Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package dcraw for openSUSE:Factory checked
in at 2022-04-14 17:25:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dcraw (Old)
and /work/SRC/openSUSE:Factory/.dcraw.new.1941 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dcraw"
Thu Apr 14 17:25:04 2022 rev:39 rq:969894 version:9.28.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/dcraw/dcraw.changes 2020-08-28
21:20:59.092313241 +0200
+++ /work/SRC/openSUSE:Factory/.dcraw.new.1941/dcraw.changes 2022-04-14
17:25:38.547275801 +0200
@@ -1,0 +2,16 @@
+Tue Apr 12 11:30:56 UTC 2022 - Fridrich Strba <fst...@suse.com>
+
+- Added patches:
+ * iowrappers.patch
+ + Written wrappers of fread(),fwrite(),fseek() library functions
+ which check their return values. If an input/output failure is
+ detected, dcraw immediately exits with non-zero status and
+ prints a descriptive message (bsc#1097973, CVE-2018-5805;
+ bsc#1097974, CVE-2018-5806; bsc#1117622, CVE-2018-19565;
+ bsc#1117517, CVE-2018-19566; bsc#1117512, CVE-2018-19567;
+ bsc#1117436, CVE-2018-19568)
+ * dcraw-CVE-2021-3624.patch
+ + Bail out if integer overflow happened and the allocated buffer
+ would be too small (bsc#1189642, CVE-2021-3624)
+
+-------------------------------------------------------------------
@@ -15,6 +30,0 @@
-
--------------------------------------------------------------------
-Mon Jul 22 08:18:01 UTC 2019 - mvet...@suse.com
-
-- bsc#1142308: Drop dependency on libjasper
- Thus removing support for decoding RED camera movies
New:
----
dcraw-CVE-2021-3624.patch
iowrappers.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dcraw.spec ++++++
--- /var/tmp/diff_new_pack.24VTS2/_old 2022-04-14 17:25:39.075276418 +0200
+++ /var/tmp/diff_new_pack.24VTS2/_new 2022-04-14 17:25:39.079276423 +0200
@@ -1,7 +1,7 @@
#
# spec file for package dcraw
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -45,7 +45,10 @@
Patch3: dcraw-CVE-2018-19655.patch
# PATCH-FIX-UPSTREAM dcraw-CVE-2018-5801.patch
Patch4: dcraw-CVE-2018-5801.patch
+Patch5: iowrappers.patch
+Patch6: dcraw-CVE-2021-3624.patch
BuildRequires: gettext-runtime
+BuildRequires: libjasper-devel
BuildRequires: libjpeg-devel
BuildRequires: liblcms2-devel
Recommends: %{name}-lang = %{version}
@@ -63,6 +66,8 @@
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
%build
export CFLAGS="%{optflags} -fno-strict-aliasing -fstack-protector-all"
@@ -71,12 +76,12 @@
LDFLAGS=
OTHERFLAGS=
if test $file = dcraw.c ; then
- LDFLAGS="-lm -ljpeg -llcms2 -DLOCALEDIR=\""%{_datadir}/locale"\""
+ LDFLAGS="-lm -ljasper -ljpeg -llcms2 -DLOCALEDIR=\""%{_datadir}/locale"\""
fi
if test $file = fuji_green.c ; then
LDFLAGS="-lm"
fi
- gcc $CFLAGS $OTHERFLAGS -o ${file%.c} $file $LDFLAGS -DNO_JASPER
+ gcc $CFLAGS $OTHERFLAGS -o ${file%.c} $file $LDFLAGS
done
# Compile with -D_16BIT to rotate 48-bit PPM images
gcc $CFLAGS -D_16BIT -o fujiturn16 fujiturn.c
++++++ dcraw-CVE-2021-3624.patch ++++++
--- dcraw/dcraw.c 2022-04-12 14:29:23.791896447 +0200
+++ dcraw/dcraw.c 2022-04-12 14:59:50.767180929 +0200
@@ -3289,7 +3289,13 @@
}
} else if (type == 4) {
free (meta_data);
- meta_data = (char *) malloc (meta_length = wide*high*3/2);
+ meta_data = NULL;
+ meta_length = wide*high*3/2;
+ if (meta_length/wide != high*3/2) {
+ fprintf(stderr, "Potential buffer overflow (meta_length %u, wide %u,
high %u). Bailing out...\n", meta_length, wide, high);
+ longjmp(failure, 2);
+ }
+ meta_data = (char *) malloc (meta_length);
merror (meta_data, "foveon_load_camf()");
foveon_huff (huff);
get4();
++++++ iowrappers.patch ++++++
++++ 2637 lines (skipped)
