Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: lib...@packages.debian.org, car...@debian.org Control: affects -1 + src:libraw
Hi release team, Please unblock package libraw [ Reason ] Fixing two CVEs CVE-2021-32142 (would be no-dsa considered), and CVE-2023-1729. As we do plan to release a DSA for bullseye-security it is wise to have the fixes as well in the upper suite. [ Impact ] libraw in bookworm affected by CVE-2021-32142 and CVE-2023-1729 until the bookworm point releases or security update. [ Tests ] None specifically, autopkgtest with smoketest passes. [ Risks ] Two isolated fixes whith low risk I believe. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] None unblock libraw/0.20.2-2.1 Regards, Salvatore
diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog --- libraw-0.20.2/debian/changelog 2021-09-11 16:56:07.000000000 +0200 +++ libraw-0.20.2/debian/changelog 2023-05-20 21:44:42.000000000 +0200 @@ -1,3 +1,13 @@ +libraw (0.20.2-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * check for input buffer size on datastream::gets (CVE-2021-32142) + (Closes: #1031790) + * do not set shrink flag for 3/4 component images (CVE-2023-1729) + (Closes: #1036281) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 20 May 2023 21:44:42 +0200 + libraw (0.20.2-2) unstable; urgency=medium * debian/watch: bump version 3 -> 4 diff -Nru libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch --- libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch 2023-05-20 21:44:42.000000000 +0200 @@ -0,0 +1,43 @@ +From: Alex Tutubalin <l...@lexa.ru> +Date: Mon, 12 Apr 2021 13:21:52 +0300 +Subject: check for input buffer size on datastream::gets +Origin: https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49 +Bug: https://github.com/LibRaw/LibRaw/issues/400 +Bug-Debian: https://bugs.debian.org/1031790 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32142 + +--- + src/libraw_datastream.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp +index a5c1a84a3a8c..a31ae9dd84db 100644 +--- a/src/libraw_datastream.cpp ++++ b/src/libraw_datastream.cpp +@@ -287,6 +287,7 @@ INT64 LibRaw_file_datastream::tell() + + char *LibRaw_file_datastream::gets(char *str, int sz) + { ++ if(sz<1) return NULL; + LR_STREAM_CHK(); + std::istream is(f.get()); + is.getline(str, sz); +@@ -421,6 +422,7 @@ INT64 LibRaw_buffer_datastream::tell() + + char *LibRaw_buffer_datastream::gets(char *s, int sz) + { ++ if(sz<1) return NULL; + unsigned char *psrc, *pdest, *str; + str = (unsigned char *)s; + psrc = buf + streampos; +@@ -618,6 +620,7 @@ INT64 LibRaw_bigfile_datastream::tell() + + char *LibRaw_bigfile_datastream::gets(char *str, int sz) + { ++ if(sz<1) return NULL; + LR_BF_CHK(); + return fgets(str, sz, f); + } +-- +2.40.1 + diff -Nru libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch --- libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch 2023-05-20 21:44:42.000000000 +0200 @@ -0,0 +1,28 @@ +From: Alex Tutubalin <l...@lexa.ru> +Date: Sat, 14 Jan 2023 18:32:59 +0300 +Subject: do not set shrink flag for 3/4 component images +Origin: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828 +Bug: https://github.com/LibRaw/LibRaw/issues/557 +Bug-Debian: https://bugs.debian.org/1036281 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1729 + +--- + src/preprocessing/raw2image.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp +index e65e2ad73b4a..702cf290213c 100644 +--- a/src/preprocessing/raw2image.cpp ++++ b/src/preprocessing/raw2image.cpp +@@ -43,6 +43,8 @@ void LibRaw::raw2image_start() + + // adjust for half mode! + IO.shrink = ++ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image && ++ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image && + P1.filters && + (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1))); + +-- +2.40.1 + diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series --- libraw-0.20.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.20.2/debian/patches/series 2023-05-20 21:44:42.000000000 +0200 @@ -0,0 +1,2 @@ +check-for-input-buffer-size-on-datastream-gets.patch +do-not-set-shrink-flag-for-3-4-component-images.patch
