version 9.27.0
parent
f444fd52a8
commit
44446103e6
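--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ dcraw-9.04.tar.gz
 /dcraw-9.23.0.tar.gz
 /dcraw-9.24.4.tar.gz
 /dcraw-9.25.0.tar.gz
+/dcraw-9.27.0.tar.gz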
@ -1,101 +0,0 @@
|
|||||||
From 16a638f66b5a6d5c6e83e817db58a92cfe9f62b6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nils Philippsen <nils@redhat.com>
|
|
||||||
Date: Tue, 19 May 2015 14:58:47 +0200
|
|
||||||
Subject: [PATCH] CVE-2013-1438: fix various security issues
|
|
||||||
|
|
||||||
This fixes division by zero, infinite loop, and null pointer dereference
|
|
||||||
bugs. Ported from Alex Tutubalin's fix in LibRaw (commit
|
|
||||||
9ae25d8c3a6bfb40c582538193264f74c9b93bc0).
|
|
||||||
|
|
||||||
Don't check 'huff' at the beginning of ljpeg_diff() because it can never
|
|
||||||
be NULL the way it is called elsewhere in the program.
|
|
||||||
---
|
|
||||||
dcraw.c | 30 +++++++++++++++++++++---------
|
|
||||||
1 file changed, 21 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dcraw.c b/dcraw.c
|
|
||||||
index cc7f764..22e0bb5 100644
|
|
||||||
--- a/dcraw.c
|
|
||||||
+++ b/dcraw.c
|
|
||||||
@@ -939,6 +939,8 @@ void CLASS lossless_jpeg_load_raw()
|
|
||||||
ushort *rp;
|
|
||||||
|
|
||||||
if (!ljpeg_start (&jh, 0)) return;
|
|
||||||
+ if (jh.wide < 1 || jh.high < 1 || jh.clrs < 1 || jh.bits < 1)
|
|
||||||
+ longjmp (failure, 2);
|
|
||||||
jwide = jh.wide * jh.clrs;
|
|
||||||
|
|
||||||
for (jrow=0; jrow < jh.high; jrow++) {
|
|
||||||
@@ -958,6 +960,8 @@ void CLASS lossless_jpeg_load_raw()
|
|
||||||
}
|
|
||||||
if (raw_width == 3984 && (col -= 2) < 0)
|
|
||||||
col += (row--,raw_width);
|
|
||||||
+ if (row > raw_height)
|
|
||||||
+ longjmp (failure, 3);
|
|
||||||
if ((unsigned) row < raw_height) RAW(row,col) = val;
|
|
||||||
if (++col >= raw_width)
|
|
||||||
col = (row++,0);
|
|
||||||
@@ -5783,6 +5787,7 @@ int CLASS parse_tiff_ifd (int base)
|
|
||||||
data_offset = get4()+base;
|
|
||||||
ifd++; break;
|
|
||||||
}
|
|
||||||
+ if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
|
|
||||||
while (len--) {
|
|
||||||
i = ftell(ifp);
|
|
||||||
fseek (ifp, get4()+base, SEEK_SET);
|
|
||||||
@@ -6010,7 +6015,7 @@ guess_cfa_pc:
|
|
||||||
break;
|
|
||||||
case 50715: /* BlackLevelDeltaH */
|
|
||||||
case 50716: /* BlackLevelDeltaV */
|
|
||||||
- for (num=i=0; i < len; i++)
|
|
||||||
+ for (num=i=0; i < len && i < 65536; i++)
|
|
||||||
num += getreal(type);
|
|
||||||
black += num/len + 0.5;
|
|
||||||
break;
|
|
||||||
@@ -6135,9 +6140,13 @@ void CLASS apply_tiff()
|
|
||||||
if (thumb_offset) {
|
|
||||||
fseek (ifp, thumb_offset, SEEK_SET);
|
|
||||||
if (ljpeg_start (&jh, 1)) {
|
|
||||||
- thumb_misc = jh.bits;
|
|
||||||
- thumb_width = jh.wide;
|
|
||||||
- thumb_height = jh.high;
|
|
||||||
+ if ((unsigned)jh.bits < 17 && (unsigned)jh.wide < 0x10000 &&
|
|
||||||
+ (unsigned)jh.high < 0x10000)
|
|
||||||
+ {
|
|
||||||
+ thumb_misc = jh.bits;
|
|
||||||
+ thumb_width = jh.wide;
|
|
||||||
+ thumb_height = jh.high;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for (i=0; i < tiff_nifds; i++) {
|
|
||||||
@@ -6145,8 +6154,9 @@ void CLASS apply_tiff()
|
|
||||||
max_samp = tiff_ifd[i].samples;
|
|
||||||
if (max_samp > 3) max_samp = 3;
|
|
||||||
if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
|
|
||||||
- (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
|
|
||||||
- tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
|
|
||||||
+ (tiff_ifd[i].width | tiff_ifd[i].height) < 0x10000 &&
|
|
||||||
+ (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
|
|
||||||
+ tiff_ifd[i].width*tiff_ifd[i].height > raw_width*raw_height) {
|
|
||||||
raw_width = tiff_ifd[i].width;
|
|
||||||
raw_height = tiff_ifd[i].height;
|
|
||||||
tiff_bps = tiff_ifd[i].bps;
|
|
||||||
@@ -6240,9 +6250,11 @@ void CLASS apply_tiff()
|
|
||||||
is_raw = 0;
|
|
||||||
for (i=0; i < tiff_nifds; i++)
|
|
||||||
if (i != raw && tiff_ifd[i].samples == max_samp &&
|
|
||||||
- tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
|
|
||||||
- thumb_width * thumb_height / (SQR(thumb_misc)+1)
|
|
||||||
- && tiff_ifd[i].comp != 34892) {
|
|
||||||
+ tiff_ifd[i].bps > 0 && tiff_ifd[i].bps < 33 &&
|
|
||||||
+ ((unsigned)(tiff_ifd[i].width | tiff_ifd[i].height)) < 0x10000 &&
|
|
||||||
+ tiff_ifd[i].width * tiff_ifd[i].height / (SQR(tiff_ifd[i].bps)+1) >
|
|
||||||
+ thumb_width * thumb_height / (SQR(thumb_misc)+1)
|
|
||||||
+ && tiff_ifd[i].comp != 34892) {
|
|
||||||
thumb_width = tiff_ifd[i].width;
|
|
||||||
thumb_height = tiff_ifd[i].height;
|
|
||||||
thumb_offset = tiff_ifd[i].offset;
|
|
||||||
--
|
|
||||||
2.4.1
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nils Philippsen <nils@redhat.com>
|
|
||||||
Date: Tue, 19 May 2015 11:36:57 +0200
|
|
||||||
Subject: [PATCH] CVE-2015-3885: avoid overflowing array
|
|
||||||
|
|
||||||
When reading raw image files containing lossless JPEG data, headers
|
|
||||||
could be manipulated to make the signed int variable 'len' negative
|
|
||||||
which specifies how much actual data follows. Interpreted as unsigned,
|
|
||||||
this could lead to reading file data past the 64k boundary of the array
|
|
||||||
used for storing it. To avoid that, make 'len' unsigned short, and bail
|
|
||||||
out early if its value would become invalid (i.e. <= 0).
|
|
||||||
---
|
|
||||||
dcraw.c | 8 +++++---
|
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dcraw.c b/dcraw.c
|
|
||||||
index cc7f764..532840d 100644
|
|
||||||
--- a/dcraw.c
|
|
||||||
+++ b/dcraw.c
|
|
||||||
@@ -824,7 +824,8 @@ struct jhead {
|
|
||||||
|
|
||||||
int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
||||||
{
|
|
||||||
- int c, tag, len;
|
|
||||||
+ int c, tag;
|
|
||||||
+ ushort len;
|
|
||||||
uchar data[0x10000];
|
|
||||||
const uchar *dp;
|
|
||||||
|
|
||||||
@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
|
|
||||||
do {
|
|
||||||
fread (data, 2, 2, ifp);
|
|
||||||
tag = data[0] << 8 | data[1];
|
|
||||||
- len = (data[2] << 8 | data[3]) - 2;
|
|
||||||
- if (tag <= 0xff00) return 0;
|
|
||||||
+ len = (data[2] << 8 | data[3]);
|
|
||||||
+ if (tag <= 0xff00 || len <= 2) return 0;
|
|
||||||
+ len -= 2;
|
|
||||||
fread (data, 1, len, ifp);
|
|
||||||
switch (tag) {
|
|
||||||
case 0xffc3:
|
|
||||||
--
|
|
||||||
2.4.1
|
|
||||||
|
|
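--- a/dcraw.spec
+++ b/dcraw.spec
@@ -1,14 +1,12 @@
 Summary: Tool for decoding raw image data from digital cameras
 Name: dcraw
-Version: 9.25.0
-Release: 4%{?dist}
+Version: 9.27.0
+Release: 1%{?dist}
 Group: Applications/Multimedia
 License: GPLv2+
 URL: http://cybercom.net/~dcoffin/dcraw
 Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
-Patch0: dcraw-9.25.0-CVE-2013-1438.patch
-Patch1: dcraw-9.21-lcms2-error-reporting.patch
-Patch2: dcraw-9.25.0-CVE-2015-3885.patch
+Patch0: dcraw-9.21-lcms2-error-reporting.patch
 BuildRequires: gettext
 BuildRequires: libjpeg-devel
 BuildRequires: lcms2-devel
@@ -21,9 +19,7 @@ downloaded from digital cameras.
 
 %prep
 %setup -q -n dcraw
-%patch0 -p1 -b .CVE-2013-1438
-%patch1 -p1 -b .lcms2-error-reporting
-%patch2 -p1 -b .CVE-2015-3885
+%patch0 -p1 -b .lcms2-error-reporting
 
 %build
 gcc %optflags \
@@ -70,6 +66,9 @@ done
 %{_mandir}/man1/*
 
 %changelog
+* Thu Jun 09 2016 Nils Philippsen <nils@redhat.com> - 9.27.0
+- version 9.27.0
+
 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 9.25.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 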
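Review bot: The new `%changelog` entry in dcraw.spec says only `- version 9.27.0`, yet the same commit drops `Patch0: dcraw-9.25.0-CVE-2013-1438.patch` and `Patch2: dcraw-9.25.0-CVE-2015-3885.patch` together with their `%patch` lines. Nothing on this page shows that the 9.27.0 tarball already carries the checks those patches added (the `jh.wide`/`jh.high`/`jh.clrs`/`jh.bits` validation, the `len` cap in `parse_tiff_ifd`, the `ushort len` guard in `ljpeg_start`), so that should be confirmed against the new dcraw.c before the build ships. Once verified, record it in the changelog, e.g. `- drop CVE-2013-1438 and CVE-2015-3885 patches (fixed upstream)`, so the removal can be audited later. The entry header also ends in `- 9.27.0` where the earlier entry uses version-release (`9.25.0-4`); `- 9.27.0-1` would match `Release: 1%{?dist}`.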