From 3fbdcce34babfa03225c8543294855254c10cc14 Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla
Date: Fri, 15 Sep 2017 09:28:31 -0500
Subject: [PATCH] CVE-2017-14348
---
 LibRaw.spec | 9 ++-
 ...8f6d1e987b7491182040a188c16a395f1d21.patch | 70 +++++++++++++++++++
 2 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 d13e8f6d1e987b7491182040a188c16a395f1d21.patch
diff --git a/LibRaw.spec b/LibRaw.spec
index 66dd8d5..27c3793 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -1,7 +1,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.18.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv3+
 Group: Development/Libraries
 URL: http://www.libraw.org
@@ -14,7 +14,7 @@ Source1: http://www.libraw.org/data/%{name}-demosaic-pack-GPL2-%{version}.tar.gz
 Source2: http://www.libraw.org/data/%{name}-demosaic-pack-GPL3-%{version}.tar.gz
 Patch0: LibRaw-0.6.0-pkgconfig.patch
 Patch1: LibRaw-0.17.1-CVE-2015-8366-8367.patch
-#Patch2: radc_divbyzero.patch
+Patch2: d13e8f6d1e987b7491182040a188c16a395f1d21.patch
 Provides: bundled(dcraw) = 9.25
@@ -56,7 +56,7 @@ LibRaw sample programs
 %patch0 -p0 -b .pkgconfig
 %patch1 -p1 -b .CVE-2015-8366
-#%patch2 -p1 -b .CVE-2017-13735
+%patch2 -p1 -b .CVE-2017-14348
 %build
 %configure --enable-examples=yes --enable-jasper --enable-lcms \
@@ -105,6 +105,9 @@ make install DESTDIR=%{buildroot}
 %postun -p /sbin/ldconfig
 %changelog
+* Fri Sep 15 2017 Gwyn Ciesla - 0.18.4-2
+- Patch for CVE-2017-14348.
+
 * Tue Sep 12 2017 Gwyn Ciesla - 0.18.4-1
 - 0.18.4
diff --git a/d13e8f6d1e987b7491182040a188c16a395f1d21.patch b/d13e8f6d1e987b7491182040a188c16a395f1d21.patch
new file mode 100644
index 0000000..76fe4df
--- /dev/null
+++ b/d13e8f6d1e987b7491182040a188c16a395f1d21.patch
@@ -0,0 +1,70 @@
+From d13e8f6d1e987b7491182040a188c16a395f1d21 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin
+Date: Wed, 13 Sep 2017 09:31:01 +0300
+Subject: [PATCH] CVE-2017-1438 credits; fix for Kodak 65000 out of bounds
+ access
+
+---
+ Changelog.txt | 6 +++++-
+ dcraw/dcraw.c | 11 +++++++++--
+ internal/dcraw_common.cpp | 11 +++++++++--
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/Changelog.txt b/Changelog.txt
+index 95bdc952..9b247882 100755
+--- a/Changelog.txt
++++ b/Changelog.txt
+@@ -1,5 +1,9 @@
++2017-09-13 Alex Tutubalin
++ * Fixed possible out of bound access in Kodak 6500 loader
++
+ 2017-09-12 Alex Tutubalin
+- * Fix for possible heap overrun in Canon makernotes parser
++ * CVE-2017-14348: Fix for possible heap overrun in Canon makernotes parser
++ Credit: Henri Salo from Nixu Corporation
+ * LibRaw 0.18.4
+
+ 2017-09-09 Alex Tutubalin
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index 18bcdbcb..8fb2b073 100644
+--- a/internal/dcraw_common.cpp
++++ b/internal/dcraw_common.cpp
+@@ -3240,8 +3240,15 @@ void CLASS kodak_65000_load_raw()
+ len = MIN (256, width-col);
+ ret = kodak_65000_decode (buf, len);
+ for (i=0; i < len; i++)
+- if ((RAW(row,col+i) = curve[ret ? buf[i] :
+- (pred[i & 1] += buf[i])]) >> 12) derror();
++ {
++ int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
++ if(idx >=0 && idx <= 0xffff)
++ {
++ if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
++ }
++ else
++ derror();
++ }
+ }
+ }
+ }
+--- LibRaw-0.18.4/dcraw/dcraw.c~ 2017-09-15 09:17:55.000000000 -0500
++++ LibRaw-0.18.4/dcraw/dcraw.c 2017-09-15 09:20:29.532287605 -0500
+@@ -2589,8 +2589,16 @@
+ len = MIN (256, width-col);
+ ret = kodak_65000_decode (buf, len);
+ for (i=0; i < len; i++)
+- if ((RAW(row,col+i) = curve[ret ? buf[i] :
+- (pred[i & 1] += buf[i])]) >> 12) derror();
++ {
++ int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
++ if(idx >=0 && idx <= 0xffff)
++ {
++ if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
++ }
++ else
++ derror();
++ }
++
+ }
+ }
+
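Review bot: The code in this patch file changes only kodak_65000_load_raw (in dcraw_common.cpp and dcraw.c), while its own Changelog hunk attributes CVE-2017-14348 to the Canon makernotes heap overrun listed under the LibRaw 0.18.4 entry, so the spec's `%patch2 -p1 -b .CVE-2017-14348` suffix and `- Patch for CVE-2017-14348.` changelog line appear to name a different issue from the one being patched. Anyone auditing the package by CVE id would be misled about what release 2 adds; a changelog line such as `- Backport upstream d13e8f6: Kodak 65000 loader out-of-bounds access fix.` would match the visible change. In the loader, the new guard `if(idx >=0 && idx <= 0xffff)` is sufficient only if `curve` has at least 0x10000 entries; that declaration lies outside the hunk, so it is worth confirming and recording next to the check, e.g. `/* idx must stay within curve[], assumed 0x10000 entries */`. The function body starts and ends outside both code hunks.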