import Oracle_OSS LibRaw-0.21.1-2.el9_7

2026-04-29 01:18:01 -04:00 · 2026-04-29 01:18:01 -04:00 · 04c8d7cf12
commit 04c8d7cf12
parent 41fa69f6a6
3 changed files with 101 additions and 1 deletions
--- a/SOURCES/LibRaw-CVE-2026-21413-TALOS-2026-2331.patch
+++ b/SOURCES/LibRaw-CVE-2026-21413-TALOS-2026-2331.patch
@ -0,0 +1,34 @@
+From c5b64f3fc63ca709da87d33086c3c85e993c4f54 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 28 Feb 2026 18:26:53 +0300
+Subject: [PATCH] Fix for TALOS-2026-2331
+
+(cherry picked from commit 75ed2c12a35b765b3b6ad695cc1f044f19efe644)
+---
+ src/decoders/decoders_dcraw.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/decoders/decoders_dcraw.cpp b/src/decoders/decoders_dcraw.cpp
+index 721d385777ad..2164664dd477 100644
+--- a/src/decoders/decoders_dcraw.cpp
+++ b/src/decoders/decoders_dcraw.cpp
+@@ -560,6 +560,7 @@ void LibRaw::lossless_jpeg_load_raw()
+   if (jh.clrs == 4 && jwide >= raw_width * 2)
+     jhigh *= 2;
+ 
+  
+   try
+   {
+     for (jrow = 0; jrow < jh.high; jrow++)
+@@ -585,7 +586,7 @@ void LibRaw::lossless_jpeg_load_raw()
+           col += (row--, raw_width);
+         if (row > raw_height)
+           throw LIBRAW_EXCEPTION_IO_CORRUPT;
+-        if ((unsigned)row < raw_height)
+        if (((unsigned)row < raw_height) && ((unsigned)col < raw_width))
+           RAW(row, col) = val;
+         if (++col >= raw_width)
+           col = (row++, 0);
+-- 
+2.53.0
+
--- a/SOURCES/LibRaw-CVE-2026-24450-TALOS-2026-2363.patch
+++ b/SOURCES/LibRaw-CVE-2026-24450-TALOS-2026-2363.patch
@ -0,0 +1,56 @@
+From 61e1ea762cf30afc3d7cc6252e231f8318492e21 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Thu, 12 Mar 2026 20:34:53 +0300
+Subject: [PATCH] Fix for TALOS-2026-2363: avoid integer overflow in allocation
+ size calculation. Also: check for EOF in read loop
+
+(cherry picked from commit c911c9b9edffa5fab99f828d0fee6dd2d0f6105f)
+---
+ src/decoders/fp_dng.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/fp_dng.cpp b/src/decoders/fp_dng.cpp
+index 0566ad2ca648..5f0d25f5688c 100644
+--- a/src/decoders/fp_dng.cpp
+++ b/src/decoders/fp_dng.cpp
+@@ -611,12 +611,17 @@ void LibRaw::uncompressed_fp_dng_load_raw()
+     tiles.init(ifd, imgdata.sizes, libraw_internal_data.unpacker_data, libraw_internal_data.unpacker_data.order,
+         libraw_internal_data.internal_data.input);
+ 
+	// Max bytes: 2^16 raw width * 2^2 bytes/pixel * 2^2 channels = 2^20, so check against 2^22
+	INT64 rowbytes = INT64(MAX(tiles.tileWidth, imgdata.sizes.raw_width)) * INT64(MAX(bytesps,4)) * INT64(ifd->samples);
+	if(rowbytes > (1LL << 22))
+      throw LIBRAW_EXCEPTION_TOOBIG;
+
+ 	INT64 allocsz = INT64(tiles.tileCnt) * INT64(tiles.tileWidth) * INT64(tiles.tileHeight) * INT64(ifd->samples) * INT64(sizeof(float));
+ 	if (allocsz > INT64(imgdata.rawparams.max_raw_memory_mb) * INT64(1024 * 1024))
+ 		throw LIBRAW_EXCEPTION_TOOBIG;
+ 
+     if (ifd->sample_format == 3)
+-        float_raw_image = (float *)calloc(tiles.tileCnt * tiles.tileWidth * tiles.tileHeight *ifd->samples, sizeof(float));
+        float_raw_image = (float *)calloc(allocsz,1);
+     else
+         throw LIBRAW_EXCEPTION_DECODE_RAW; // Only float supported
+ 
+@@ -633,6 +638,7 @@ void LibRaw::uncompressed_fp_dng_load_raw()
+             size_t rowsInTile = y + tiles.tileHeight > imgdata.sizes.raw_height ? imgdata.sizes.raw_height - y : tiles.tileHeight;
+             size_t colsInTile = x + tiles.tileWidth > imgdata.sizes.raw_width ? imgdata.sizes.raw_width - x : tiles.tileWidth;
+ 
+			// inrowbytes is less then 2^22 (see above) so conversion to int is safe
+             size_t inrowbytes = colsInTile * bytesps * ifd->samples;
+             int fullrowbytes = tiles.tileWidth *bytesps * ifd->samples;
+             size_t outrowbytes = colsInTile * sizeof(float) * ifd->samples;
+@@ -642,7 +648,9 @@ void LibRaw::uncompressed_fp_dng_load_raw()
+                 unsigned char *dst = fullrowbytes > inrowbytes ? rowbuf.data(): // last tile in row, use buffer
+                     (unsigned char *)&float_raw_image
+                     [((y + row) * imgdata.sizes.raw_width + x) * ifd->samples];
+-                libraw_internal_data.internal_data.input->read(dst, 1, fullrowbytes);
+                int bytesread = libraw_internal_data.internal_data.input->read(dst, 1, fullrowbytes);
+				if (bytesread < fullrowbytes)
+					derror();
+                 if (bytesps == 2 && difford)
+                     libraw_swab(dst, fullrowbytes);
+                 else if (bytesps == 3 && (libraw_internal_data.unpacker_data.order == 0x4949)) // II-16bit
+-- 
+2.53.0
+
--- a/SPECS/LibRaw.spec
+++ b/SPECS/LibRaw.spec
@ -7,7 +7,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.21.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD and LGPLv2
 URL: http://www.libraw.org

@ -25,6 +25,12 @@ Patch0: LibRaw-pkgconfig.patch
 # CVE-2023-1729
 Patch1: 9ab70f6dca19229cb5caad7cc31af4e7501bac93.patch

+# https://redhat.atlassian.net/browse/RHEL-165456
+Patch2: LibRaw-CVE-2026-21413-TALOS-2026-2331.patch
+
+# https://redhat.atlassian.net/browse/RHEL-165373
+Patch3: LibRaw-CVE-2026-24450-TALOS-2026-2363.patch
+
 Provides: bundled(dcraw) = 9.25

 %description
@ -119,6 +125,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la


 %changelog
+* Mon Apr 27 2026 Debarshi Ray <rishi@fedoraproject.org> - 0.21.1-2
+- Fix CVE-2026-21413 and CVE-2026-24450
+Resolves: RHEL-165373, RHEL-165456
+
 * Mon Oct 02 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.21.1-1
 - 0.21.1
 - Include the fix for CVE-2023-1729 from Fedora