diff --git a/dcraw-9.25.0-CVE-2015-3885.patch b/dcraw-9.25.0-CVE-2015-3885.patch
new file mode 100644
index 0000000..502e69a
--- /dev/null
+++ b/dcraw-9.25.0-CVE-2015-3885.patch
@@ -0,0 +1,44 @@
+From 2142684a57224b0093d5cb29de0eed48b32e4452 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen
+Date: Tue, 19 May 2015 11:36:57 +0200
+Subject: [PATCH] CVE-2015-3885: avoid overflowing array
+
+When reading raw image files containing lossless JPEG data, headers
+could be manipulated to make the signed int variable 'len' negative
+which specifies how much actual data follows. Interpreted as unsigned,
+this could lead to reading file data past the 64k boundary of the array
+used for storing it. To avoid that, make 'len' unsigned short, and bail
+out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.c b/dcraw.c
+index cc7f764..532840d 100644
+--- a/dcraw.c
++++ b/dcraw.c
+@@ -824,7 +824,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+@@ -835,8 +836,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+
diff --git a/dcraw.spec b/dcraw.spec
index e5180f8..36cad37 100644
--- a/dcraw.spec
+++ b/dcraw.spec
@@ -8,6 +8,7 @@ URL: http://cybercom.net/~dcoffin/dcraw
 Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
 Patch0: dcraw-9.25.0-CVE-2013-1438.patch
 Patch1: dcraw-9.21-lcms2-error-reporting.patch
+Patch2: dcraw-9.25.0-CVE-2015-3885.patch
 BuildRequires: gettext
 BuildRequires: libjpeg-devel
 BuildRequires: lcms2-devel
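Review bot: Both `fread` calls in the second hunk of the embedded dcraw.c patch still ignore their return value, so on a truncated file `data` keeps whatever the previous iteration read and `tag`/`len` are parsed from stale bytes; the new `ushort len` does bound the second read to at most 65533 bytes inside the 0x10000 array, but a short read is never detected. Checking the counts, `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`, would make end-of-file terminate the marker loop instead of reprocessing old data. Note also that `len <= 2` now rejects a segment whose length field is exactly 2 (empty payload), which the old code treated as a zero-byte read; the commit message says a resulting length of 0 is intended to be invalid, so this is presumably deliberate, but it is a behaviour change worth a comment such as `/* length field includes its own 2 bytes; anything shorter, or an empty segment, is malformed */`. The do/while loop and the remainder of ljpeg_start continue past the end of the hunk, so the loop's exit condition is not visible here.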
@@ -22,6 +23,7 @@ downloaded from digital cameras.
 %setup -q -n dcraw
 %patch0 -p1 -b .CVE-2013-1438
 %patch1 -p1 -b .lcms2-error-reporting
+%patch2 -p1 -b .CVE-2015-3885
 
 %build
 gcc %optflags \
@@ -75,6 +77,8 @@ rm -rf %buildroot
 * Wed May 20 2015 Nils Philippsen - 9.25.0-1
 - version 9.25.0
 - remove unnecessary check from CVE-2013-1438 patch
+- avoid writing past array boundaries when reading certain raw formats
+ (CVE-2015-3885)
 
 * Wed Apr 08 2015 Nils Philippsen - 9.24.4-1
 - version 9.24.4