From 3a24defb0f0b46d7f4003fe8e6c91d99159f99d1 Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla
Date: Mon, 29 Jun 2020 13:27:05 -0500
Subject: [PATCH] Patch for CVE-2020-15365
---
 ...a0c08974b8b79ebfa7762b555a1704b25fb2.patch | 54 +++++++++++++++++++
 LibRaw.spec | 6 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 55f0a0c08974b8b79ebfa7762b555a1704b25fb2.patch
diff --git a/55f0a0c08974b8b79ebfa7762b555a1704b25fb2.patch b/55f0a0c08974b8b79ebfa7762b555a1704b25fb2.patch
new file mode 100644
index 0000000..816ce48
--- /dev/null
+++ b/55f0a0c08974b8b79ebfa7762b555a1704b25fb2.patch
@@ -0,0 +1,54 @@
+From 55f0a0c08974b8b79ebfa7762b555a1704b25fb2 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Tue, 16 Jun 2020 13:17:00 +0300
+Subject: [PATCH] possible buffer underrun in exif parser
+
+---
+ src/metadata/cr3_parser.cpp | 2 +-
+ src/metadata/exif_gps.cpp | 13 +++++++++----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/metadata/cr3_parser.cpp b/src/metadata/cr3_parser.cpp
+index 33983e62..ee209bf3 100644
+--- a/src/metadata/cr3_parser.cpp
++++ b/src/metadata/cr3_parser.cpp
+@@ -83,7 +83,7 @@ void LibRaw::selectCRXTrack(short maxTrack)
+
+ int tiff_idx = -1;
+ INT64 tpixels = 0;
+- for (int i = 0; i < tiff_nifds; i++)
++ for (int i = 0; i < tiff_nifds && i < LIBRAW_IFD_MAXCOUNT; i++)
+ if (INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height) > tpixels)
+ {
+ tpixels = INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height);
+diff --git a/src/metadata/exif_gps.cpp b/src/metadata/exif_gps.cpp
+index 6fbe1f32..98327969 100644
+--- a/src/metadata/exif_gps.cpp
++++ b/src/metadata/exif_gps.cpp
+@@ -164,7 +164,9 @@ void LibRaw::parse_exif(int base)
+ imgdata.lens.EXIF_MaxAp = libraw_powf64l(2.0f, (getreal(type) / 2.0f));
+ break;
+ case 0x829a: // 33434
+- tiff_ifd[tiff_nifds - 1].t_shutter = shutter = getreal(type);
++ shutter = getreal(type);
++ if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)
++ tiff_ifd[tiff_nifds - 1].t_shutter = shutter;
+ break;
+ case 0x829d: // 33437, FNumber
+ aperture = getreal(type);
+@@ -186,9 +188,12 @@ void LibRaw::parse_exif(int base)
+ get_timestamp(0);
+ break;
+ case 0x9201: // 37377
+- if ((expo = -getreal(type)) < 128 && shutter == 0.)
+- tiff_ifd[tiff_nifds - 1].t_shutter = shutter =
+- libraw_powf64l(2.0, expo);
++ if ((expo = -getreal(type)) < 128 && shutter == 0.)
++ {
++ shutter = libraw_powf64l(2.0, expo);
++ if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)
++ tiff_ifd[tiff_nifds - 1].t_shutter = shutter;
++ }
+ break;
+ case 0x9202: // 37378 ApertureValue
+ if ((fabs(ape = getreal(type)) < 256.0) && (!aperture))
diff --git a/LibRaw.spec b/LibRaw.spec
index 42e56d8..653a5a1 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -7,7 +7,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.20
-Release: 0.beta1%{?dist}.1
+Release: 0.beta1%{?dist}.2
 License: BSD and (CDDL or LGPLv2)
 URL: http://www.libraw.org
@@ -20,6 +20,7 @@ BuildRequires: autoconf automake libtool
 #Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Source0: http://github.com/LibRaw/LibRaw/archive/%{version}-Beta1.tar.gz
 Patch0: LibRaw-pkgconfig.patch
+Patch1: 55f0a0c08974b8b79ebfa7762b555a1704b25fb2.patch
 Provides: bundled(dcraw) = 9.25
 %description
@@ -116,6 +117,9 @@ rm -fv %{buildroot}%{_libdir}/lib*.la
 %changelog
+* Mon Jun 29 2020 Gwyn Ciesla - 0.20-.beta1.2
+- Patch for CVE-2020-15365
+
 * Wed May 13 2020 Kalev Lember - 0.20-0.beta1.1
 - Add back pkgconfig patch lost in the previous commit
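Review bot: The range check on `tiff_nifds` is repeated at each use instead of being stated once: in the vendored upstream patch, `parse_exif` spells out `if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)` in both the 0x829a and 0x9201 cases, while `selectCRXTrack` clamps its loop with `i < LIBRAW_IFD_MAXCOUNT`. Nothing in these hunks records why the index can be invalid, so a later `tiff_ifd[tiff_nifds - 1]` access could be added without the guard; a comment above the first guard such as `// tiff_nifds may be 0 or exceed LIBRAW_IFD_MAXCOUNT on malformed input: never index tiff_ifd[tiff_nifds - 1] unchecked` would document the invariant. Both functions start and end outside the hunks, so whether other unguarded uses of the same index remain cannot be judged from this patch alone.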
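Review bot: The new `Patch1:` line only declares the patch; no hunk in this commit adds a matching `%patch1 -p1` in `%prep`, and that section lies outside the visible hunks, so it cannot be seen whether `%autosetup` or `%autopatch` applies it automatically. If `%prep` applies patches one by one, the package would ship with the bumped Release and the CVE-2020-15365 changelog entry but without the fix itself, so confirm in the build log that the patch is applied to `src/metadata/exif_gps.cpp` and `src/metadata/cr3_parser.cpp`. Separately, the new changelog entry reads `0.20-.beta1.2` while Release is `0.beta1%{?dist}.2`; it presumably should be `0.20-0.beta1.2`.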