[SCM] libkdcraw packaging branch, master, updated. debian/4.10.5-1-2-g2dc2efe

Lisandro Damián Nicanor Pérez lisandro at alioth.debian.org
Tue Oct 1 17:36:49 UTC 2013


Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-sc/libkdcraw.git;a=commitdiff;h=2dc2efe

The following commit has been merged in the master branch:
commit 2dc2efe7e011fb2ed49f80e295360c46dcbfd349
Author: Lisandro Damián Nicanor Pérez Meyer <perezmeyer at gmail.com>
Date:   Tue Oct 1 14:36:09 2013 -0300

    Add libkdcraw_CVE-2013-143x.diff to fix multiple vulnerabilities
    
    (Closes: #721239, #721340).
    CVE-2013-1438.
    CVE-2013-1439.
---
 debian/changelog                            |    6 +
 debian/patches/libkdcraw_CVE-2013-143x.diff |  210 +++++++++++++++++++++++++++
 debian/patches/series                       |    1 +
 3 files changed, 217 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 091f6d6..de34ae9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,11 @@
 libkdcraw (4:4.10.5-2) UNRELEASED; urgency=low
 
+  [ Lisandro Damián Nicanor Pérez Meyer ]
+  * Add libkdcraw_CVE-2013-143x.diff to fix multiple vulnerabilities
+    (Closes: #721239, #721340).
+    - CVE-2013-1438.
+    - CVE-2013-1439.
+
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Tue, 01 Oct 2013 14:30:05 -0300
 
 libkdcraw (4:4.10.5-1) unstable; urgency=low
diff --git a/debian/patches/libkdcraw_CVE-2013-143x.diff b/debian/patches/libkdcraw_CVE-2013-143x.diff
new file mode 100644
index 0000000..4ec04f7
--- /dev/null
+++ b/debian/patches/libkdcraw_CVE-2013-143x.diff
@@ -0,0 +1,210 @@
+Description: fix denial of service via crafted photo files
+Origin: backport, https://github.com/LibRaw/LibRaw/commit/c4e374ea6c979a7d1d968f5082b7d0ea8cd27202
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721338
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721239
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721340
+
+Index: libkdcraw-4.10.2/libraw/internal/dcraw_common.cpp
+===================================================================
+--- libkdcraw-4.10.2.orig/libraw/internal/dcraw_common.cpp	2013-10-01 01:33:56.779280640 -0400
++++ libkdcraw-4.10.2/libraw/internal/dcraw_common.cpp	2013-10-01 01:34:42.691282426 -0400
+@@ -606,7 +606,10 @@
+ int CLASS ljpeg_diff (ushort *huff)
+ {
+   int len, diff;
+-
++#ifdef LIBRAW_LIBRARY_BUILD
++  if(!huff)
++    throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+   len = gethuff(huff);
+   if (len == 16 && (!dng_version || dng_version >= 0x1010000))
+     return -32768;
+@@ -620,6 +623,8 @@
+ int CLASS ljpeg_diff_new (LibRaw_bit_buffer& bits, LibRaw_byte_buffer* buf,ushort *huff)
+ {
+   int len, diff;
++  if(!huff || !buf)
++    throw LIBRAW_EXCEPTION_IO_CORRUPT;
+ 
+   len = bits._gethuff_lj(buf,*huff,huff+1);
+   if (len == 16 && (!dng_version || dng_version >= 0x1010000))
+@@ -755,6 +760,10 @@
+ 
+ 
+   if (!ljpeg_start (&jh, 0)) return;
++#ifdef LIBRAW_LIBRARY_BUILD
++  if(jh.wide<1 || jh.high<1 || jh.clrs<1 || jh.bits <1)
++    throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+   jwide = jh.wide * jh.clrs;
+ 
+ #ifdef LIBRAW_LIBRARY_BUILD
+@@ -768,18 +777,25 @@
+       {
+           // not sliced
+           slicesW[slicesWcnt++] = raw_width; // safe fallback
++
++
+       }
+-       
+-  slices = slicesWcnt * jh.high;
+-  offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
+ 
+-  for(slice=0;slice<slices;slice++)
+-      {
+-          offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
+-          if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
+-              throw LIBRAW_EXCEPTION_IO_BADFILE; 
+-          t_y++;
+-          if(t_y == jh.high)
++   slices = slicesWcnt * jh.high;
++   if(!slices)
++     throw LIBRAW_EXCEPTION_IO_CORRUPT;
++   offset = (unsigned*)calloc(slices+1,sizeof(offset[0]));
++
++   for(slice=0;slice<slices;slice++)
++       {
++           offset[slice] = (t_x + t_y * raw_width)| (t_s<<28);
++           if((offset[slice] & 0x0fffffff) >= raw_width * raw_height)
++             {
++               free(offset);
++               throw LIBRAW_EXCEPTION_IO_BADFILE;
++             }
++           t_y++;
++           if(t_y == jh.high)
+               {
+                   t_y = 0;
+                   t_x += slicesW[t_s++];
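Review bot: The result of `calloc(slices+1,sizeof(offset[0]))` is written through by the `for` loop that follows without a NULL test, and `slices` is derived from `jh.high`, which comes from the file. An allocation failure therefore becomes a NULL-pointer write rather than a clean error. Adding `if(!offset) throw LIBRAW_EXCEPTION_ALLOC;` directly after the `calloc` would fit the free-before-throw handling this hunk already introduces. The loop body continues past the end of the hunk.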
+@@ -830,12 +846,28 @@
+               pixno++;
+               if (0 == --pixelsInSlice)
+                   {
++                    if(slice > slices)
++                      {
++                        free(offset);
++                        throw LIBRAW_EXCEPTION_IO_CORRUPT;
++                      }
+                       unsigned o = offset[slice++];
+                       pixno = o & 0x0fffffff;
+                       pixelsInSlice = slicesW[o>>28];
+                   }
+           }
+ #endif
++
++      if(row>raw_height)
++#ifdef LIBRAW_LIBRARY_BUILD
++      {
++        free(offset);
++        throw LIBRAW_EXCEPTION_IO_CORRUPT;
++      }
++#else
++        longjmp (failure, 3);
++#endif
++
+       if (raw_width == 3984 && (col -= 2) < 0)
+ 	col += (row--,raw_width);
+       if (row >= 0) RAW(row,col) = val;
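Review bot: The new `if(row>raw_height)` test still admits `row == raw_height`, and the unchanged write below it, `if (row >= 0) RAW(row,col) = val;`, has no upper bound of its own. The `raw_width == 3984` adjustment decrements `row` only when `col` goes negative, so in every other case a row index equal to `raw_height` reaches `RAW()`. Assuming `RAW` indexes a buffer of `raw_height` rows (its definition is not in the hunk), that is one row past the end. Bounding the write itself closes this without disturbing the 3984 case: `if ((unsigned) row < raw_height) RAW(row,col) = val;`. The enclosing function starts and ends outside the hunk.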
+@@ -5173,6 +5205,7 @@
+ 	  data_offset = get4()+base;
+ 	  ifd++;  break;
+ 	}
++        if(len > 1000) len=1000; /* 1000 SubIFDs is enough */
+ 	while (len--) {
+ 	  i = ftell(ifp);
+ 	  fseek (ifp, get4()+base, SEEK_SET);
+@@ -5386,7 +5419,7 @@
+ 	break;
+       case 50715:			/* BlackLevelDeltaH */
+       case 50716:			/* BlackLevelDeltaV */
+-	for (num=i=0; i < len; i++)
++	for (num=i=0; i < len && i < 65536; i++)
+ 	  num += getreal(type);
+ 	black += num/len + 0.5;
+ 	break;
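Review bot: Capping the loop at 65536 iterations leaves the divisor in `black += num/len + 0.5;` at the uncapped `len`, so a tag declaring more entries than the cap produces an average that is scaled down, and `len == 0` still reaches the division. Dividing by the count actually read fixes both: `if (i) black += num/i + 0.5;`. The types of `num`, `i` and `len` are declared outside the hunk, so whether the zero case is an integer trap or a NaN/inf conversion cannot be told from here.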
+@@ -5519,9 +5552,12 @@
+   if (thumb_offset) {
+     fseek (ifp, thumb_offset, SEEK_SET);
+     if (ljpeg_start (&jh, 1)) {
+-      thumb_misc   = jh.bits;
+-      thumb_width  = jh.wide;
+-      thumb_height = jh.high;
++      if((unsigned)jh.bits<17 && (unsigned)jh.wide < 0x10000 && (unsigned)jh.high < 0x10000)
++        {
++          thumb_misc   = jh.bits;
++          thumb_width  = jh.wide;
++          thumb_height = jh.high;
++        }
+     }
+   }
+   for (i=0; i < tiff_nifds; i++) {
+@@ -5529,7 +5565,8 @@
+ 	max_samp = tiff_ifd[i].samples;
+     if (max_samp > 3) max_samp = 3;
+     if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
+-	(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++        unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++        (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
+ 	tiff_ifd[i].t_width*tiff_ifd[i].t_height > raw_width*raw_height) {
+       raw_width     = tiff_ifd[i].t_width;
+       raw_height    = tiff_ifd[i].t_height;
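Review bot: The added `< 0x10000` bound lets both dimensions be 0xFFFF, and the product `tiff_ifd[i].t_width*tiff_ifd[i].t_height` on the following context line can then exceed INT_MAX. If those fields are plain `int` (their declaration is outside the hunk), that is signed overflow. Multiplying in unsigned arithmetic, `(unsigned)tiff_ifd[i].t_width*tiff_ifd[i].t_height > (unsigned)raw_width*raw_height`, keeps the comparison defined for every value the new checks let through. The same product appears in the thumbnail-selection loop changed in the next hunk of this file.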
+@@ -5606,17 +5643,19 @@
+ 	  !strstr(model2,"DEBUG RAW")))
+       is_raw = 0;
+   for (i=0; i < tiff_nifds; i++)
+-    if (i != raw && tiff_ifd[i].samples == max_samp &&
+-	tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
+-	      thumb_width *       thumb_height / SQR(thumb_misc+1)
+-	&& tiff_ifd[i].comp != 34892) {
+-      thumb_width  = tiff_ifd[i].t_width;
+-      thumb_height = tiff_ifd[i].t_height;
+-      thumb_offset = tiff_ifd[i].offset;
+-      thumb_length = tiff_ifd[i].bytes;
+-      thumb_misc   = tiff_ifd[i].bps;
+-      thm = i;
+-    }
++     if (i != raw && tiff_ifd[i].samples == max_samp &&
++         tiff_ifd[i].bps>0 && tiff_ifd[i].bps < 33 &&
++         unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
++         tiff_ifd[i].t_width * tiff_ifd[i].t_height / SQR(tiff_ifd[i].bps+1) >
++         thumb_width *       thumb_height / SQR(thumb_misc+1)
++         && tiff_ifd[i].comp != 34892) {
++       thumb_width  = tiff_ifd[i].t_width;
++       thumb_height = tiff_ifd[i].t_height;
++       thumb_offset = tiff_ifd[i].offset;
++       thumb_length = tiff_ifd[i].bytes;
++       thumb_misc   = tiff_ifd[i].bps;
++       thm = i;
++     }
+   if (thm >= 0) {
+     thumb_misc |= tiff_ifd[thm].samples << 5;
+     switch (tiff_ifd[thm].comp) {
+Index: libkdcraw-4.10.2/libraw/src/libraw_datastream.cpp
+===================================================================
+--- libkdcraw-4.10.2.orig/libraw/src/libraw_datastream.cpp	2013-10-01 01:33:56.779280640 -0400
++++ libkdcraw-4.10.2/libraw/src/libraw_datastream.cpp	2013-10-01 01:33:56.763280640 -0400
+@@ -44,7 +44,12 @@
+ 
+ LibRaw_byte_buffer *LibRaw_abstract_datastream::make_byte_buffer(unsigned int sz)
+ {
++  if(sz> 2u * 1024u * 1024u * 1024u) // 2GB is enough
++      throw LIBRAW_EXCEPTION_ALLOC;
++
+     LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(sz);
++    if(!ret) // failed new should throw std::exception
++      throw LIBRAW_EXCEPTION_ALLOC;
+     read(ret->get_buffer(),sz,1);
+     return ret;
+ }
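Review bot: The `if(!ret)` test after `new LibRaw_byte_buffer(sz)` can never fire, as its own comment concedes: a plain `new` reports failure by throwing `std::bad_alloc`, so callers see that exception rather than `LIBRAW_EXCEPTION_ALLOC`. Either allocate with `new (std::nothrow) LibRaw_byte_buffer(sz)` so the null test is meaningful, or catch `std::bad_alloc` and rethrow the LibRaw code. The same dead check is added to `LibRaw_buffer_datastream::make_byte_buffer` in the following hunk. Separately, the return value of `read(ret->get_buffer(),sz,1)` is ignored, so a file shorter than the declared `sz` (now allowed up to 2 GB) hands back a buffer that is only partly filled.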
+@@ -416,7 +421,10 @@
+ 
+ LibRaw_byte_buffer *LibRaw_buffer_datastream::make_byte_buffer(unsigned int sz)
+ {
++
+     LibRaw_byte_buffer *ret = new LibRaw_byte_buffer(0);
++    if(!ret) // failed new should throw std::exception
++      throw LIBRAW_EXCEPTION_ALLOC;
+     if(streampos + sz > streamsize)
+         sz = streamsize - streampos;
+     ret->set_buffer(buf+streampos,sz);
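Review bot: The clamp `if(streampos + sz > streamsize)` that guards `set_buffer` relies on the sum not wrapping and on `streampos` never exceeding `streamsize`; neither is checked here, and the member types are declared outside the hunk. If they are 32-bit unsigned, a large `sz` can wrap the sum below `streamsize`, and the unclamped size then goes to `ret->set_buffer(buf+streampos,sz)`. Comparing against the remaining length avoids the addition: `if(streampos > streamsize) throw LIBRAW_EXCEPTION_IO_CORRUPT;` followed by `if(sz > streamsize - streampos) sz = streamsize - streampos;`. The function body continues past the end of the hunk.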
diff --git a/debian/patches/series b/debian/patches/series
index 9240677..36590c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 libkdcraw_CVE-2013-2126.diff
 libkdcraw_CVE-2013-2127.diff
+libkdcraw_CVE-2013-143x.diff

-- 
libkdcraw packaging


