Your message dated Tue, 23 May 2023 10:40:25 +0000
with message-id <e1q1prj-00c5jg...@respighi.debian.org>
and subject line unblock libraw
has caused the Debian Bug report #1036560,
regarding unblock: libraw/0.20.2-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036560: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lib...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libraw

Hi release team,

Please unblock package libraw

[ Reason ]
Fixing two CVEs: CVE-2021-32142 (would be considered no-dsa), and
CVE-2023-1729. As we do plan to release a DSA for bullseye-security it
is wise to have the fixes as well in the upper suite.

[ Impact ]
libraw in bookworm is affected by CVE-2021-32142 and CVE-2023-1729 until
the bookworm point releases or security update.

[ Tests ]
None specifically, autopkgtest with smoketest passes.

[ Risks ]
Two isolated fixes with low risk I believe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None

unblock libraw/0.20.2-2.1

Regards,
Salvatore
diff -Nru libraw-0.20.2/debian/changelog libraw-0.20.2/debian/changelog
--- libraw-0.20.2/debian/changelog      2021-09-11 16:56:07.000000000 +0200
+++ libraw-0.20.2/debian/changelog      2023-05-20 21:44:42.000000000 +0200
@@ -1,3 +1,13 @@
+libraw (0.20.2-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * check for input buffer size on datastream::gets (CVE-2021-32142)
+    (Closes: #1031790)
+  * do not set shrink flag for 3/4 component images (CVE-2023-1729)
+    (Closes: #1036281)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 20 May 2023 21:44:42 +0200
+
 libraw (0.20.2-2) unstable; urgency=medium
 
   * debian/watch: bump version 3 -> 4
diff -Nru libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch
--- libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/check-for-input-buffer-size-on-datastream-gets.patch	2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,43 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Mon, 12 Apr 2021 13:21:52 +0300
+Subject: check for input buffer size on datastream::gets
+Origin: 
https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
+Bug: https://github.com/LibRaw/LibRaw/issues/400
+Bug-Debian: https://bugs.debian.org/1031790
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32142
+
+---
+ src/libraw_datastream.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libraw_datastream.cpp b/src/libraw_datastream.cpp
+index a5c1a84a3a8c..a31ae9dd84db 100644
+--- a/src/libraw_datastream.cpp
++++ b/src/libraw_datastream.cpp
+@@ -287,6 +287,7 @@ INT64 LibRaw_file_datastream::tell()
+ 
+ char *LibRaw_file_datastream::gets(char *str, int sz)
+ {
++  if(sz<1) return NULL;
+   LR_STREAM_CHK();
+   std::istream is(f.get());
+   is.getline(str, sz);
+@@ -421,6 +422,7 @@ INT64 LibRaw_buffer_datastream::tell()
+ 
+ char *LibRaw_buffer_datastream::gets(char *s, int sz)
+ {
++  if(sz<1) return NULL;
+   unsigned char *psrc, *pdest, *str;
+   str = (unsigned char *)s;
+   psrc = buf + streampos;
+@@ -618,6 +620,7 @@ INT64 LibRaw_bigfile_datastream::tell()
+ 
+ char *LibRaw_bigfile_datastream::gets(char *str, int sz)
+ {
++  if(sz<1) return NULL;
+   LR_BF_CHK();
+   return fgets(str, sz, f);
+ }
+-- 
+2.40.1
+
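Review bot: the `if(sz<1) return NULL;` guard added to all three `gets` variants only rejects a non-positive buffer size; the diffstat (`1 file changed, 3 insertions(+)`) shows nothing else changed, so the hand-written copy loop in `LibRaw_buffer_datastream::gets` that follows `psrc = buf + streampos;` lies outside the hunk's context and is untouched. Confirm in the full source that this loop writes at most `sz-1` bytes before the terminator, since that is the path the patch subject "check for input buffer size" is about. The `file` and `bigfile` variants are already bounded by `is.getline(str, sz)` and `fgets(str, sz, f)`, so there the guard merely avoids handing a zero or negative count to the library. The early return yields a bare `NULL` without setting any stream error state, so every caller of `gets` should be checked for a `NULL` return.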
diff -Nru libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch
--- libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch	1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/do-not-set-shrink-flag-for-3-4-component-images.patch	2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,28 @@
+From: Alex Tutubalin <l...@lexa.ru>
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: do not set shrink flag for 3/4 component images
+Origin: 
https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828
+Bug: https://github.com/LibRaw/LibRaw/issues/557
+Bug-Debian: https://bugs.debian.org/1036281
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1729
+
+---
+ src/preprocessing/raw2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index e65e2ad73b4a..702cf290213c 100644
+--- a/src/preprocessing/raw2image.cpp
++++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+ 
+   // adjust for half mode!
+   IO.shrink =
++        !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
++        !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+       P1.filters &&
+       (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+ 
+-- 
+2.40.1
+
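Review bot: the two added lines of `!imgdata.rawdata.*_image` terms are ANDed ahead of `P1.filters &&`, so whenever a 3- or 4-component (`color3_image`, `color4_image`, `float3_image`, `float4_image`) buffer is present `IO.shrink` is now always 0; as a consequence `O.half_size`, `O.threshold` and the `O.aber[]` settings no longer trigger shrink for such images, and a caller asking for half-size output silently gets full-size output instead. That is exactly what the patch subject says, but it is a user-visible behaviour change, so a one-line comment next to `// adjust for half mode!` stating that shrink is only valid for filtered (Bayer) data would help the next reader, and the changelog entry could mention the changed `half_size` behaviour.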
diff -Nru libraw-0.20.2/debian/patches/series libraw-0.20.2/debian/patches/series
--- libraw-0.20.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.20.2/debian/patches/series 2023-05-20 21:44:42.000000000 +0200
@@ -0,0 +1,2 @@
+check-for-input-buffer-size-on-datastream-gets.patch
+do-not-set-shrink-flag-for-3-4-component-images.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---