[LibRaw] Fix for double-free.

Jon Ciesla limb at fedoraproject.org
Fri May 31 10:45:07 UTC 2013


commit 6b9855473843312dc24fa49d051d520992002df5
Author: Jon Ciesla <limburgher at gmail.com>
Date:   Fri May 31 05:40:22 2013 -0500

    Fix for double-free.

 LibRaw-0.14.8-errorhandling.patch |   49 +++++++++++++++++++++++++++++++++++++
 LibRaw.spec                       |    7 ++++-
 2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/LibRaw-0.14.8-errorhandling.patch b/LibRaw-0.14.8-errorhandling.patch
new file mode 100644
index 0000000..b71a539
--- /dev/null
+++ b/LibRaw-0.14.8-errorhandling.patch
@@ -0,0 +1,49 @@
+diff -U3 -r LibRaw-0.14.8.orig/Changelog.rus LibRaw-0.14.8/Changelog.rus
+--- LibRaw-0.14.8.orig/Changelog.rus	2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/Changelog.rus	2013-05-31 05:31:45.970607271 -0500
+@@ -1,4 +1,8 @@
+-2013-05-21 Alex Tutubalin <lexa at lexa.ru>
++2013-05-31 Alex Tutubalin <lexa at lexa.ru>
++  * Исправлена ошибка при обработке поврежденных полноцветных
++    файлов (sRAW, Foveon)
++
++2013-05-21 Alex Tutubalin <lexa at lexa.ru>
+ 	* Исправлена ошибка в коде функции sony_decrypt(), приводившая 
+ 	  к неверному чтению камерного баланса белого на камерах Sony
+ 	  если LibRaw была собрана gcc 4.8
+diff -U3 -r LibRaw-0.14.8.orig/Changelog.txt LibRaw-0.14.8/Changelog.txt
+--- LibRaw-0.14.8.orig/Changelog.txt	2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/Changelog.txt	2013-05-31 05:31:45.970607271 -0500
+@@ -1,3 +1,7 @@
++2013-05-31 Alex Tutubalin <lexa at lexa.ru>
++  * Fixed double call to free() on broken legacy-layout images
++    (backport from 0.15.x)
++ 
+ 2013-05-21 Alex Tutubalin <lexa at lexa.ru>
+ 	* Fixed undefined behaviour in sony_decrypt() function.
+ 	  This bug causes incorrect camera WB read for Sony cameras.
+diff -U3 -r LibRaw-0.14.8.orig/src/libraw_cxx.cpp LibRaw-0.14.8/src/libraw_cxx.cpp
+--- LibRaw-0.14.8.orig/src/libraw_cxx.cpp	2013-05-17 14:54:17.000000000 -0500
++++ LibRaw-0.14.8/src/libraw_cxx.cpp	2013-05-31 05:31:51.402607149 -0500
+@@ -796,8 +796,8 @@
+                 S.iheight= S.height;
+                 IO.shrink = 0;
+                 // allocate image as temporary buffer, size 
+-                imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+-                imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
++                imgdata.rawdata.raw_alloc = 0;
++                imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));             
+             }
+ 
+ 
+@@ -807,8 +807,8 @@
+         // recover saved
+         if( decoder_info.decoder_flags & LIBRAW_DECODER_LEGACY)
+             {
+-                imgdata.image = 0; 
+-                imgdata.rawdata.color_image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
++                imgdata.rawdata.raw_alloc = imgdata.rawdata.color_image = imgdata.image;
++                imgdata.image = 0;  
+             }
+ 
+         // calculate channel maximum
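Review bot: In the nested libraw_cxx.cpp hunk at -796, the result of `calloc(S.iwidth*S.iheight,sizeof(*imgdata.image))` is stored in imgdata.image with no null check in the visible lines, and the product `S.iwidth*S.iheight` is evaluated before calloc's own overflow check can see it. If those dimensions come from the RAW file being parsed (not shown here), a corrupted file could trigger either case, so I would add `if (!imgdata.image) { /* report allocation failure via the library's existing error path */ }` directly after the assignment and widen the count to `(size_t)S.iwidth*S.iheight`. The ownership rule this fix relies on is also undocumented; a comment such as `// image owns the temporary buffer until decoding succeeds; raw_alloc stays 0 so the buffer has a single owner` above the `raw_alloc = 0` line would help keep the double free from being reintroduced. The enclosing function begins and ends outside both nested hunks, so an existing check further down cannot be ruled out.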
diff --git a/LibRaw.spec b/LibRaw.spec
index 5b44e52..c9af366 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -2,7 +2,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.14.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv3+
 Group: Development/Libraries
 URL: http://www.libraw.org
@@ -15,6 +15,7 @@ Source0: http://www.libraw.org/data/%{name}-%{version}.tar.gz
 Source1: http://www.libraw.org/data/%{name}-demosaic-pack-GPL2-%{version}.tar.gz
 Source2: http://www.libraw.org/data/%{name}-demosaic-pack-GPL3-%{version}.tar.gz
 #Patch0: LibRaw-0.14.7-segfault.patch
+Patch1: LibRaw-0.14.8-errorhandling.patch
 
 %description
 LibRaw is a library for reading RAW files obtained from digital photo
@@ -44,6 +45,7 @@ LibRaw static development libraries.
 %prep
 %setup -q -a1 -a2
 #%patch0 -p0
+%patch1 -p1
 
 %build
 %configure --enable-examples=no --enable-jasper --enable-lcms \
@@ -82,6 +84,9 @@ make install DESTDIR=%{buildroot}
 %postun -p /sbin/ldconfig
 
 %changelog
+* Wed May 29 2013 Jon Ciesla <limburgher at gmail.com> - 0.14.8-2
+- Patch for double free, CVE-2013-2126, BZ 968387.
+
 * Wed May 29 2013 Jon Ciesla <limburgher at gmail.com> - 0.14.8-1
 - Latest upstream, fixes gcc 4.8 issues.
 

