diff --git a/libraw-CVE-2018-5813.patch b/libraw-CVE-2018-5813.patch
index fbc7a5f..9ed8475 100644
--- a/libraw-CVE-2018-5813.patch
+++ b/libraw-CVE-2018-5813.patch
@@ -1,42 +1,3 @@
-Index: LibRaw-0.19.0/dcraw/dcraw.c
-===================================================================
---- LibRaw-0.19.0.orig/dcraw/dcraw.c 2018-08-01 12:52:18.284642412 +0200
-+++ LibRaw-0.19.0/dcraw/dcraw.c 2018-08-01 13:14:20.831394866 +0200
-@@ -6364,17 +6364,33 @@ void CLASS apply_tiff()
- 
- void CLASS parse_minolta (int base)
- {
-- int save, tag, len, offset, high=0, wide=0, i, c;
-+ int tag, len, offset, high=0, wide=0, i, c;
- short sorder=order;
-+#ifdef LIBRAW_LIBRARY_BUILD
-+ INT64 save;
-+#else
-+ int save;
-+#endif
- 
- fseek (ifp, base, SEEK_SET);
- if (fgetc(ifp) || fgetc(ifp)-'M' || fgetc(ifp)-'R') return;
- order = fgetc(ifp) * 0x101;
- offset = base + get4() + 8;
-+#ifdef LIBRAW_LIBRARY_BUILD
-+ INT64 fsize = ifp->size();
-+ if(offset>fsize-8) // At least 8 bytes for tag/len
-+ offset = fsize-8;
-+#endif
- while ((save=ftell(ifp)) < offset) {
- for (tag=i=0; i < 4; i++)
- tag = tag << 8 | fgetc(ifp);
- len = get4();
-+ if(len < 0)
-+ return; // just ignore wrong len?? or raise bad file exception?
-+#ifdef LIBRAW_LIBRARY_BUILD
-+ if((INT64)len + save + 8ULL > save)
-+ return; // just ignore out of file metadata, stop parse
-+#endif
- switch (tag) {
- case 0x505244: /* PRD */
- fseek (ifp, 8, SEEK_CUR);
 Index: LibRaw-0.19.0/internal/dcraw_common.cpp
 ===================================================================
 --- LibRaw-0.19.0.orig/internal/dcraw_common.cpp 2018-08-01 12:52:18.288642432 +0200
diff --git a/libraw-CVE-2018-5815.patch b/libraw-CVE-2018-5815.patch
deleted file mode 100644
index bd83215..0000000
--- a/libraw-CVE-2018-5815.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: LibRaw-0.19.0/dcraw/dcraw.c
-===================================================================
---- LibRaw-0.19.0.orig/dcraw/dcraw.c 2018-08-01 13:33:31.125280841 +0200
-+++ LibRaw-0.19.0/dcraw/dcraw.c 2018-08-01 13:34:22.757544606 +0200
-@@ -6915,6 +6915,8 @@ void CLASS parse_qt (int end)
- while (ftell(ifp)+7 < end) {
- save = ftell(ifp);
- if ((size = get4()) < 8) return;
-+ if ((int)size < 0) return; // 2+GB is too much
-+ if (save + size < save) return; // 32bit overflow
- fread (tag, 4, 1, ifp);
- if (!memcmp(tag,"moov",4) ||
- !memcmp(tag,"udta",4) ||
diff --git a/libraw.changes b/libraw.changes
index ea475f5..46b7201 100644
--- a/libraw.changes
+++ b/libraw.changes
@@ -4,8 +4,6 @@ Wed Aug 1 11:07:43 UTC 2018 - pgajdos@suse.com
 - security update
 * CVE-2018-5813 [bsc#1103200]
 + libraw-CVE-2018-5813.patch
- * CVE-2018-5815 [bsc#1103206]
- + libraw-CVE-2018-5815.patch
 
 -------------------------------------------------------------------
 Wed Aug 1 10:13:46 UTC 2018 - pgajdos@suse.com
diff --git a/libraw.spec b/libraw.spec
index 896030b..7863d50 100644
--- a/libraw.spec
+++ b/libraw.spec
@@ -29,7 +29,6 @@ Url: https://www.libraw.org/
 #Git-Clone: git://github.com/LibRaw/LibRaw
 Source: https://www.libraw.org/data/%tar_name-%version.tar.gz
 Patch0: libraw-CVE-2018-5813.patch
-Patch1: libraw-CVE-2018-5815.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libjasper-devel
@@ -98,7 +97,6 @@ against LibRaw. LibRaw does not provide dynamic libraries.
 %prep
 %setup -qn %tar_name-%version
 %patch0 -p1
-%patch1 -p1
 
 %build
 export CXXFLAGS="%optflags -fPIC -DUSE_ZLIB"
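Review bot: Removing `Patch1: libraw-CVE-2018-5815.patch` and `%patch1 -p1` from libraw.spec takes the `parse_qt` size checks for CVE-2018-5815 out of the build, and nothing in the visible commit records why. Both that patch and the part dropped from libraw-CVE-2018-5813.patch touch only `dcraw/dcraw.c`, so the intent is presumably that this file is not what the package compiles, but that is an inference; it should be confirmed that `parse_qt` in `internal/dcraw_common.cpp` of 0.19.0 already rejects an oversized `size` before the fix is dropped. The libraw.changes hunk also deletes the `* CVE-2018-5815 [bsc#1103206]` line from the existing entry instead of explaining the removal, which loses the bug reference; I would keep the trace with an entry such as `- drop libraw-CVE-2018-5815.patch [bsc#1103206]: <reason, to be filled in by the packager>`.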