diff --git a/0.20.2.tar.gz b/0.20.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..92ad1f64f3fa12faa0368094433a4b1eca6b66a8
Binary files /dev/null and b/0.20.2.tar.gz differ
diff --git a/CVE-2018-20337.patch b/CVE-2018-20337.patch
deleted file mode 100644
index 8c5754687f4194d1f09beae9005f447e9da7467d..0000000000000000000000000000000000000000
--- a/CVE-2018-20337.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From fbf60377c006eaea8d3eca3f5e4c654909dcdfd2 Mon Sep 17 00:00:00 2001
-From: Alex Tutubalin
-Date: Wed, 19 Dec 2018 11:15:08 +0300
-Subject: [PATCH] possible buffer overrun in Fuji makernotes parser
-
----
- internal/dcraw_common.cpp | 2 +-
-
-diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
-index 936aebf9..a0cd7226 100644
---- a/internal/dcraw_common.cpp
-+++ b/internal/dcraw_common.cpp
-@@ -10345,7 +10345,7 @@ void CLASS parse_makernote(int base, int uptag)
- else
- year += 1900;
-
-- ynum_len = (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18;
-+ ynum_len = MIN((sizeof(ynum)-1), (int)strnlen(words[i], sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) - 18);
- strncpy(ynum, words[i], ynum_len);
- ynum[ynum_len] = 0;
- for (int j = 0; ynum[j] && ynum[j + 1] && sscanf(ynum + j, "%2x", &c); j += 2)
diff --git a/CVE-2018-20363.patch b/CVE-2018-20363.patch
deleted file mode 100644
index c5e55d1c9ccef07f2447efa85c8f017a25d2e090..0000000000000000000000000000000000000000
--- a/CVE-2018-20363.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 7e29b9f29449fde30cc878fbb137d61c14bba3a4 Mon Sep 17 00:00:00 2001
-From: Alex Tutubalin
-Date: Wed, 19 Dec 2018 14:17:51 +0300
-Subject: [PATCH] Possible write to NULL at raw2image
-
----
- src/libraw_cxx.cpp | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
-index 1a8a2f25..074d81a4 100644
---- a/src/libraw_cxx.cpp
-+++ b/src/libraw_cxx.cpp
-@@ -3346,7 +3346,7 @@ int LibRaw::raw2image(void)
- {
- raw2image_start();
-
-- if (is_phaseone_compressed())
-+ if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
- {
- phase_one_allocate_tempbuffer();
- int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
-@@ -3374,7 +3374,7 @@ int LibRaw::raw2image(void)
- get_decoder_info(&decoder_info);
-
- // Move saved bitmap to imgdata.image
-- if (imgdata.idata.filters || P1.colors == 1)
-+ if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
- {
- if (IO.fuji_width)
- {
diff --git a/CVE-2018-20364.patch b/CVE-2018-20364.patch
deleted file mode 100644
index 689b944a53560f0b4077e3053352ba751603bfe7..0000000000000000000000000000000000000000
--- a/CVE-2018-20364.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7903346bfd5f8c24e5bfd4df48f0e5cd1e7b65cb Mon Sep 17 00:00:00 2001
-From: Alex Tutubalin
-Date: Fri, 21 Dec 2018 09:37:05 +0300
-Subject: [PATCH] check for raw_image presence in raw2image_ex
-
----
- src/libraw_cxx.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
-index 074d81a4..43aed1cc 100644
---- a/src/libraw_cxx.cpp
-+++ b/src/libraw_cxx.cpp
-@@ -3374,7 +3374,8 @@ int LibRaw::raw2image(void)
- get_decoder_info(&decoder_info);
-
- // Move saved bitmap to imgdata.image
-- if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
-+ if ((imgdata.idata.filters || P1.colors == 1)
-+ && imgdata.rawdata.raw_image)
- {
- if (IO.fuji_width)
- {
-@@ -3638,7 +3639,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
- raw2image_start();
-
- // Compressed P1 files with bl data!
-- if (is_phaseone_compressed())
-+ if (is_phaseone_compressed() && imgdata.rawdata.raw_image)
- {
- phase_one_allocate_tempbuffer();
- int rc = phase_one_subtract_black((ushort *)imgdata.rawdata.raw_alloc, imgdata.rawdata.raw_image);
-@@ -3745,7 +3746,7 @@ int LibRaw::raw2image_ex(int do_subtract_black)
- }
-
- // Move saved bitmap to imgdata.image
-- if (imgdata.idata.filters || P1.colors == 1)
-+ if ((imgdata.idata.filters || P1.colors == 1) && imgdata.rawdata.raw_image)
- {
- if (IO.fuji_width)
- {
diff --git a/CVE-2018-20365.patch b/CVE-2018-20365.patch
deleted file mode 100644
index cbe1985db063eb5f638a3ac16a63424d9ac0bdf6..0000000000000000000000000000000000000000
--- a/CVE-2018-20365.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 561ec9a7fb5ec694104a22b7b6cd820bfa449784 Mon Sep 17 00:00:00 2001
-From: Alex Tutubalin
-Date: Thu, 10 Jan 2019 09:22:39 +0300
-Subject: [PATCH] Sinar 4shot: zero filters for multi-shot images
-
----
- internal/dcraw_common.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
-index 29cc72f..1ca70cf 100644
---- a/internal/dcraw_common.cpp
-+++ b/internal/dcraw_common.cpp
-@@ -18969,10 +18969,15 @@ void CLASS identify()
- {
- if (!load_raw)
- load_raw = &CLASS unpacked_load_raw;
-- if (is_raw > 1 && !shot_select && !half_size)
-+ if (is_raw > 1 && !shot_select)
- filters = 0;
- maximum = 0x3fff;
- }
-+ else if(load_raw == &LibRaw::sinar_4shot_load_raw)
-+ {
-+ if (is_raw > 1 && !shot_select)
-+ filters = 0;
-+ }
- else if (!strncmp(make, "Leaf", 4))
- {
- maximum = 0x3fff;
---
-2.23.0
-
diff --git a/LibRaw-0.17.1-CVE-2015-8366-8367.patch b/LibRaw-0.17.1-CVE-2015-8366-8367.patch
deleted file mode 100644
index b8848de0f59bd2f872dbb50aeec4117acf9b68e1..0000000000000000000000000000000000000000
--- a/LibRaw-0.17.1-CVE-2015-8366-8367.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -r -U3 LibRaw-0.17.1.orig/dcraw/dcraw.c LibRaw-0.17.1/dcraw/dcraw.c
---- LibRaw-0.17.1.orig/dcraw/dcraw.c 2015-05-24 21:30:26.000000000 -0500
-+++ LibRaw-0.17.1/dcraw/dcraw.c 2015-12-01 07:47:00.086513959 -0600
-@@ -2901,6 +2901,10 @@
- diff = diff ? -diff : 0x80;
- if (ftell(ifp) + 12 >= seg[1][1])
- diff = 0;
-+#ifdef LIBRAW_LIBRARY_BUILD
-+ if(pix>=raw_width*raw_height)
-+ throw LIBRAW_EXCEPTION_IO_CORRUPT;
-+#endif
- raw_image[pix] = pred[pix & 1] += diff;
- if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
- }
diff --git a/LibRaw-0.19.0.tar.gz b/LibRaw-0.19.0.tar.gz
deleted file mode 100644
index 4655fc41cd8ba2df9f3f30339044433f5d1a1349..0000000000000000000000000000000000000000
Binary files a/LibRaw-0.19.0.tar.gz and /dev/null differ
diff --git a/LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch b/LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
deleted file mode 100644
index eb07877a6926da6789ef8474fe39362969be8d37..0000000000000000000000000000000000000000
--- a/LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From e67a9862d10ebaa97712f532eca1eb5e2e410a22 Mon Sep 17 00:00:00 2001 -From: Alex Tutubalin -Date: Thu, 22 Nov 2018 16:24:54 +0300 -Subject: [PATCH] Fixed Secunia Advisory SA86384 - possible infinite loop - in unpacked_load_raw() - possible infinite loop in parse_rollei() - - possible infinite loop in parse_sinar_ia() - - Credits: Laurent Delosieres, Secunia Research at Flexera ---- - dcraw/dcraw.c | 4 +++- - internal/dcraw_common.cpp | 4 +++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c -index c71874c..a78e67a 100644 ---- a/dcraw/dcraw.c -+++ b/dcraw/dcraw.c -@@ -6592,7 +6592,7 @@ void CLASS parse_rollei() - fseek (ifp, 0, SEEK_SET); - memset (&t, 0, sizeof t); - do { -- fgets (line, 128, ifp); -+ if(!fgets(line, 128, ifp)) break; - if ((val = strchr(line,'='))) - *val++ = 0; - else -@@ -6630,6 +6630,7 @@ void CLASS parse_sinar_ia() - order = 0x4949; - fseek (ifp, 4, SEEK_SET); - entries = get4(); -+ if(entries < 1 || entries > 8192) return; - fseek (ifp, get4(), SEEK_SET); - while (entries--) { - off = get4(); get4(); -@@ -9621,6 +9622,7 @@ dng_skip: - } - if (!tiff_bps) tiff_bps = 12; - if (!maximum) maximum = (1 << tiff_bps) - 1; -+ if(maximum > 0xffff) maximum = 0xffff; - if (!load_raw || height < 22 || width < 22 || - tiff_bps > 16 || tiff_samples > 6 || colors > 4) - is_raw = 0; -diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp -index 29cc72f..a8a8e0f 100644 ---- a/internal/dcraw_common.cpp -+++ b/internal/dcraw_common.cpp -@@ -14851,7 +14851,7 @@ void CLASS parse_rollei() - memset(&t, 0, sizeof t); - do - { -- fgets(line, 128, ifp); -+ if(!fgets(line, 128, ifp)) break; - if ((val = strchr(line, '='))) - *val++ = 0; - else -@@ -14889,6 +14889,7 @@ void CLASS parse_sinar_ia() - order = 0x4949; - fseek(ifp, 4, SEEK_SET); - entries = get4(); -+ if(entries < 1 || entries > 8192) return; - fseek(ifp, get4(), SEEK_SET); - while (entries--) - { -@@ -19732,6 +19733,7 @@ 
dng_skip: - if (maximum < 0x10000 && curve[maximum] > 0 && load_raw == &CLASS sony_arw2_load_raw) - maximum = curve[maximum]; - } -+ if(maximum > 0xffff) maximum = 0xffff; - if (!load_raw || height < 22 || width < 22 || - #ifdef LIBRAW_LIBRARY_BUILD - (tiff_bps > 16 && load_raw != &LibRaw::deflate_dng_load_raw) --- -1.8.3.1 - diff --git a/LibRaw.spec b/LibRaw.spec index d82e81e8e9205a3324b38001559e9c618f4953a9..7a2fda8dfd82fec496861415be4e46a7064542ec 100644 --- a/LibRaw.spec +++ b/LibRaw.spec @@ -1,17 +1,13 @@ Name: LibRaw -Version: 0.19.0 -Release: 10 +Version: 0.20.2 +Release: 1 Summary: Library for reading RAW files obtained from digital photo cameras License: BSD and (CDDL or LGPLv2) URL: http://www.libraw.org -Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz -Patch0002: LibRaw-0.17.1-CVE-2015-8366-8367.patch -Patch6000: LibRaw-0.19.2-CVE-2018-5817,5818,5819.patch -Patch6001: CVE-2018-20337.patch -Patch6002: CVE-2018-20363.patch -Patch6003: CVE-2018-20364.patch -Patch6004: CVE-2018-20365.patch +Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz +Patch0000: prevent-buffer-overrun-in-parse_rollei.patch BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg) +BuildRequires: autoconf automake libtool Provides: bundled(dcraw) = 9.25 %description LibRaw is a library for reading RAW files from digital photo cameras (CRW/CR2, NEF, @@ -34,6 +30,7 @@ The LibRaw-devel package contains development and header files. %autosetup -n %{name}-%{version} -p1 %build +autoreconf -if %configure --enable-examples=yes --disable-jasper --enable-jpeg \ --enable-lcms --enable-openmp @@ -57,7 +54,7 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o %files %doc Changelog.txt %license LICENSE.CDDL LICENSE.LGPL COPYRIGHT -%{_libdir}/{libraw,libraw_r}.so.19* +%{_libdir}/{libraw,libraw_r}.so.20* %files devel %doc manual samples 
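Review bot: `Source0` in the first LibRaw.spec hunk now points at the tarball over plain `http://` and nothing in the spec pins the archive to a known digest, so anyone re-fetching the source from the spec URL gets no integrity guarantee; prefer `Source0: https://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz` and record the expected SHA-256 of `0.20.2.tar.gz` in a comment next to it. The same hunk drops `Patch0002` and `Patch6000`–`Patch6004`, which carried the fixes for CVE-2015-8366/8367, CVE-2018-5817/5818/5819 and CVE-2018-20337/20363/20364/20365. Presumably upstream 0.20.2 already contains them, but the changelog entry says only `update to 0.20.2 and fix stack buffer overflow in parse_rollei`, so it should state that each dropped fix was checked in the new tree. The patched code has also moved (the new patch touches `parse_rollei` in `src/metadata/misc_parsers.cpp` rather than `dcraw/dcraw.c` and `internal/dcraw_common.cpp`), so a name-based comparison against the old patches is not enough.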
@@ -69,6 +66,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o %exclude %{_docdir}/libraw/* %changelog +* Tue Dec 1 2020 zhanghua - 0.20.2-1 +- update to 0.20.2 and fix stack buffer overflow in parse_rollei + * Wed Sep 16 2020 zhanghua - 0.19.0-10 - Fix CVE-2018-20363, CVE-2018-20364, CVE-2018-20365 diff --git a/prevent-buffer-overrun-in-parse_rollei.patch b/prevent-buffer-overrun-in-parse_rollei.patch new file mode 100644 index 0000000000000000000000000000000000000000..93e00284de2959ded4d81b15305a28b16af64e55 --- /dev/null +++ b/prevent-buffer-overrun-in-parse_rollei.patch @@ -0,0 +1,21 @@ +From 539d07dcaa64aed706c5bb4ada7213e3e1cd07d6 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Mon, 30 Nov 2020 13:13:19 +0300 +Subject: [PATCH] prevent buffer overrun in parse_rollei + +--- + src/metadata/misc_parsers.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/metadata/misc_parsers.cpp b/src/metadata/misc_parsers.cpp +index 7a74c9f1..4e36e940 100644 +--- a/src/metadata/misc_parsers.cpp ++++ b/src/metadata/misc_parsers.cpp +@@ -304,6 +304,7 @@ void LibRaw::parse_rollei() + line[0] = 0; + if (!fgets(line, 128, ifp)) + break; ++ line[127] = 0; + if(!line[0]) break; // zero-length + if ((val = strchr(line, '='))) + *val++ = 0;
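Review bot: The added `line[127] = 0;` in prevent-buffer-overrun-in-parse_rollei.patch hard-codes an index that is only correct while `line` is declared with at least 128 bytes, and that declaration, like the rest of `parse_rollei`, is outside the hunk. If `line` is a local array, `line[sizeof(line) - 1] = 0;` together with `fgets(line, sizeof(line), ifp)` would keep the buffer size, read limit and terminator index from drifting apart. Standard `fgets` already NUL-terminates on success, so the extra store presumably exists because `fgets` here resolves to a LibRaw datastream method that may not; a one-line comment such as `// datastream gets() may leave the buffer unterminated` would stop a later cleanup from removing it. The spec changelog describes this as a stack buffer overflow fix, but neither the patch header nor the changelog cites an upstream issue or CVE id, which makes the fix hard to track.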