * nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer * find_green: possible stack overrun * parse_exif: possible stack overrun
OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=113
---
LibRaw-0.18.8.tar.gz | 3 --
LibRaw-0.18.9.tar.gz | 3 ++
libraw-CVE-2018-10528.patch | 37 +++++++++++++++++
libraw-CVE-2018-10529.patch | 79 +++++++++++++++++++++++++++++++++++++
libraw.changes | 19 +++++++++
libraw.spec | 8 +++-
6 files changed, 144 insertions(+), 5 deletions(-)
delete mode 100644 LibRaw-0.18.8.tar.gz
create mode 100644 LibRaw-0.18.9.tar.gz
create mode 100644 libraw-CVE-2018-10528.patch
create mode 100644 libraw-CVE-2018-10529.patch
diff --git a/LibRaw-0.18.8.tar.gz b/LibRaw-0.18.8.tar.gz
deleted file mode 100644
index 72ada97..0000000
--- a/LibRaw-0.18.8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:56aca4fd97038923d57d2d17d90aa11d827f1f3d3f1d97e9f5a0d52ff87420e2
-size 1281773
diff --git a/LibRaw-0.18.9.tar.gz b/LibRaw-0.18.9.tar.gz
new file mode 100644
index 0000000..79e3b8e
--- /dev/null
+++ b/LibRaw-0.18.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2ef177032e6d804fc512b206d02c393fca26be43ecd136cc26926407273b24e
+size 1282015
diff --git a/libraw-CVE-2018-10528.patch b/libraw-CVE-2018-10528.patch
new file mode 100644
index 0000000..38bd8aa
--- /dev/null
+++ b/libraw-CVE-2018-10528.patch
@@ -0,0 +1,37 @@
+Index: LibRaw-0.18.9/src/libraw_cxx.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp 2018-04-30 11:13:15.126021499 +0200
++++ LibRaw-0.18.9/src/libraw_cxx.cpp 2018-04-30 11:16:43.677077398 +0200
+@@ -5484,17 +5484,18 @@ void x3f_clear(void *p)
+ x3f_delete((x3f_t*)p);
+ }
+
+-static char *utf2char(utf16_t *str, char *buffer)
++void utf2char(utf16_t *str, char *buffer, unsigned bufsz)
+ {
++ if(bufsz<1) return;
++ buffer[bufsz-1] = 0;
+ char *b = buffer;
+
+- while (*str != 0x00) {
++ while (*str != 0x00 && --bufsz>0) {
+ char *chr = (char *)str;
+ *b++ = *chr;
+ str++;
+ }
+ *b = 0;
+- return buffer;
+ }
+
+ static void *lr_memmem(const void *l, size_t l_len, const void *s, size_t s_len)
+@@ -5555,8 +5556,8 @@ void LibRaw::parse_x3f()
+ x3f_property_t *P = PL->property_table.element;
+ for (i=0; inum_properties; i++) {
+ char name[100], value[100];
+- utf2char(P[i].name,name);
+- utf2char(P[i].value,value);
++ utf2char(P[i].name,name,sizeof(name));
++ utf2char(P[i].value,value,sizeof(value));
+ if (!strcmp (name, "ISO"))
+ imgdata.other.iso_speed = atoi(value);
+ if (!strcmp (name, "CAMMANUF"))
diff --git a/libraw-CVE-2018-10529.patch b/libraw-CVE-2018-10529.patch
new file mode 100644
index 0000000..4648adf
--- /dev/null
+++ b/libraw-CVE-2018-10529.patch
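Review bot: The rewritten `utf2char` in the first inner hunk of libraw-CVE-2018-10528.patch drops the `static` qualifier, so a helper that was file-local in libraw_cxx.cpp now has external linkage and, depending on the library's symbol visibility settings, may be exported or collide with another `utf2char` at link time. Nothing visible in the patch calls it from another file, so keeping it local is a one-line change: `static void utf2char(utf16_t *str, char *buffer, unsigned bufsz)`. The new size parameter is also undocumented; I would add `/* bufsz: size of buffer in bytes, terminator included; when bufsz is 0 nothing is written and buffer is left untouched */` above the function so callers know a zero size leaves the destination uninitialised.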
@@ -0,0 +1,79 @@
+Index: LibRaw-0.18.9/internal/libraw_x3f.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/internal/libraw_x3f.cpp 2018-04-24 16:23:24.000000000 +0200
++++ LibRaw-0.18.9/internal/libraw_x3f.cpp 2018-04-30 11:35:17.477351409 +0200
+@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
+ /* Computed */
+ utf16_t *name; /* 0x0000 terminated UTF 16 */
+ utf16_t *value; /* 0x0000 terminated UTF 16 */
+- char *name_utf8; /* converted to UTF 8 */
+- char *value_utf8; /* converted to UTF 8 */
+ } x3f_property_t;
+
+ typedef struct x3f_property_table_s {
+@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datast
+ int _cur = _file->_func(_buffer,1,_left); \
+ if (_cur == 0) { \
+ throw LIBRAW_EXCEPTION_IO_CORRUPT; \
+- exit(1); \
+ } \
+ _left -= _cur; \
+ } \
+@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t
+ if (PL)
+ {
+ int i;
+-
+- for (i = 0; i < PL->property_table.size; i++) {
+- FREE(PL->property_table.element[i].name_utf8);
+- FREE(PL->property_table.element[i].value_utf8);
+- }
+ }
+ FREE(PL->property_table.element);
+ FREE(PL->data);
+@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_i
+
+ if (!PL->data_size)
+ PL->data_size = read_data_block(&PL->data, I, DE, 0);
++ uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
+
+ for (i=0; inum_properties; i++) {
+ x3f_property_t *P = &PL->property_table.element[i];
+-
++ if(P->name_offset > maxoffset || P->value_offset > maxoffset)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ P->name = ((utf16_t *)PL->data + P->name_offset);
+ P->value = ((utf16_t *)PL->data + P->value_offset);
+- P->name_utf8 = 0;// utf16le_to_utf8(P->name);
+- P->value_utf8 = 0;//utf16le_to_utf8(P->value);
+ }
+ }
+
+Index: LibRaw-0.18.9/src/libraw_cxx.cpp
+===================================================================
+--- LibRaw-0.18.9.orig/src/libraw_cxx.cpp 2018-04-30 11:35:17.477351409 +0200
++++ LibRaw-0.18.9/src/libraw_cxx.cpp 2018-04-30 11:38:21.568048079 +0200
+@@ -5551,13 +5551,21 @@ void LibRaw::parse_x3f()
+ // Parse property list
+ DEH = &DE->header;
+ x3f_property_list_t *PL = &DEH->data_subsection.property_list;
++ utf16_t *datap = (utf16_t*) PL->data;
++ uint32_t maxitems = PL->data_size/sizeof(utf16_t);
+ if (PL->property_table.size != 0) {
+ int i;
+ x3f_property_t *P = PL->property_table.element;
+ for (i=0; inum_properties; i++) {
+ char name[100], value[100];
+- utf2char(P[i].name,name,sizeof(name));
+- utf2char(P[i].value,value,sizeof(value));
++ int noffset = (P[i].name - datap);
++ int voffset = (P[i].value - datap);
++ if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
++ throw LIBRAW_EXCEPTION_IO_CORRUPT;
++ int maxnsize = maxitems - (P[i].name - datap);
++ int maxvsize = maxitems - (P[i].value - datap);
++ utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
++ utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
+ if (!strcmp (name, "ISO"))
+ imgdata.other.iso_speed = atoi(value);
+ if (!strcmp (name, "CAMMANUF"))
diff --git a/libraw.changes b/libraw.changes
index 5714073..a42e896 100644
--- a/libraw.changes
+++ b/libraw.changes
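Review bot: Both new bounds checks in libraw-CVE-2018-10529.patch have an edge case at the limit. In `x3f_load_property_list`, `PL->data_size/sizeof(utf16_t)-2` is unsigned arithmetic and wraps to a very large value when the block holds fewer than two UTF-16 units, so the `> maxoffset` test then rejects nothing; a guard such as `if (PL->data_size < 2*sizeof(utf16_t)) throw LIBRAW_EXCEPTION_IO_CORRUPT;` before `maxoffset` is computed closes that. In `parse_x3f`, `noffset>maxitems` and `voffset>maxitems` accept an offset equal to `maxitems`, which makes `maxnsize` or `maxvsize` zero; `utf2char` returns early for a zero size, and the `strcmp` calls that follow then read an uninitialised `name` or `value`. Changing both comparisons to `>=` (`noffset >= maxitems`, `voffset >= maxitems`) avoids that. Both function bodies continue outside the inner hunks, so whether an earlier check already excludes these sizes cannot be seen from here.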
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Apr 30 09:18:00 UTC 2018 - pgajdos@suse.com + +- security update + * CVE-2018-10528 [bsc#1091345] + + libraw-CVE-2018-10528.patch + * CVE-2018-10529 [bsc#1091346] + + libraw-CVE-2018-10529.patch + +------------------------------------------------------------------- +Mon Apr 30 08:59:33 UTC 2018 - kbabioch@suse.com + +- Updated to version 0.18.9: + * samsung_load_raw: possible buffer overrun + * rollei_load_raw: possible buffer overrun + * nikon_coolscan_load_raw: possible buffer overrun, possible NULL pointer + * find_green: possible stack overrun + * parse_exif: possible stack overrun + ------------------------------------------------------------------- Fri Mar 9 12:41:28 UTC 2018 - kbabioch@suse.com diff --git a/libraw.spec b/libraw.spec index f4ad554..bd1a827 100644 --- a/libraw.spec +++ b/libraw.spec @@ -20,14 +20,16 @@ %define lver 16 %define lname libraw%{lver} Name: libraw -Version: 0.18.8 +Version: 0.18.9 Release: 0 Summary: Library for reading RAW files obtained from digital photo cameras -License: CDDL-1.0 OR LGPL-2.1 +License: CDDL-1.0 OR LGPL-2.1-only Group: Development/Libraries/C and C++ Url: https://www.libraw.org/ #Git-Clone: git://github.com/LibRaw/LibRaw Source: https://www.libraw.org/data/%tar_name-%version.tar.gz +Patch0: libraw-CVE-2018-10528.patch +Patch1: libraw-CVE-2018-10529.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: libjasper-devel @@ -95,6 +97,8 @@ against LibRaw. LibRaw does not provide dynamic libraries. %prep %setup -qn %tar_name-%version +%patch0 -p1 +%patch1 -p1 %build export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"