commit: 35c276a51e96fd25c976d70a762e76dd2e048331 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Sun Sep 15 23:34:26 2019 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Sun Sep 15 23:46:26 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35c276a5
media-gfx/ufraw: Fix CVE-2015-8366 and CVE-2018-19655 Thanks to openSUSE for the patches. Package-Manager: Portage-2.3.76, Repoman-2.3.17 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> .../ufraw/files/ufraw-0.22-CVE-2015-8366.patch | 17 +++++++++ .../ufraw/files/ufraw-0.22-CVE-2018-19655.patch | 44 ++++++++++++++++++++++ media-gfx/ufraw/ufraw-0.22-r3.ebuild | 2 + 3 files changed, 63 insertions(+) diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch new file mode 100644 index 00000000000..9d59ca413fb --- /dev/null +++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch @@ -0,0 +1,17 @@ +Fix a buffer overflow bug. See +https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 + +--- a/dcraw.cc ++++ b/dcraw.cc +@@ -3013,7 +3013,10 @@ + diff = diff ? -diff : 0x80; + if (ftell(ifp) + 12 >= (int) seg[1][1]) + diff = 0; +- raw_image[pix] = pred[pix & 1] += diff; ++ if(pix>=raw_width*raw_height) ++ derror(); ++ else ++ raw_image[pix] = pred[pix & 1] += diff; + if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; + } + maximum = 0xff; diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch new file mode 100644 index 00000000000..78b46b4452e --- /dev/null +++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch @@ -0,0 +1,44 @@ +Description: stack-based buffer overflow bug +Bug-Debian: https://bugs.debian.org/890086 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19655 +Author: Filip Hroch <hr...@physics.muni.cz> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2018-12-02 + +--- a/dcraw.cc ++++ b/dcraw.cc +@@ -8505,9 +8505,15 @@ float CLASS find_green (int bps, int bit + { + UINT64 bitbuf=0; + int vbits, col, i, c; +- ushort img[2][2064]; ++ ushort *img; + double sum[]={0,0}; + ++#define IMG2D(row,col) \ ++ img[(row)*width+(col)] ++ ++ img = (ushort *) malloc(2*width*sizeof(ushort)); ++ merror (img, "find_green()"); ++ + FORC(2) { + fseek (ifp, c ? off1:off0, SEEK_SET); + for (vbits=col=0; col < width; col++) { +@@ -8516,13 +8522,14 @@ float CLASS find_green (int bps, int bit + for (i=0; i < bite; i+=8) + bitbuf |= (unsigned) (fgetc(ifp) << i); + } +- img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); ++ IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps); + } + } + FORC(width-1) { +- sum[ c & 1] += ABS(img[0][c]-img[1][c+1]); +- sum[~c & 1] += ABS(img[1][c]-img[0][c+1]); ++ sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1)); ++ sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1)); + } ++ free(img); + return 100 * log(sum[0]/sum[1]); + } + diff --git a/media-gfx/ufraw/ufraw-0.22-r3.ebuild b/media-gfx/ufraw/ufraw-0.22-r3.ebuild index b43d97d6022..f3126840467 100644 --- a/media-gfx/ufraw/ufraw-0.22-r3.ebuild +++ b/media-gfx/ufraw/ufraw-0.22-r3.ebuild @@ -44,6 +44,8 @@ PATCHES=( "${FILESDIR}"/${P}-jpeg9.patch "${FILESDIR}"/${P}-exiv2-0.27.patch "${FILESDIR}"/${P}-gcc9.patch + "${FILESDIR}"/${P}-CVE-2015-8366.patch + "${FILESDIR}"/${P}-CVE-2018-19655.patch ) src_prepare() {
