Accepting request 1135525 from home:dirkmueller:Factory

- update to 0.21.2:
  * New compile-defined limit LIBRAW_MAX_PROFILE_SIZE_MB:
    limits allocation/read size for embedded color profile
    Embedded color profile allocation/read size: limited by input
    file size.
  * Multiple fixes (mostly inspired by oss-fuzz) to improve
    library stability and/or input checks.
  * raw-identify: use fallback if PATH_MAX not available
  * Disabled color conversion for Canon 16-bit thumbnails
  * docs/changelog: explained the case when no thumbnail is found
    in specific file
  * swapXX renamed to libraw_swapXX to avoid name conflict
  * better striped thumbnails handling
- drop libraw-CVE-2023-1729.patch (upstream)

  * Olympus XZ-1: do not provide linear_max
  * multiple camera support improvements
  * quicktake_100_load_raw: check width/height limits
    CVE-2017-14265: Additional check for X-Trans CFA pattern data
 * Fix for possible heap overrun in Canon makernotes parser
    Phase One flat field code called even for half-size output
- added missing parts of the fix for CVE-2017-6887
* phase_one_correct always returns value; handle P1 return codes
  files and DNG converted by Adobe convertor).
  analysis.
* Fujifilm F700/S20Pro second frame support
        Olympus E-P5
   - Support for updated Samsung NX200 firmware.
 * Makefile.msvc: easy additional compiler flag editing.
 * Fixed decoding of some Leaf Aptus II files

OBS-URL: https://build.opensuse.org/request/show/1135525
OBS-URL: https://build.opensuse.org/package/show/graphics/libraw?expand=0&rev=159

libraw-CVE-2023-1729.patch

@@ -1,14 +0,0 @@
-diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
-index e65e2ad7..702cf290 100644
---- a/src/preprocessing/raw2image.cpp
-+++ b/src/preprocessing/raw2image.cpp
-@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
- 
-   // adjust for half mode!
-   IO.shrink =
-+	  !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
-+	  !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
-       P1.filters &&
-       (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
- 
-

libraw.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Dec 28 18:09:52 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.21.2:
+  * New compile-defined limit LIBRAW_MAX_PROFILE_SIZE_MB:
+    limits allocation/read size for embedded color profile
+    Embedded color profile allocation/read size: limited by input
+    file size.
+  * Multiple fixes (mostly inspired by oss-fuzz) to improve
+    library stability and/or input checks.
+  * raw-identify: use fallback if PATH_MAX not available
+  * Disabled color conversion for Canon 16-bit thumbnails
+  * docs/changelog: explained the case when no thumbnail is found
+    in specific file
+  * swapXX renamed to libraw_swapXX to avoid name conflict
+  * better striped thumbnails handling
+- drop libraw-CVE-2023-1729.patch (upstream)
+
 -------------------------------------------------------------------
 Thu Sep 14 14:57:19 UTC 2023 - pgajdos@suse.com
 

libraw.spec

@@ -23,7 +23,7 @@
 %define lver    23
 %define lname	libraw%{lver}
 Name:           libraw
-Version:        0.21.1
+Version:        0.21.2
 Release:        0
 Summary:        Library for reading RAW files obtained from digital photo cameras
 License:        CDDL-1.0 OR LGPL-2.1-only
@@ -32,10 +32,8 @@ URL:            https://www.libraw.org/
 #Git-Clone:	git://github.com/LibRaw/LibRaw
 Source0:        https://www.libraw.org/data/%tar_name-%version.tar.gz
 Source1:        baselibs.conf
-# CVE-2023-1729 [bsc#1210720], a heap-buffer-overflow in raw2image_ex()
-Patch0:         libraw-CVE-2023-1729.patch
-# CVE-2020-22628 [bsc#1215308], stretch() function in librawsrcpostprocessingspect_ratio.cpp
-Patch1:         libraw-CVE-2020-22628.patch
+# CVE-2020-22628 [bsc#1215308], stretch() function in librawsrcpostprocessing
+Patch0:         libraw-CVE-2020-22628.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes