From 6b9855473843312dc24fa49d051d520992002df5 Mon Sep 17 00:00:00 2001
From: Jon Ciesla
Date: Fri, 31 May 2013 05:40:22 -0500
Subject: [PATCH] Fix for double-free.
---
LibRaw-0.14.8-errorhandling.patch | 49 +++++++++++++++++++++++++++++++
LibRaw.spec | 7 ++++-
2 files changed, 55 insertions(+), 1 deletion(-)
create mode 100644 LibRaw-0.14.8-errorhandling.patch
diff --git a/LibRaw-0.14.8-errorhandling.patch b/LibRaw-0.14.8-errorhandling.patch
new file mode 100644
index 0000000..b71a539
--- /dev/null
+++ b/LibRaw-0.14.8-errorhandling.patch
@@ -0,0 +1,49 @@
+diff -U3 -r LibRaw-0.14.8.orig/Changelog.rus LibRaw-0.14.8/Changelog.rus
+--- LibRaw-0.14.8.orig/Changelog.rus 2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/Changelog.rus 2013-05-31 05:31:45.970607271 -0500
+@@ -1,4 +1,8 @@
+-2013-05-21 Alex Tutubalin
++2013-05-31 Alex Tutubalin
++ * Исправлена ошибка при обработке поврежденных полноцветных
++ файлов (sRAW, Foveon)
++
++2013-05-21 Alex Tutubalin
+ * Исправлена ошибка в коде функции sony_decrypt(), приводившая
+ к неверному чтению камерного баланса белого на камерах Sony
+ если LibRaw была собрана gcc 4.8
+diff -U3 -r LibRaw-0.14.8.orig/Changelog.txt LibRaw-0.14.8/Changelog.txt
+--- LibRaw-0.14.8.orig/Changelog.txt 2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/Changelog.txt 2013-05-31 05:31:45.970607271 -0500
+@@ -1,3 +1,7 @@
++2013-05-31 Alex Tutubalin
++ * Fixed double call to free() on broken legacy-layout images
++ (backport from 0.15.x)
++
+ 2013-05-21 Alex Tutubalin
+ * Fixed undefined behaviour in sony_decrypt() function.
+ This bug causes incorrect camera WB read for Sony cameras.
+diff -U3 -r LibRaw-0.14.8.orig/src/libraw_cxx.cpp LibRaw-0.14.8/src/libraw_cxx.cpp
+--- LibRaw-0.14.8.orig/src/libraw_cxx.cpp 2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/src/libraw_cxx.cpp 2013-05-31 05:31:51.402607149 -0500
+@@ -796,8 +796,8 @@
+ S.iheight= S.height;
+ IO.shrink = 0;
+ // allocate image as temporary buffer, size
+- imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+- imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
++ imgdata.rawdata.raw_alloc = 0;
++ imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+ }
+
+
+@@ -807,8 +807,8 @@
+ // recover saved
+ if( decoder_info.decoder_flags & LIBRAW_DECODER_LEGACY)
+ {
+- imgdata.image = 0;
+- imgdata.rawdata.color_image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
++ imgdata.rawdata.raw_alloc = imgdata.rawdata.color_image = imgdata.image;
++ imgdata.image = 0;
+ }
+
+ // calculate channel maximum
diff --git a/LibRaw.spec b/LibRaw.spec
index 5b44e52..c9af366 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -2,7 +2,7 @@ Summary: Library for reading RAW files obtained from digital photo cameras Name: LibRaw Version: 0.14.8 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ Group: Development/Libraries URL: http://www.libraw.org
@@ -15,6 +15,7 @@ Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz Source1: http://www.libraw.org/data/%{name}-demosaic-pack-GPL2-%{version}.tar.gz Source2: http://www.libraw.org/data/%{name}-demosaic-pack-GPL3-%{version}.tar.gz #Patch0: LibRaw-0.14.7-segfault.patch +Patch1: LibRaw-0.14.8-errorhandling.patch %description LibRaw is a library for reading RAW files obtained from digital photo
@@ -44,6 +45,7 @@ LibRaw static development libraries. %prep %setup -q -a1 -a2 #%patch0 -p0 +%patch1 -p1 %build %configure --enable-examples=no --enable-jasper --enable-lcms \
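Review bot: The `calloc` result assigned to `imgdata.image` in the `@@ -796,8 +796,8 @@` hunk of the embedded libraw_cxx.cpp patch is not checked before the block closes, so a failed allocation leaves a null `imgdata.image` for whatever code uses it next. The changelog entry says this path is reached with broken files, and the element count is `S.iwidth*S.iheight`, so an oversized or failed request is a realistic input here. I would add `if (!imgdata.image) throw LIBRAW_EXCEPTION_ALLOC;` right after the allocation (or use whatever allocation-failure path the enclosing function already has), and compute the count as `(size_t)S.iwidth * S.iheight` in case those fields are narrower than `size_t`. The enclosing function starts and ends outside the hunk, so a check further down cannot be ruled out from here.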
@@ -82,6 +84,9 @@ make install DESTDIR=%{buildroot} %postun -p /sbin/ldconfig %changelog +* Wed May 29 2013 Jon Ciesla - 0.14.8-2 +- Patch for double free, CVE-2013-2126, BZ 968387. + * Wed May 29 2013 Jon Ciesla - 0.14.8-1 - Latest upstream, fixes gcc 4.8 issues.