Accepting request 969894 from graphics

Miscellaneous security fixes + bring back jasper that survived clinical death

OBS-URL: https://build.opensuse.org/request/show/969894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dcraw?expand=0&rev=39

dcraw-CVE-2021-3624.patch

@@ -0,0 +1,17 @@
+--- dcraw/dcraw.c	2022-04-12 14:29:23.791896447 +0200
++++ dcraw/dcraw.c	2022-04-12 14:59:50.767180929 +0200
+@@ -3289,7 +3289,13 @@
+     }
+   } else if (type == 4) {
+     free (meta_data);
+-    meta_data = (char *) malloc (meta_length = wide*high*3/2);
++    meta_data = NULL;
++    meta_length =  wide*high*3/2;
++    if (meta_length/wide != high*3/2) {
++        fprintf(stderr, "Potential buffer overflow (meta_length %u, wide %u, high %u). Bailing out...\n", meta_length, wide, high);
++        longjmp(failure, 2);
++    }
++    meta_data = (char *) malloc (meta_length);
+     merror (meta_data, "foveon_load_camf()");
+     foveon_huff (huff);
+     get4();

dcraw.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Apr 12 11:30:56 UTC 2022 - Fridrich Strba <fstrba@suse.com>
+
+- Added patches:
+  * iowrappers.patch
+    + Written wrappers of fread(),fwrite(),fseek() library functions
+      which check their return values. If an input/output failure is
+      detected, dcraw immediately exits with non-zero status and
+      prints a descriptive message (bsc#1097973, CVE-2018-5805;
+      bsc#1097974, CVE-2018-5806; bsc#1117622, CVE-2018-19565;
+      bsc#1117517, CVE-2018-19566; bsc#1117512, CVE-2018-19567;
+      bsc#1117436, CVE-2018-19568)
+  * dcraw-CVE-2021-3624.patch
+    + Bail out if integer overflow happened and the allocated buffer
+      would be too small (bsc#1189642, CVE-2021-3624)
+
 -------------------------------------------------------------------
 Sun Aug 16 22:39:47 UTC 2020 - Matthias Eliasson <elimat@opensuse.org>
 
@@ -13,12 +29,6 @@ Sun Aug 16 22:39:47 UTC 2020 - Matthias Eliasson <elimat@opensuse.org>
 - Run spec-cleaner
   * Remove package groups
 
--------------------------------------------------------------------
-Mon Jul 22 08:18:01 UTC 2019 - mvetter@suse.com
-
-- bsc#1142308: Drop dependency on libjasper
-  Thus removing support for decoding RED camera movies
-
 -------------------------------------------------------------------
 Fri Aug  5 22:12:55 UTC 2016 - asterios.dramis@gmail.com
 

dcraw.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dcraw
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -45,7 +45,10 @@ Patch2:         dcraw-CVE-2017-14608.patch
 Patch3:         dcraw-CVE-2018-19655.patch
 # PATCH-FIX-UPSTREAM dcraw-CVE-2018-5801.patch
 Patch4:         dcraw-CVE-2018-5801.patch
+Patch5:         iowrappers.patch
+Patch6:         dcraw-CVE-2021-3624.patch
 BuildRequires:  gettext-runtime
+BuildRequires:  libjasper-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  liblcms2-devel
 Recommends:     %{name}-lang = %{version}
@@ -63,6 +66,8 @@ cp -a %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} .
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 export CFLAGS="%{optflags} -fno-strict-aliasing -fstack-protector-all"
@@ -71,12 +76,12 @@ for file in *.c ; do
   LDFLAGS=
   OTHERFLAGS=
   if test $file = dcraw.c ; then
-    LDFLAGS="-lm -ljpeg -llcms2 -DLOCALEDIR=\""%{_datadir}/locale"\""
+    LDFLAGS="-lm -ljasper -ljpeg -llcms2 -DLOCALEDIR=\""%{_datadir}/locale"\""
   fi
   if test $file = fuji_green.c ; then
     LDFLAGS="-lm"
   fi
-  gcc $CFLAGS $OTHERFLAGS -o ${file%.c} $file $LDFLAGS -DNO_JASPER
+  gcc $CFLAGS $OTHERFLAGS -o ${file%.c} $file $LDFLAGS
 done
 # Compile with -D_16BIT to rotate 48-bit PPM images
 gcc $CFLAGS -D_16BIT -o fujiturn16 fujiturn.c