Bug#838882: jessie-pu: package darktable/1.4.2-1+b3

2016-10-03 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-10-01 at 18:17 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-09-25 at 22:01 -0300, David Bremner wrote:
> > This update would fix CVE-2015-3885 / #786792 in stable.  The CVE has
> > previously been classified as not severe enough for a DSA.
> 
> +The fix is not tested.
> 
> is so inspiring.
> 
> Please go ahead, heeding lintian's advice.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#838882: jessie-pu: package darktable/1.4.2-1+b3

2016-10-01 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-09-25 at 22:01 -0300, David Bremner wrote:
> This update would fix CVE-2015-3885 / #786792 in stable.  The CVE has
> previously been classified as not severe enough for a DSA.

+The fix is not tested.

is so inspiring.

Please go ahead, heeding lintian's advice.

Regards,

Adam



Bug#838882: jessie-pu: package darktable/1.4.2-1+b3

2016-09-25 Thread David Bremner
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This update would fix CVE-2015-3885 / #786792 in stable.  The CVE has
previously been classified as not severe enough for a DSA.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru darktable-1.4.2/debian/changelog darktable-1.4.2/debian/changelog
--- darktable-1.4.2/debian/changelog	2014-05-04 00:43:43.0 -0300
+++ darktable-1.4.2/debian/changelog	2016-09-25 21:51:51.0 -0300
@@ -1,3 +1,10 @@
+darktable (1.4.2-1+deb8u1) stable; urgency=medium
+
+  * Cherry pick upstream commit 0f809ca5048. Fix for CVE-2015-3885
+(Closes #786792)
+
+ -- David Bremner   Sun, 25 Sep 2016 21:49:23 -0300
+
 darktable (1.4.2-1) unstable; urgency=medium
 
   * New upstream release.
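Review bot: the changelog line `(Closes #786792)` is missing the colon after `Closes`, so dpkg's changelog parser will not record the bug as closed by this upload (this is what lintian's possible-missing-colon-in-closes warning is about); write `(Closes: #786792)` so #786792 is closed automatically when the update is accepted.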
diff -Nru darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch
--- darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch	1969-12-31 20:00:00.0 -0400
+++ darktable-1.4.2/debian/patches/0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch	2016-09-25 21:52:29.0 -0300
@@ -0,0 +1,40 @@
+From b2c17dd163bea76f4817ad726a1e874206969dc1 Mon Sep 17 00:00:00 2001
+From: Roman Lebedev 
+Date: Fri, 22 May 2015 13:18:48 +0300
+Subject: [PATCH] LibRaw: address CVE-2015-3885: fix integer overflow in
+ ljpeg_start()
+
+The fix is not tested.
+Based on ufraw.
+
+(cherry picked from commit 0f809ca5048c71080437da543aefbfde65ebf10a)
+---
+ src/external/LibRaw/internal/dcraw_common.cpp | 8 +---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/external/LibRaw/internal/dcraw_common.cpp b/src/external/LibRaw/internal/dcraw_common.cpp
+index 948ef3f..982ecd7 100644
+--- a/src/external/LibRaw/internal/dcraw_common.cpp
 b/src/external/LibRaw/internal/dcraw_common.cpp
+@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
+ 
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x1];
+   const uchar *dp;
+ 
+@@ -641,8 +642,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+   do {
+ fread (data, 2, 2, ifp);
+ tag =  data[0] << 8 | data[1];
+-len = (data[2] << 8 | data[3]) - 2;
+-if (tag <= 0xff00) return 0;
++len = (data[2] << 8 | data[3]);
++if (tag <= 0xff00 || len <= 2) return 0;
++len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+   case 0xffc3:
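Review bot: the new guard `if (tag <= 0xff00 || len <= 2) return 0;` also rejects a segment whose 16-bit length field is exactly 2 (an empty payload), which the old code accepted with `len == 0`; since the patch header itself says "The fix is not tested", state in the description whether rejecting that case is intended, or relax the check to `len < 2`. The core of the change is sound: with `ushort len` and `len -= 2` moved after the check, the subtraction can no longer go negative and turn the following `fread (data, 1, len, ifp)` into a huge read past `data`. Also confirm that the nested `+++ b/src/external/LibRaw/internal/dcraw_common.cpp` header line survived in the exported patch file, as it appears here without its leading `+`; quilt will fail to apply the patch if that line is actually missing.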
diff -Nru darktable-1.4.2/debian/patches/series darktable-1.4.2/debian/patches/series
--- darktable-1.4.2/debian/patches/series	1969-12-31 20:00:00.0 -0400
+++ darktable-1.4.2/debian/patches/series	2016-09-25 21:52:29.0 -0300
@@ -0,0 +1,2 @@
+# exported from git by git-debcherry
+0001-LibRaw-address-CVE-2015-3885-fix-integer-overflow-in.patch