Bug#788242: wheezy-pu: package rawtherapee/4.0.9-4

Tue, 09 Jun 2015 10:54:52 -0700 

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

rawtherapee is affected by the security issue CVE-2015-3885. It's marked no-dsa
that's why I want to coordinate the update with you.

I attached the debdiff.

Best,
Philip

diff -Nru rawtherapee-4.0.9/debian/changelog rawtherapee-4.0.9/debian/changelog
--- rawtherapee-4.0.9/debian/changelog	2012-11-19 21:11:56.000000000 +0100
+++ rawtherapee-4.0.9/debian/changelog	2015-05-16 19:12:58.000000000 +0200
@@ -1,3 +1,10 @@
+rawtherapee (4.0.9-4+deb7u1) wheezy-security; urgency=high
+
+  * Add patch debian/patches/04-fix_CVE-2015-3885.patch:
+    - Fix dcraw imput sanitization errors (CVE-2015-3885)
+
+ -- Philip Rinn <ri...@inventati.org>  Thu, 15 May 2015 19:12:20 +0200
+
 rawtherapee (4.0.9-4) unstable; urgency=low
 
   * Fix RC bug that corrupts EXIF data in some cases (closes: #693736):
diff -Nru rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch
--- rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch	1970-01-01 01:00:00.000000000 +0100
+++ rawtherapee-4.0.9/debian/patches/04-fix_CVE-2015-3885.patch	2015-05-16 19:20:36.000000000 +0200
@@ -0,0 +1,24 @@
+--- a/rtengine/dcraw.c
++++ b/rtengine/dcraw.c
+@@ -787,7 +787,8 @@
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
+--- a/rtengine/dcraw.cc
++++ b/rtengine/dcraw.cc
+@@ -798,7 +798,8 @@
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+ 
diff -Nru rawtherapee-4.0.9/debian/patches/series rawtherapee-4.0.9/debian/patches/series
--- rawtherapee-4.0.9/debian/patches/series	2012-11-19 19:37:03.000000000 +0100
+++ rawtherapee-4.0.9/debian/patches/series	2015-05-14 18:06:49.000000000 +0200
@@ -1,3 +1,4 @@
 01-AboutThisBuild.patch
 02-fix_color_artifacts.patch
 03-fix_exif_corruption.patch
+04-fix_CVE-2015-3885.patch

Reply via email to