Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #787403,
regarding wheezy-pu: package libraw/0.14.6-2+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
787403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787403
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to oldstable/wheezy.

LibRaw package in wheezy is 0.14.6-2 at the moment and it's affected by the
security issue stated in CVE-2015-3885[1], as reported in #786788.

Debian Security Team marked the issue as "no-DSA"[2], so no need to go
through the Debian Security procedures but a simple proposed-update via the
Debian Release Team.

This same issue has been already fixed in unstable and testing with 0.16.2-1
revision upload and the p-u 0.16.0.9+deb8u1 on jessie (already accepted for
next point release).

Cherry-picking and adapting the fixing git commit used in RedHat[3], I've
prepared a new libraw 0.14.6-2+deb7u1 package bundling the patch.

Attached, you'll find a debdiff for it.

Thanks for considering.


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
[2] https://security-tracker.debian.org/tracker/CVE-2015-3885
[3] https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff


-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.14.6/debian/changelog libraw-0.14.6/debian/changelog
--- libraw-0.14.6/debian/changelog      2012-05-27 12:17:21.000000000 +0200
+++ libraw-0.14.6/debian/changelog      2015-05-28 14:15:32.000000000 +0200
@@ -1,3 +1,15 @@
+libraw (0.14.6-2+deb7u1) wheezy; urgency=high
+
+  * debian/patches/: patchset updated
+    - 0001-Fix_CVE-2015-3885.patch added (Closes: #786788)
+      | Integer overflow in the ljpeg_start function
+      | in dcraw 7.00 and earlier allows remote attackers
+      | to cause a denial of service (crash) via a
+      | crafted image, which triggers a buffer overflow,
+      | related to the len variable.
+
+ -- Matteo F. Vescovi <m...@debian.org>  Thu, 28 May 2015 14:15:10 +0200
+
 libraw (0.14.6-2) unstable; urgency=low
 
   * Team upload.
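
Review bot: the new changelog entry reproduces the CVE description, which speaks of dcraw 7.00 and earlier, without saying that the code being patched is the dcraw/dcraw.c copy shipped inside libraw or where the fix was taken from. One extra line under the 0001-Fix_CVE-2015-3885.patch item naming the affected file and the origin of the patch would let the entry stand on its own for someone reading the changelog without the bug report open.
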
diff -Nru libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch 
libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch
--- libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libraw-0.14.6/debian/patches/0001-Fix_CVE-2015-3885.patch   2015-05-27 
21:35:09.000000000 +0200
@@ -0,0 +1,46 @@
+From: Nils Philippsen <n...@redhat.com>
+Date: Wed, 27 May 2015 21:28:03 +0200
+Subject: Fix_CVE-2015-3885
+
+Avoid overflowing array
+
+When reading raw image files containing lossless JPEG data, headers could be
+manipulated to make the signed int variable 'len' negative which specifies
+how much actual data follows. Interpreted as unsigned, this could lead to
+reading file data past the 64k boundary of the array used for storing it.
+To avoid that, make 'len' unsigned short, and bail out early if its value
+would become invalid (i.e. <= 0).
+
+Signed-off-by: Matteo F. Vescovi <m...@debian.org>
+
+Git-Dch: Short
+---
+ dcraw/dcraw.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
+index 9985f41..14ee66a 100644
+--- a/dcraw/dcraw.c
++++ b/dcraw/dcraw.c
+@@ -787,7 +787,8 @@ struct jhead {
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+@@ -798,8 +799,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+   do {
+     fread (data, 2, 2, ifp);
+     tag =  data[0] << 8 | data[1];
+-    len = (data[2] << 8 | data[3]) - 2;
+-    if (tag <= 0xff00) return 0;
++    len = (data[2] << 8 | data[3]);
++    if (tag <= 0xff00 || len <= 2) return 0;
++    len -= 2;
+     fread (data, 1, len, ifp);
+     switch (tag) {
+       case 0xffc3:
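
Review bot: both fread calls in the second dcraw.c hunk still discard their return value, so the new `len <= 2` guard only helps when the four header bytes were actually read. On a truncated file `fread (data, 2, 2, ifp)` can come back short, and tag and len are then built from whatever data[] already held; a short `fread (data, 1, len, ifp)` likewise leaves the switch parsing stale bytes. Suggest returning 0 when the first call does not return 2 or the second does not return len. The bound itself holds: with len a ushort and the `len <= 2` check ahead of `len -= 2`, the read size is at most 0xfffd, below the 0x10000 bytes of data. Separately, the patch header carries From, Date and Subject but no Origin: or Bug-Debian: field, so the patch file does not record where the fix was cherry-picked from or that it closes #786788.
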
diff -Nru libraw-0.14.6/debian/patches/series 
libraw-0.14.6/debian/patches/series
--- libraw-0.14.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libraw-0.14.6/debian/patches/series 2015-05-27 21:35:09.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix_CVE-2015-3885.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---