diff --git a/SOURCES/LibRaw-CVE-2020-15503.patch b/SOURCES/LibRaw-CVE-2020-15503.patch new file mode 100644 index 0000000..eae0baf --- /dev/null +++ b/SOURCES/LibRaw-CVE-2020-15503.patch @@ -0,0 +1,133 @@ +diff -urNp LibRaw-0.19.5.orig/libraw/libraw_const.h LibRaw-0.19.5/libraw/libraw_const.h +--- LibRaw-0.19.5.orig/libraw/libraw_const.h 2020-08-10 18:32:18.669459968 +0200 ++++ LibRaw-0.19.5/libraw/libraw_const.h 2020-08-10 18:48:10.462282067 +0200 +@@ -24,6 +24,12 @@ it under the terms of the one of two lic + #define LIBRAW_MAX_ALLOC_MB 2048L + #endif + ++/* limit thumbnail size, default is 512Mb*/ ++#ifndef LIBRAW_MAX_THUMBNAIL_MB ++#define LIBRAW_MAX_THUMBNAIL_MB 512L ++#endif ++ ++ + /* Change to non-zero to allow (broken) CRW (and other) files metadata + loop prevention */ + #ifndef LIBRAW_METADATA_LOOP_PREVENTION +diff -urNp LibRaw-0.19.5.orig/src/libraw_cxx.cpp LibRaw-0.19.5/src/libraw_cxx.cpp +--- LibRaw-0.19.5.orig/src/libraw_cxx.cpp 2020-08-10 18:32:18.672459987 +0200 ++++ LibRaw-0.19.5/src/libraw_cxx.cpp 2020-08-10 18:49:18.616688826 +0200 +@@ -3712,6 +3712,21 @@ libraw_processed_image_t *LibRaw::dcraw_ + return NULL; + } + ++ if (T.tlength < 64u) ++ { ++ if (errcode) ++ *errcode = EINVAL; ++ return NULL; ++ } ++ ++ if (INT64(T.tlength) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) ++ { ++ if (errcode) ++ *errcode = LIBRAW_TOO_BIG; ++ return NULL; ++ } ++ ++ + if (T.tformat == LIBRAW_THUMBNAIL_BITMAP) + { + libraw_processed_image_t *ret = (libraw_processed_image_t *)::malloc(sizeof(libraw_processed_image_t) + T.tlength); +@@ -3976,6 +3991,12 @@ void LibRaw::kodak_thumb_loader() + if (ID.toffset + est_datasize > ID.input->size() + THUMB_READ_BEYOND) + throw LIBRAW_EXCEPTION_IO_EOF; + ++ if(INT64(T.theight) * INT64(T.twidth) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++ ++ if (INT64(T.theight) * INT64(T.twidth) < 64ULL) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; ++ + // some kodak cameras + ushort s_height = S.height, s_width = S.width, s_iwidth = S.iwidth, s_iheight = S.iheight; + ushort s_flags = libraw_internal_data.unpacker_data.load_flags; +@@ -4237,6 +4258,25 @@ int LibRaw::unpack_thumb(void) + CHECK_ORDER_LOW(LIBRAW_PROGRESS_IDENTIFY); + CHECK_ORDER_BIT(LIBRAW_PROGRESS_THUMB_LOAD); + ++#define THUMB_SIZE_CHECKT(A) \ ++ do { \ ++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(A) > 0 && INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ ++#define THUMB_SIZE_CHECKTNZ(A) \ ++ do { \ ++ if (INT64(A) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(A) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ ++ ++#define THUMB_SIZE_CHECKWH(W,H) \ ++ do { \ ++ if (INT64(W)*INT64(H) > 1024ULL * 1024ULL * LIBRAW_MAX_THUMBNAIL_MB) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ if (INT64(W)*INT64(H) < 64ULL) throw LIBRAW_EXCEPTION_IO_CORRUPT; \ ++ } while (0) ++ + try + { + if (!libraw_internal_data.internal_data.input) +@@ -4267,6 +4307,7 @@ int LibRaw::unpack_thumb(void) + + if (INT64(ID.toffset) + tsize > ID.input->size() + THUMB_READ_BEYOND) + throw LIBRAW_EXCEPTION_IO_EOF; ++ THUMB_SIZE_CHECKT(tsize); + } + else + { +@@ -4280,6 +4321,7 @@ int LibRaw::unpack_thumb(void) + ID.input->seek(ID.toffset, SEEK_SET); + if (write_thumb == &LibRaw::jpeg_thumb) + { ++ THUMB_SIZE_CHECKTNZ(T.tlength); + if (T.thumb) + free(T.thumb); + T.thumb = (char *)malloc(T.tlength); +@@ -4326,6 +4368,7 @@ int LibRaw::unpack_thumb(void) + { + if (t_bytesps > 1) + throw LIBRAW_EXCEPTION_IO_CORRUPT; // 8-bit thumb, but parsed for more bits ++ THUMB_SIZE_CHECKWH(T.twidth, T.theight); + int t_length = T.twidth * T.theight * t_colors; + + if (T.tlength && T.tlength < t_length) // try to find tiff ifd with needed offset +@@ -4351,8 +4394,12 @@ int LibRaw::unpack_thumb(void) + T.tcolors = 1; + } + T.tlength = total_size; ++ THUMB_SIZE_CHECKTNZ(T.tlength); + if (T.thumb) + free(T.thumb); ++ ++ THUMB_SIZE_CHECKTNZ(T.tlength); ++ + T.thumb = (char *)malloc(T.tlength); + merror(T.thumb, "ppm_thumb()"); + +@@ -4400,10 +4447,15 @@ int LibRaw::unpack_thumb(void) + if (t_bytesps > 2) + throw LIBRAW_EXCEPTION_IO_CORRUPT; // 16-bit thumb, but parsed for more bits + int o_bps = (imgdata.params.raw_processing_options & LIBRAW_PROCESSING_USE_PPM16_THUMBS) ? 2 : 1; ++ THUMB_SIZE_CHECKWH(T.twidth, T.theight); + int o_length = T.twidth * T.theight * t_colors * o_bps; + int i_length = T.twidth * T.theight * t_colors * 2; + if (!T.tlength) + T.tlength = o_length; ++ THUMB_SIZE_CHECKTNZ(o_length); ++ THUMB_SIZE_CHECKTNZ(i_length); ++ THUMB_SIZE_CHECKTNZ(T.tlength); ++ + ushort *t_thumb = (ushort *)calloc(i_length, 1); + ID.input->read(t_thumb, 1, i_length); + if ((libraw_internal_data.unpacker_data.order == 0x4949) == (ntohs(0x1234) == 0x1234)) diff --git a/SPECS/LibRaw.spec b/SPECS/LibRaw.spec index d464a8b..b290e85 100644 --- a/SPECS/LibRaw.spec +++ b/SPECS/LibRaw.spec @@ -1,7 +1,7 @@ Summary: Library for reading RAW files obtained from digital photo cameras Name: LibRaw Version: 0.19.5 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and (CDDL or LGPLv2) URL: http://www.libraw.org @@ -13,6 +13,7 @@ BuildRequires: autoconf automake libtool Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz Patch0: LibRaw-0.6.0-pkgconfig.patch +Patch1: LibRaw-CVE-2020-15503.patch Provides: bundled(dcraw) = 9.25 %description @@ -52,6 +53,7 @@ LibRaw sample programs %setup -q %patch0 -p0 -b .pkgconfig +%patch1 -p1 -b .cve-2020-15503 %build autoreconf -if @@ -115,6 +117,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la %changelog +* Mon Aug 10 2020 Debarshi Ray - 0.19.5-2 +- Backport fix for CVE-2020-15503 from Fedora +Resolves: #1853529 + * Wed Oct 30 2019 Debarshi Ray - 0.19.5-1 - 0.19.5 Resolves: #1671744