From 4241ce166cba0add574ae583993db326ea8c2d7c Mon Sep 17 00:00:00 2001 From: Gwyn Ciesla Date: Thu, 24 Sep 2020 08:37:51 -0500 Subject: [PATCH] Patch for CVE-2020-24890. --- ...23ecbe6a9752aee6e97118a76d40704d73ee.patch | 97 +++++++++++++++++++ LibRaw.spec | 7 +- 2 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 78d323ecbe6a9752aee6e97118a76d40704d73ee.patch diff --git a/78d323ecbe6a9752aee6e97118a76d40704d73ee.patch b/78d323ecbe6a9752aee6e97118a76d40704d73ee.patch new file mode 100644 index 0000000..3bd2e35 --- /dev/null +++ b/78d323ecbe6a9752aee6e97118a76d40704d73ee.patch @@ -0,0 +1,97 @@ +From 78d323ecbe6a9752aee6e97118a76d40704d73ee Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Thu, 20 Aug 2020 15:24:40 +0300 +Subject: [PATCH] Additional checks in hassy model parser + +--- + src/metadata/hasselblad_model.cpp | 39 ++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/src/metadata/hasselblad_model.cpp b/src/metadata/hasselblad_model.cpp +index 979f56c6..f1cd0d6d 100644 +--- a/src/metadata/hasselblad_model.cpp ++++ b/src/metadata/hasselblad_model.cpp +@@ -93,7 +93,7 @@ static const char *Hasselblad_SensorEnclosures[] = { + int norm_model_isSet = 0; + + if (model[0] == ' ') +- memmove(model, model+1, strlen(model)); ++ memmove(model, model+1, MIN(sizeof(model)-1,strlen(model))); + + if (!imHassy.format) { + if (dng_version) { +@@ -116,49 +116,62 @@ static const char *Hasselblad_SensorEnclosures[] = { + memmove(imHassy.SensorUnitConnector, imHassy.SensorUnitConnector+11, 64-11); + + if (imHassy.format == LIBRAW_HF_AdobeDNG) { // Adobe DNG, use LocalizedCameraModel ++ imgdata.color.LocalizedCameraModel[63] = 0; // make sure 0-termination + if ((ps = strrchr(imgdata.color.LocalizedCameraModel, '-'))) + c = ps-imgdata.color.LocalizedCameraModel; + else c = strlen(imgdata.color.LocalizedCameraModel); +- memcpy(tmp_model, imgdata.color.LocalizedCameraModel, c); +- tmp_model[c] = 0; ++ int cc = MIN(c, sizeof(tmp_model)-1); ++ memcpy(tmp_model, imgdata.color.LocalizedCameraModel,cc); ++ tmp_model[cc] = 0; + if (strcasestr(imgdata.color.UniqueCameraModel, "coated")) { +- strcpy(normalized_model, imgdata.color.UniqueCameraModel); ++ strncpy(normalized_model, imgdata.color.UniqueCameraModel,sizeof(imgdata.color.UniqueCameraModel)-1); ++ normalized_model[sizeof(imgdata.color.UniqueCameraModel) - 1] = 0; + norm_model_isSet = 1; + } + if (!strncmp(normalized_model, "Hasselblad ", 11)) + memmove(normalized_model, normalized_model+11, 64-11); +- } else +- strcpy(tmp_model, imgdata.color.UniqueCameraModel); ++ } ++ else ++ { ++ strncpy(tmp_model, imgdata.color.UniqueCameraModel, sizeof(imgdata.color.UniqueCameraModel) - 1); ++ tmp_model[63] = 0; ++ } + if (!strncasecmp(tmp_model, "Hasselblad ", 11)) + memmove(tmp_model, tmp_model+11, 64-11); + + // check if model tag contains manual CaptureSequenceInitiator info: +- strcpy(imHassy.CaptureSequenceInitiator, model); ++ strncpy(imHassy.CaptureSequenceInitiator, model,31); ++ imHassy.CaptureSequenceInitiator[31] = 0; + FORC(int(sizeof Hasselblad_Ctrl / sizeof *Hasselblad_Ctrl)) { + if (strcasestr(model, Hasselblad_Ctrl[c])) { + // yes, fill 'model' with sensor unit data +- strcpy(model, tmp_model); ++ strncpy(model, tmp_model,63); ++ model[63] = 0; + break; + } + } + + ps = strchr(model, '-'); + if (ps) { // check if model contains both host body and sensor version, resolution, MS info +- strcpy(imHassy.SensorUnit, model); ++ strncpy(imHassy.SensorUnit, model,63); + memcpy(imHassy.HostBody, model, ps-model); + imHassy.HostBody[ps-model] = 0; + if (!strncmp(ps-2, "II-", 3)) + ps -=2; +- strcpy(imHassy.Sensor, ps); ++ strncpy(imHassy.Sensor, ps,7); ++ imHassy.Sensor[7] = 0; + add_MP_toName = 0; + } else { // model contains host body only +- strcpy(imHassy.HostBody, model); ++ strncpy(imHassy.HostBody, model,63); ++ imHassy.HostBody[63] = 0; + // fill 'model' with sensor unit data +- strcpy(model, tmp_model); ++ strncpy(model, tmp_model,63); ++ model[63] = 0; + } + + if (!strncmp(model, "503CWD", 6)) { +- strcpy(imHassy.HostBody, model); ++ strncpy(imHassy.HostBody, model,63); ++ imHassy.HostBody[63] = 0; + ilm.CameraFormat = LIBRAW_FORMAT_66; + ilm.CameraMount = LIBRAW_MOUNT_Hasselblad_V; + if (model[6] == 'I' && model[7] == 'I') diff --git a/LibRaw.spec b/LibRaw.spec index 0af724e..637a2a8 100644 --- a/LibRaw.spec +++ b/LibRaw.spec @@ -7,7 +7,7 @@ Summary: Library for reading RAW files obtained from digital photo cameras Name: LibRaw Version: 0.20.0 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD and (CDDL or LGPLv2) URL: http://www.libraw.org @@ -20,6 +20,8 @@ BuildRequires: autoconf automake libtool #Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz Patch0: LibRaw-pkgconfig.patch +# For CVE-2020-24890 +Patch1: 78d323ecbe6a9752aee6e97118a76d40704d73ee.patch Provides: bundled(dcraw) = 9.25 %description @@ -114,6 +116,9 @@ rm -fv %{buildroot}%{_libdir}/lib*.la %changelog +* Thu Sep 24 2020 Gwyn Ciesla - 0.20.0-3 +- Patch for CVE-2020-24890. + * Mon Jul 27 2020 Fedora Release Engineering - 0.20.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild