1 |
commit: 35c276a51e96fd25c976d70a762e76dd2e048331 |
2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Sep 15 23:34:26 2019 +0000 |
4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Sep 15 23:46:26 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35c276a5 |
7 |
|
8 |
media-gfx/ufraw: Fix CVE-2015-8366 and CVE-2018-19655 |
9 |
|
10 |
Thanks to openSUSE for the patches. |
11 |
|
12 |
Package-Manager: Portage-2.3.76, Repoman-2.3.17 |
13 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
14 |
|
15 |
.../ufraw/files/ufraw-0.22-CVE-2015-8366.patch | 17 +++++++++ |
16 |
.../ufraw/files/ufraw-0.22-CVE-2018-19655.patch | 44 ++++++++++++++++++++++ |
17 |
media-gfx/ufraw/ufraw-0.22-r3.ebuild | 2 + |
18 |
3 files changed, 63 insertions(+) |
19 |
|
20 |
diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch |
21 |
new file mode 100644 |
22 |
index 00000000000..9d59ca413fb |
23 |
--- /dev/null |
24 |
+++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2015-8366.patch |
25 |
@@ -0,0 +1,17 @@ |
26 |
+Fix a buffer overflow bug. See |
27 |
+https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 |
28 |
+ |
29 |
+--- a/dcraw.cc |
30 |
++++ b/dcraw.cc |
31 |
+@@ -3013,7 +3013,10 @@ |
32 |
+ diff = diff ? -diff : 0x80; |
33 |
+ if (ftell(ifp) + 12 >= (int) seg[1][1]) |
34 |
+ diff = 0; |
35 |
+- raw_image[pix] = pred[pix & 1] += diff; |
36 |
++ if(pix>=raw_width*raw_height) |
37 |
++ derror(); |
38 |
++ else |
39 |
++ raw_image[pix] = pred[pix & 1] += diff; |
40 |
+ if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2; |
41 |
+ } |
42 |
+ maximum = 0xff; |
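Review bot: The new guard `if(pix>=raw_width*raw_height)` computes its bound in whatever type the two fields have. If they are 16-bit `ushort` values (their declarations are outside the hunk), the product is evaluated as a signed int and can overflow for extreme header dimensions, making the comparison unreliable; `if (pix >= (unsigned) raw_width * raw_height)` keeps it well defined. The out-of-range branch also only calls `derror()` and the loop carries on, so if `pix` only grows (the loop header is not visible here) every remaining iteration takes the error path, and stopping at the first out-of-range index would be cleaner. A short comment such as `/* malformed file guard: never write past raw_image */` would record why the check exists.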
43 |
|
44 |
diff --git a/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch |
45 |
new file mode 100644 |
46 |
index 00000000000..78b46b4452e |
47 |
--- /dev/null |
48 |
+++ b/media-gfx/ufraw/files/ufraw-0.22-CVE-2018-19655.patch |
49 |
@@ -0,0 +1,44 @@ |
50 |
+Description: stack-based buffer overflow bug |
51 |
+Bug-Debian: https://bugs.debian.org/890086 |
52 |
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19655 |
53 |
+Author: Filip Hroch <hroch@××××××××××××.cz> |
54 |
+Reviewed-by: Salvatore Bonaccorso <carnil@××××××.org> |
55 |
+Last-Update: 2018-12-02 |
56 |
+ |
57 |
+--- a/dcraw.cc |
58 |
++++ b/dcraw.cc |
59 |
+@@ -8505,9 +8505,15 @@ float CLASS find_green (int bps, int bit |
60 |
+ { |
61 |
+ UINT64 bitbuf=0; |
62 |
+ int vbits, col, i, c; |
63 |
+- ushort img[2][2064]; |
64 |
++ ushort *img; |
65 |
+ double sum[]={0,0}; |
66 |
+ |
67 |
++#define IMG2D(row,col) \ |
68 |
++ img[(row)*width+(col)] |
69 |
++ |
70 |
++ img = (ushort *) malloc(2*width*sizeof(ushort)); |
71 |
++ merror (img, "find_green()"); |
72 |
++ |
73 |
+ FORC(2) { |
74 |
+ fseek (ifp, c ? off1:off0, SEEK_SET); |
75 |
+ for (vbits=col=0; col < width; col++) { |
76 |
+@@ -8516,13 +8522,14 @@ float CLASS find_green (int bps, int bit |
77 |
+ for (i=0; i < bite; i+=8) |
78 |
+ bitbuf |= (unsigned) (fgetc(ifp) << i); |
79 |
+ } |
80 |
+- img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); |
81 |
++ IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps); |
82 |
+ } |
83 |
+ } |
84 |
+ FORC(width-1) { |
85 |
+- sum[ c & 1] += ABS(img[0][c]-img[1][c+1]); |
86 |
+- sum[~c & 1] += ABS(img[1][c]-img[0][c+1]); |
87 |
++ sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1)); |
88 |
++ sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1)); |
89 |
+ } |
90 |
++ free(img); |
91 |
+ return 100 * log(sum[0]/sum[1]); |
92 |
+ } |
93 |
+ |
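Review bot: `IMG2D` is defined inside find_green() and never undefined, so the macro stays visible for the rest of dcraw.cc after the function ends; adding `#undef IMG2D` right after `free(img);` would keep it local. The macro also depends silently on the `width` in scope at each use, which deserves a one-line comment such as `/* img holds two rows of width samples, row-major: index row*width+col */`. The allocation size `2*width*sizeof(ushort)` is not checked for overflow; that is harmless if `width` is a 16-bit field, but its declaration is outside the hunk, so it is worth confirming. The function signature is cut off in the hunk header, and part of the read loop lies between the two inner hunks.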
94 |
|
95 |
diff --git a/media-gfx/ufraw/ufraw-0.22-r3.ebuild b/media-gfx/ufraw/ufraw-0.22-r3.ebuild |
96 |
index b43d97d6022..f3126840467 100644 |
97 |
--- a/media-gfx/ufraw/ufraw-0.22-r3.ebuild |
98 |
+++ b/media-gfx/ufraw/ufraw-0.22-r3.ebuild |
99 |
@@ -44,6 +44,8 @@ PATCHES=( |
100 |
"${FILESDIR}"/${P}-jpeg9.patch |
101 |
"${FILESDIR}"/${P}-exiv2-0.27.patch |
102 |
"${FILESDIR}"/${P}-gcc9.patch |
103 |
+ "${FILESDIR}"/${P}-CVE-2015-8366.patch |
104 |
+ "${FILESDIR}"/${P}-CVE-2018-19655.patch |
105 |
) |
106 |
|
107 |
src_prepare() { |
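Review bot: Both CVE patches are appended to `PATCHES` in the existing ufraw-0.22-r3.ebuild, and the diffstat shows no new revision, so a system that already built r3 would not be offered a rebuild and could keep running the unpatched dcraw.cc code. If r3 had already reached users before this commit, the fixes should ship under a bumped revision instead. If r3 was added only moments earlier, the in-place edit is fine, but the hunk cannot show which is the case. The PATCHES array opens above the hunk and src_prepare() continues past it.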