version 9.27.0

This commit is contained in:
Nils Philippsen 2016-06-09 12:04:54 +02:00
parent f444fd52a8
commit 44446103e6
5 changed files with 9 additions and 154 deletions

1
.gitignore vendored
View File

@ -16,3 +16,4 @@ dcraw-9.04.tar.gz
/dcraw-9.23.0.tar.gz /dcraw-9.23.0.tar.gz
/dcraw-9.24.4.tar.gz /dcraw-9.24.4.tar.gz
/dcraw-9.25.0.tar.gz /dcraw-9.25.0.tar.gz
/dcraw-9.27.0.tar.gz

View File

@ -1,101 +0,0 @@
From 16a638f66b5a6d5c6e83e817db58a92cfe9f62b6 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 19 May 2015 14:58:47 +0200
Subject: [PATCH] CVE-2013-1438: fix various security issues
This fixes division by zero, infinite loop, and null pointer dereference
bugs. Ported from Alex Tutubalin's fix in LibRaw (commit
9ae25d8c3a6bfb40c582538193264f74c9b93bc0).
Don't check 'huff' at the beginning of ljpeg_diff() because it can never
be NULL the way it is called elsewhere in the program.
---
dcraw.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/dcraw.c b/dcraw.c
index cc7f764..22e0bb5 100644
--- a/dcraw.c
+++ b/dcraw.c
@@ -939,6 +939,8 @@ void CLASS lossless_jpeg_load_raw()
ushort *rp;
if (!ljpeg_start (&jh, 0)) return;
+ if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)
+ longjmp (failure, 2);
jwide = jh.wide * jh.clrs;
for (jrow=0; jrow < jh.high; jrow++) {
@@ -958,6 +960,8 @@ void CLASS lossless_jpeg_load_raw()
}
if (raw_width == 3984 && (col -= 2) < 0)
col += (row--,raw_width);
+ if (row > raw_height)
+ longjmp (failure, 3);
if ((unsigned) row < raw_height) RAW(row,col) = val;
if (++col >= raw_width)
col = (row++,0);
@@ -5783,6 +5787,7 @@ int CLASS parse_tiff_ifd (int base)
data_offset = get4()+base;
ifd++; break;
}
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
while (len--) {
i = ftell(ifp);
fseek (ifp, get4()+base, SEEK_SET);
@@ -6010,7 +6015,7 @@ guess_cfa_pc:
break;
case 50715: /* BlackLevelDeltaH */
case 50716: /* BlackLevelDeltaV */
- for (num=i=0; i < len; i++)
+ for (num=i=0; i < len && i < 65536; i++)
num += getreal(type);
black += num/len + 0.5;
break;
@@ -6135,9 +6140,13 @@ void CLASS apply_tiff()
if (thumb_offset) {
fseek (ifp, thumb_offset, SEEK_SET);
if (ljpeg_start (&jh, 1)) {
- thumb_misc = jh.bits;
- thumb_width = jh.wide;
- thumb_height = jh.high;
+ if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 &&
+ (unsigned)jh.high < 0x10000)
+ {
+ thumb_misc = jh.bits;
+ thumb_width = jh.wide;
+ thumb_height = jh.high;
+ }
}
}
for (i=0; i < tiff_nifds; i++) {
@@ -6145,8 +6154,9 @@ void CLASS apply_tiff()
max_samp = tiff_ifd[i].samples;
if (max_samp > 3) max_samp = 3;
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
- (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
- tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
+ (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
+ tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
raw_width = tiff_ifd[i].width;
raw_height = tiff_ifd[i].height;
tiff_bps = tiff_ifd[i].bps;
@@ -6240,9 +6250,11 @@ void CLASS apply_tiff()
is_raw = 0;
for (i=0; i < tiff_nifds; i++)
if (i != raw && tiff_ifd[i].samples == max_samp &&
- tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
- thumb_width * thumb_height / (SQR(thumb_misc)+1)
- && tiff_ifd[i].comp != 34892) {
+ tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 &&
+ ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 &&
+ tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
+ thumb_width * thumb_height / (SQR(thumb_misc)+1)
+ && tiff_ifd[i].comp != 34892) {
thumb_width = tiff_ifd[i].width;
thumb_height = tiff_ifd[i].height;
thumb_offset = tiff_ifd[i].offset;
--
2.4.1

View File

@ -1,44 +0,0 @@
From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 19 May 2015 11:36:57 +0200
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
When reading raw image files containing lossless JPEG data, headers
could be manipulated to make the signed int variable 'len' negative
which specifies how much actual data follows. Interpreted as unsigned,
this could lead to reading file data past the 64k boundary of the array
used for storing it. To avoid that, make 'len' unsigned short, and bail
out early if its value would become invalid (i.e. <= 0).
---
dcraw.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dcraw.c b/dcraw.c
index cc7f764..532840d 100644
--- a/dcraw.c
+++ b/dcraw.c
@@ -824,7 +824,8 @@ struct jhead {
int CLASS ljpeg_start (struct jhead *jh, int info_only)
{
- int c, tag, len;
+ int c, tag;
+ ushort len;
uchar data[0x10000];
const uchar *dp;
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
do {
fread (data, 2, 2, ifp);
tag = data[0] << 8 | data[1];
- len = (data[2] << 8 | data[3]) - 2;
- if (tag <= 0xff00) return 0;
+ len = (data[2] << 8 | data[3]);
+ if (tag <= 0xff00 || len <= 2) return 0;
+ len -= 2;
fread (data, 1, len, ifp);
switch (tag) {
case 0xffc3:
--
2.4.1

View File

@ -1,14 +1,12 @@
Summary: Tool for decoding raw image data from digital cameras Summary: Tool for decoding raw image data from digital cameras
Name: dcraw Name: dcraw
Version: 9.25.0 Version: 9.27.0
Release: 4%{?dist} Release: 1%{?dist}
Group: Applications/Multimedia Group: Applications/Multimedia
License: GPLv2+ License: GPLv2+
URL: http://cybercom.net/~dcoffin/dcraw URL: http://cybercom.net/~dcoffin/dcraw
Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
Patch0: dcraw-9.25.0-CVE-2013-1438.patch Patch0: dcraw-9.21-lcms2-error-reporting.patch
Patch1: dcraw-9.21-lcms2-error-reporting.patch
Patch2: dcraw-9.25.0-CVE-2015-3885.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
BuildRequires: lcms2-devel BuildRequires: lcms2-devel
@ -21,9 +19,7 @@ downloaded from digital cameras.
%prep %prep
%setup -q -n dcraw %setup -q -n dcraw
%patch0 -p1 -b .CVE-2013-1438 %patch0 -p1 -b .lcms2-error-reporting
%patch1 -p1 -b .lcms2-error-reporting
%patch2 -p1 -b .CVE-2015-3885
%build %build
gcc %optflags \ gcc %optflags \
@ -70,6 +66,9 @@ done
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Jun 09 2016 Nils Philippsen <nils@redhat.com> - 9.27.0
- version 9.27.0
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 9.25.0-4 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 9.25.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

View File

@ -1 +1 @@
92fdbd7fdc73fefd8baa9394be59898d dcraw-9.25.0.tar.gz 87ca3ec9d4e882f0d2250fed61b3326f dcraw-9.27.0.tar.gz