Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Dear Release Team,

I'd like to upload a new version of libraw to oldstable/wheezy.

The LibRaw package in wheezy is 0.14.6-2 at the moment and it's affected by the security issue stated in CVE-2015-3885[1], as reported in #786788. The Debian Security Team marked the issue as "no-DSA"[2], so there's no need to go through the Debian Security procedures, just a simple proposed-update via the Debian Release Team.

This same issue has already been fixed in unstable and testing with the 0.16.2-1 revision upload and the p-u 0.16.0.9+deb8u1 on jessie (already accepted for the next point release).

Cherry-picking and adapting the fixing git commit used in RedHat[3], I've prepared a new libraw 0.14.6-2+deb7u1 package bundling the patch.

Attached, you'll find a debdiff for it.

Thanks for considering.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
[2] https://security-tracker.debian.org/tracker/CVE-2015-3885
[3] https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff

-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.14.6/debian/changelog libraw-0.14.6/debian/changelog --- libraw-0.14.6/debian/changelog 2012-05-27 12:17:21.000000000 +0200 +++ libraw-0.14.6/debian/changelog 2015-05-28 14:15:32.000000000 +0200 @@ -1,3 +1,15 @@ +libraw (0.14.6-2+deb7u1) wheezy; urgency=high + + * debian/patches/: patchset updated + - 0001-Fix_CVE-2015-3885.patch added (Closes: #786788) + | Integer overflow in the ljpeg_start function + | in dcraw 7.00 and earlier allows remote attackers + | to cause a denial of service (crash) via a + | crafted image, which triggers a buffer overflow, + | related to the len variable. + + -- Matteo F. Vescovi <m...@debian.org> Thu, 28 May 2015 14:15:10 +0200 + libraw (0.14.6-2) unstable; urgency=low * Team upload. diff -Nru libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch --- libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch 2015-05-27 21:35:09.000000000 +0200 
@@ -0,0 +1,46 @@ +From: Nils Philippsen <n...@redhat.com> +Date: Wed, 27 May 2015 21:28:03 +0200 +Subject: Fix_CVE-2015-3885 + +Avoid overflowing array + +When reading raw image files containing lossless JPEG data, headers could be +manipulated to make the signed int variable 'len' negative which specifies +how much actual data follows. Interpreted as unsigned, this could lead to +reading file data past the 64k boundary of the array used for storing it. +To avoid that, make 'len' unsigned short, and bail out early if its value +would become invalid (i.e. <= 0). + +Signed-off-by: Matteo F. Vescovi <m...@debian.org> + +Git-Dch: Short +--- + dcraw/dcraw.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c +index 9985f41..14ee66a 100644 +--- a/dcraw/dcraw.c ++++ b/dcraw/dcraw.c +@@ -787,7 +787,8 @@ struct jhead { + + int CLASS ljpeg_start (struct jhead *jh, int info_only) + { +- int c, tag, len; ++ int c, tag; ++ ushort len; + uchar data[0x10000]; + const uchar *dp; + +@@ -798,8 +799,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only) + do { + fread (data, 2, 2, ifp); + tag = data[0] << 8 | data[1]; +- len = (data[2] << 8 | data[3]) - 2; +- if (tag <= 0xff00) return 0; ++ len = (data[2] << 8 | data[3]); ++ if (tag <= 0xff00 || len <= 2) return 0; ++ len -= 2; + fread (data, 1, len, ifp); + switch (tag) { + case 0xffc3: diff -Nru libraw-0.14.6/debian/patches/series libraw-0.14.6/debian/patches/series --- libraw-0.14.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libraw-0.14.6/debian/patches/series 2015-05-27 21:35:09.000000000 +0200 @@ -0,0 +1 @@ +0001-Fix_CVE-2015-3885.patch
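Review bot: the new `len <= 2` guard in the second inner hunk of 0001-Fix_CVE-2015-3885.patch is stricter than the JPEG marker-segment format, where a length field of exactly 2 denotes a segment with no payload; such files are now rejected with `return 0` instead of being parsed. That is the safer choice here, since the `switch (tag)` that follows would otherwise process a segment for which nothing was read into `data`, but the reason deserves a one-line comment next to the check so nobody later "relaxes" it back to `len < 2`. The arithmetic itself is sound: with `ushort len` the value after `len -= 2` is at most 0xFFFD, so `fread (data, 1, len, ifp)` can no longer overrun `uchar data[0x10000]`, which is exactly what the negative `int` converted to `size_t` allowed before. Two smaller points: the return value of `fread` is still unchecked, so a truncated file leaves part of `data` uninitialised before the `switch` (pre-existing, but worth a follow-up), and the patch header carries only git-style From:/Date:/Subject: fields; adding DEP-3 `Origin: https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff` and `Bug-Debian: https://bugs.debian.org/786788` lines would record the cherry-pick source stated in the cover mail.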