diff --git a/SOURCES/LibRaw-CVE-2026-21413-TALOS-2026-2331.patch b/SOURCES/LibRaw-CVE-2026-21413-TALOS-2026-2331.patch new file mode 100644 index 0000000..7e61af5 --- /dev/null +++ b/SOURCES/LibRaw-CVE-2026-21413-TALOS-2026-2331.patch @@ -0,0 +1,34 @@ +From c5b64f3fc63ca709da87d33086c3c85e993c4f54 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sat, 28 Feb 2026 18:26:53 +0300 +Subject: [PATCH] Fix for TALOS-2026-2331 + +(cherry picked from commit 75ed2c12a35b765b3b6ad695cc1f044f19efe644) +--- + src/decoders/decoders_dcraw.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/decoders/decoders_dcraw.cpp b/src/decoders/decoders_dcraw.cpp +index 721d385777ad..2164664dd477 100644 +--- a/src/decoders/decoders_dcraw.cpp ++++ b/src/decoders/decoders_dcraw.cpp +@@ -560,6 +560,7 @@ void LibRaw::lossless_jpeg_load_raw() + if (jh.clrs == 4 && jwide >= raw_width * 2) + jhigh *= 2; + ++ + try + { + for (jrow = 0; jrow < jh.high; jrow++) +@@ -585,7 +586,7 @@ void LibRaw::lossless_jpeg_load_raw() + col += (row--, raw_width); + if (row > raw_height) + throw LIBRAW_EXCEPTION_IO_CORRUPT; +- if ((unsigned)row < raw_height) ++ if (((unsigned)row < raw_height) && ((unsigned)col < raw_width)) + RAW(row, col) = val; + if (++col >= raw_width) + col = (row++, 0); +-- +2.53.0 + diff --git a/SOURCES/LibRaw-CVE-2026-24450-TALOS-2026-2363.patch b/SOURCES/LibRaw-CVE-2026-24450-TALOS-2026-2363.patch new file mode 100644 index 0000000..f434c95 --- /dev/null +++ b/SOURCES/LibRaw-CVE-2026-24450-TALOS-2026-2363.patch @@ -0,0 +1,56 @@ +From 61e1ea762cf30afc3d7cc6252e231f8318492e21 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Thu, 12 Mar 2026 20:34:53 +0300 +Subject: [PATCH] Fix for TALOS-2026-2363: avoid integer overflow in allocation + size calculation. Also: check for EOF in read loop + +(cherry picked from commit c911c9b9edffa5fab99f828d0fee6dd2d0f6105f) +--- + src/decoders/fp_dng.cpp | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/decoders/fp_dng.cpp b/src/decoders/fp_dng.cpp +index 0566ad2ca648..5f0d25f5688c 100644 +--- a/src/decoders/fp_dng.cpp ++++ b/src/decoders/fp_dng.cpp +@@ -611,12 +611,17 @@ void LibRaw::uncompressed_fp_dng_load_raw() + tiles.init(ifd, imgdata.sizes, libraw_internal_data.unpacker_data, libraw_internal_data.unpacker_data.order, + libraw_internal_data.internal_data.input); + ++ // Max bytes: 2^16 raw width * 2^2 bytes/pixel * 2^2 channels = 2^20, so check against 2^22 ++ INT64 rowbytes = INT64(MAX(tiles.tileWidth, imgdata.sizes.raw_width)) * INT64(MAX(bytesps,4)) * INT64(ifd->samples); ++ if(rowbytes > (1LL << 22)) ++ throw LIBRAW_EXCEPTION_TOOBIG; ++ + INT64 allocsz = INT64(tiles.tileCnt) * INT64(tiles.tileWidth) * INT64(tiles.tileHeight) * INT64(ifd->samples) * INT64(sizeof(float)); + if (allocsz > INT64(imgdata.rawparams.max_raw_memory_mb) * INT64(1024 * 1024)) + throw LIBRAW_EXCEPTION_TOOBIG; + + if (ifd->sample_format == 3) +- float_raw_image = (float *)calloc(tiles.tileCnt * tiles.tileWidth * tiles.tileHeight *ifd->samples, sizeof(float)); ++ float_raw_image = (float *)calloc(allocsz,1); + else + throw LIBRAW_EXCEPTION_DECODE_RAW; // Only float supported + +@@ -633,6 +638,7 @@ void LibRaw::uncompressed_fp_dng_load_raw() + size_t rowsInTile = y + tiles.tileHeight > imgdata.sizes.raw_height ? imgdata.sizes.raw_height - y : tiles.tileHeight; + size_t colsInTile = x + tiles.tileWidth > imgdata.sizes.raw_width ? imgdata.sizes.raw_width - x : tiles.tileWidth; + ++ // inrowbytes is less then 2^22 (see above) so conversion to int is safe + size_t inrowbytes = colsInTile * bytesps * ifd->samples; + int fullrowbytes = tiles.tileWidth *bytesps * ifd->samples; + size_t outrowbytes = colsInTile * sizeof(float) * ifd->samples; +@@ -642,7 +648,9 @@ void LibRaw::uncompressed_fp_dng_load_raw() + unsigned char *dst = fullrowbytes > inrowbytes ? rowbuf.data(): // last tile in row, use buffer + (unsigned char *)&float_raw_image + [((y + row) * imgdata.sizes.raw_width + x) * ifd->samples]; +- libraw_internal_data.internal_data.input->read(dst, 1, fullrowbytes); ++ int bytesread = libraw_internal_data.internal_data.input->read(dst, 1, fullrowbytes); ++ if (bytesread < fullrowbytes) ++ derror(); + if (bytesps == 2 && difford) + libraw_swab(dst, fullrowbytes); + else if (bytesps == 3 && (libraw_internal_data.unpacker_data.order == 0x4949)) // II-16bit +-- +2.53.0 + diff --git a/SPECS/LibRaw.spec b/SPECS/LibRaw.spec index 9a71bee..486b63a 100644 --- a/SPECS/LibRaw.spec +++ b/SPECS/LibRaw.spec @@ -7,7 +7,7 @@ Summary: Library for reading RAW files obtained from digital photo cameras Name: LibRaw Version: 0.21.1 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and LGPLv2 URL: http://www.libraw.org @@ -25,6 +25,12 @@ Patch0: LibRaw-pkgconfig.patch # CVE-2023-1729 Patch1: 9ab70f6dca19229cb5caad7cc31af4e7501bac93.patch +# https://redhat.atlassian.net/browse/RHEL-165456 +Patch2: LibRaw-CVE-2026-21413-TALOS-2026-2331.patch + +# https://redhat.atlassian.net/browse/RHEL-165373 +Patch3: LibRaw-CVE-2026-24450-TALOS-2026-2363.patch + Provides: bundled(dcraw) = 9.25 %description @@ -119,6 +125,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la %changelog +* Mon Apr 27 2026 Debarshi Ray - 0.21.1-2 +- Fix CVE-2026-21413 and CVE-2026-24450 +Resolves: RHEL-165373, RHEL-165456 + * Mon Oct 02 2023 Debarshi Ray - 0.21.1-1 - 0.21.1 - Include the fix for CVE-2023-1729 from Fedora