Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, rawtherapee is affected by the security issue CVE-2015-8366[1]. It's marked no- dsa that's why I want to coordinate the update with you. I attached the debdiff. Best, Philip [1] https://security-tracker.debian.org/tracker/CVE-2015-8366
diff --git a/debian/changelog b/debian/changelog index bbfd8e2..288c1b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +rawtherapee (4.2-1+deb8u2) jessie; urgency=high + + * Add patch debian/patches/03-fix-overflow-in-dcraw.patch: + - Fix buffer overflow in dcraw (CVE-2015-8366) + + -- Philip Rinn <ri...@inventati.org> Thu, 06 Oct 2016 12:36:00 +0200 + rawtherapee (4.2-1+deb8u1) jessie; urgency=high * Add patch debian/patches/02-fix_CVE-2015-3885.patch: diff --git a/debian/patches/03-fix-overflow-in-dcraw.patch b/debian/patches/03-fix-overflow-in-dcraw.patch new file mode 100644 index 0000000..6f9a282 --- /dev/null +++ b/debian/patches/03-fix-overflow-in-dcraw.patch @@ -0,0 +1,18 @@ +Author: Hubert Chathi <uho...@debian.org> +Description: Fix buffer overflow in dcraw (CVE-2015-8366) +Origin: https://vcs.uhoreg.ca/git/cgit/debpkg-ufraw/commit/?id=54688b5896b39003becdfee3c803c58c94f14df3 +Last-update: 2016-10-06 +--- a/rtengine/dcraw.cc ++++ b/rtengine/dcraw.cc +@@ -3221,7 +3221,10 @@ + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= seg[1][1]) + diff = 0; +- raw_image[pix] = pred[pix & 1] += diff; ++ if(pix>=raw_width*raw_height) ++ derror(); ++ else ++ raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } + maximum = 0xff; diff --git a/debian/patches/series b/debian/patches/series index abb467d..4aa855a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 01-fix_build_race-condition.patch 02-fix_CVE-2015-3885.patch +03-fix-overflow-in-dcraw.patch
