6 changed files with 126 additions and 9 deletions
--- a/.dcraw.metadata
+++ b/.dcraw.metadata
@ -1 +1 @@
-d9fd2ee5596a02d3dff792dd377a32b768752a4d SOURCES/dcraw-9.27.0.tar.gz
+321662c99c0201f4886b61817cdedfc850cc7b3b SOURCES/dcraw-9.28.0.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/dcraw-9.27.0.tar.gz
+SOURCES/dcraw-9.28.0.tar.gz
--- a/SOURCES/dcraw-CVE-2017-13735.patch
+++ b/SOURCES/dcraw-CVE-2017-13735.patch
@ -0,0 +1,14 @@
+diff -urNp old/dcraw.c new/dcraw.c
+--- old/dcraw.c	2018-07-11 10:33:06.280425391 +0200
+++ new/dcraw.c	2018-07-11 10:45:52.722922118 +0200
+@@ -2250,6 +2250,10 @@ void CLASS kodak_radc_load_raw()
+     ((short *)buf)[i] = 2048;
+   for (row=0; row < height; row+=4) {
+     FORC3 mul[c] = getbits(6);
+#ifdef LIBRAW_LIBRARY_BUILD
+    if(!mul[0] || !mul[1] || !mul[2])
+      throw LIBRAW_EXCEPTION_IO_CORRUPT;
+#endif
+     FORC3 {
+       val = ((0x1000000/last[c] + 0x7ff) >> 12) * mul[c];
+       s = val > 65564 ? 10:12;
--- a/SOURCES/dcraw-CVE-2017-14608.patch
+++ b/SOURCES/dcraw-CVE-2017-14608.patch
@ -0,0 +1,21 @@
+diff -urNp old/dcraw.c new/dcraw.c
+--- old/dcraw.c	2018-07-11 10:53:51.141803505 +0200
+++ new/dcraw.c	2018-07-11 11:30:08.850528389 +0200
+@@ -2627,8 +2627,15 @@ void CLASS kodak_65000_load_raw()
+       len = MIN (256, width-col);
+       ret = kodak_65000_decode (buf, len);
+       for (i=0; i < len; i++)
+-	if ((RAW(row,col+i) =	curve[ret ? buf[i] :
+-		(pred[i & 1] += buf[i])]) >> 12) derror();
+	{
+	int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
+	if(idx >=0 && idx <= 0xffff)
+	 {
+	   if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
+         }
+	 else
+	   derror();
+      }	
+     }
+ }
+ 
--- a/SOURCES/dcraw-CVE-2018-19655.patch
+++ b/SOURCES/dcraw-CVE-2018-19655.patch
@ -0,0 +1,39 @@
+Author: Filip Hroch <hroch@physics.muni.cz>
+Description: stack-based buffer overflow bug
+--- a/dcraw.c
+++ b/dcraw.c
+@@ -8345,9 +8345,15 @@
+ {
+   UINT64 bitbuf=0;
+   int vbits, col, i, c;
+-  ushort img[2][2064];
+  ushort *img;
+   double sum[]={0,0};
+ 
+#define IMG2D(row,col) \
+  img[(row)*width+(col)]
+
+  img = (ushort *) malloc(2*width*sizeof(ushort));
+  merror (img, "find_green()");
+
+   FORC(2) {
+     fseek (ifp, c ? off1:off0, SEEK_SET);
+     for (vbits=col=0; col < width; col++) {
+@@ -8356,13 +8362,14 @@
+ 	for (i=0; i < bite; i+=8)
+ 	  bitbuf |= (unsigned) (fgetc(ifp) << i);
+       }
+-      img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
+      IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
+     }
+   }
+   FORC(width-1) {
+-    sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
+-    sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
+    sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
+    sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
+   }
+  free(img);
+   return 100 * log(sum[0]/sum[1]);
+ }
+ 
--- a/SPECS/dcraw.spec
+++ b/SPECS/dcraw.spec
@ -1,12 +1,15 @@
 Summary: Tool for decoding raw image data from digital cameras
 Name: dcraw
-Version: 9.27.0
-Release: 9%{?dist}
+Version: 9.28.0
+Release: 13%{?dist}
 License: GPLv2+
-URL: http://cybercom.net/~dcoffin/dcraw
-Source0: http://cybercom.net/~dcoffin/dcraw/archive/dcraw-%{version}.tar.gz
+URL: http://www.dechifro.org/dcraw/
+Source0: http://www.dechifro.org/dcraw/archive/dcraw-%{version}.tar.gz
 Patch0: dcraw-9.21-lcms2-error-reporting.patch
 Patch1: dcraw-CVE-2018-5801.patch
+Patch2: dcraw-CVE-2017-13735.patch
+Patch3: dcraw-CVE-2017-14608.patch
+Patch4: dcraw-CVE-2018-19655.patch
 BuildRequires: gcc
 BuildRequires: gettext
 BuildRequires: libjpeg-devel
@ -22,7 +25,8 @@ downloaded from digital cameras.
 %autosetup -n dcraw

 %build
-gcc %optflags $RPM_LD_FLAGS \
+%{__cc} %optflags $RPM_LD_FLAGS \
+    -Wl,--no-as-needed \
    -lm -ljpeg -llcms2 -ljasper \
    -DLOCALEDIR="\"%{_datadir}/locale\"" \
    -o dcraw dcraw.c
@ -65,8 +69,47 @@ done
 %{_mandir}/man1/*

 %changelog
-* Thu Jul 14 2018 Josef Ridky <jridky@redhat.com> - 9.27.0-9
- Fix CVE-2018-5801 (#1557165) and CVE-2018-5802 (#1557184)
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 9.28.0-13
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 9.28.0-12
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Mar 20 2020 Josef Ridky <jridky@redhat.com> - 9.28.0-9
+- Fix CVE-2018-19655
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 14 2020 Tom Stellard <tstellar@redhat.com> - 9.28.0-7
+- Use __cc macro instead of hard-coding gcc
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Josef Ridky <jridky@redhat.com> - 9.28.0-5
+- set new upstream url
+
+* Thu Feb 21 2019 Josef Ridky <jridky@redhat.com> - 9.28.0-4
+- Fix CVE-2017-13735 (#1488932)
+- Fix CVE-2017-14608 (#1499687)
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 9.28.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 14 2018 Josef Ridky <jridky@redhat.com> - 9.28.0-1
+- New upstream release 9.28.0 (#1585348)
+- Fix CVE-2018-5801 (#1557160)

 * Fri Feb 23 2018 Florian Weimer <fweimer@redhat.com> - 9.27.0-8
 - Use LDFLAGS from redhat-rpm-config