Patch for CVE-2015-8366 and CVE-2015-8367

LibRaw-0.17.1-CVE-2015-8366-8367.patch

@@ -0,0 +1,14 @@
+diff -r -U3 LibRaw-0.17.1.orig/dcraw/dcraw.c LibRaw-0.17.1/dcraw/dcraw.c
+--- LibRaw-0.17.1.orig/dcraw/dcraw.c	2015-05-24 21:30:26.000000000 -0500
++++ LibRaw-0.17.1/dcraw/dcraw.c	2015-12-01 07:47:00.086513959 -0600
+@@ -2901,6 +2901,10 @@
+       diff = diff ? -diff : 0x80;
+     if (ftell(ifp) + 12 >= seg[1][1])
+       diff = 0;
++#ifdef LIBRAW_LIBRARY_BUILD
++    if(pix>=raw_width*raw_height)
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+     raw_image[pix] = pred[pix & 1] += diff;
+     if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }

LibRaw.spec

@@ -1,7 +1,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.17.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv3+
 Group: Development/Libraries
 URL: http://www.libraw.org
@@ -13,6 +13,7 @@ Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Source1: http://www.libraw.org/data/%{name}-demosaic-pack-GPL2-%{version}.tar.gz
 Source2: http://www.libraw.org/data/%{name}-demosaic-pack-GPL3-%{version}.tar.gz
 Patch0:  LibRaw-0.6.0-pkgconfig.patch
+Patch1:  LibRaw-0.17.1-CVE-2015-8366-8367.patch
 
 Provides: bundled(dcraw) = 9.25
 
@@ -52,6 +53,7 @@ LibRaw sample programs
 %setup -q -a1 -a2
 
 %patch0 -p0 -b .pkgconfig
+%patch1 -p1 -b .CVE-2015-8366
 
 %build
 %configure --enable-examples=yes --enable-jasper --enable-lcms \
@@ -94,6 +96,9 @@ make install DESTDIR=%{buildroot}
 %postun -p /sbin/ldconfig
 
 %changelog
+* Tue Dec 01 2015 Jon Ciesla <limburgher@gmail.com> - 0.17.1-2
+- Patch for CVE-2015-8366 and CVE-2015-8367, BZ 1287057.
+
 * Sun Nov 29 2015 Jon Ciesla <limburgher@gmail.com> - 0.17.1-1
 - 0.17.1.