[libkdcraw/f19] - bz#970713, CVE-2013-2126, double-free flaw when handling damaged full-color in Foveon and sRAW f

Than Ngo than at fedoraproject.org
Mon Jul 15 13:14:50 UTC 2013


commit 7a4c94bbf0349798a855749c052c041e4b46af89
Author: Than Ngo <than at redhat.com>
Date:   Mon Jul 15 15:14:06 2013 +0200

    - bz#970713, CVE-2013-2126, double-free flaw when handling
      damaged full-color in Foveon and sRAW files

 libkdcraw-4.10.5-CVE-2013-2126.patch |   24 ++++++++++++++++++++++++
 libkdcraw.spec                       |   12 ++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
---
diff --git a/libkdcraw-4.10.5-CVE-2013-2126.patch b/libkdcraw-4.10.5-CVE-2013-2126.patch
new file mode 100644
index 0000000..221da0a
--- /dev/null
+++ b/libkdcraw-4.10.5-CVE-2013-2126.patch
@@ -0,0 +1,24 @@
+diff -up libkdcraw-4.10.5/libraw/src/libraw_cxx.cpp.CVE-2013-2126 libkdcraw-4.10.5/libraw/src/libraw_cxx.cpp
+--- libkdcraw-4.10.5/libraw/src/libraw_cxx.cpp.CVE-2013-2126	2013-07-15 14:39:22.000000000 +0200
++++ libkdcraw-4.10.5/libraw/src/libraw_cxx.cpp	2013-07-15 14:45:31.000000000 +0200
+@@ -1055,8 +1055,8 @@ int LibRaw::unpack(void)
+                 S.iheight= S.height;
+                 IO.shrink = 0;
+                 // allocate image as temporary buffer, size 
+-                imgdata.rawdata.raw_alloc = calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+-                imgdata.image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
++                imgdata.rawdata.raw_alloc = 0;
++                imgdata.image = (ushort (*)[4]) calloc(S.iwidth*S.iheight,sizeof(*imgdata.image));
+               }
+             ID.input->seek(libraw_internal_data.unpacker_data.data_offset, SEEK_SET);
+             (this->*load_raw)();
+@@ -1073,8 +1073,8 @@ int LibRaw::unpack(void)
+         // recover saved
+         if( decoder_info.decoder_flags & LIBRAW_DECODER_LEGACY)
+             {
++                imgdata.rawdata.raw_alloc = imgdata.rawdata.color_image = imgdata.image;
+                 imgdata.image = 0; 
+-                imgdata.rawdata.color_image = (ushort (*)[4]) imgdata.rawdata.raw_alloc;
+             }
+ 
+         // recover image sizes
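Review bot: The relocated `calloc()` in the first embedded hunk still has no null check before `(this->*load_raw)()` runs two lines later, so on allocation failure the legacy decoder is handed a null `imgdata.image`. The element count `S.iwidth*S.iheight` is also multiplied before it reaches calloc, so calloc's own overflow check never sees the two factors; if those fields are narrower than `size_t` (their declarations are outside the hunk), dimensions read from a damaged file could wrap the product. I would pass the factors separately and fail early: `imgdata.image = (ushort (*)[4]) calloc(S.iwidth, S.iheight*sizeof(*imgdata.image));` followed by `if (!imgdata.image) throw LIBRAW_EXCEPTION_ALLOC;`, assuming unpack() still catches LibRaw exceptions around this code. A comment such as `// raw_alloc stays 0 until load_raw returns, so imgdata.image is the only owner while the decoder runs` would record why the assignment order in both hunks matters. The body of unpack() starts and ends outside the hunk.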
diff --git a/libkdcraw.spec b/libkdcraw.spec
index 6d551a1..b49cec8 100644
--- a/libkdcraw.spec
+++ b/libkdcraw.spec
@@ -1,7 +1,7 @@
 Name:    libkdcraw
 Summary: A C++ interface around LibRaw library
 Version: 4.10.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 # libkdcraw is GPLv2+,
 # LibRaw(bundled) is LGPLv2
@@ -18,7 +18,8 @@ Source0: http://download.kde.org/%{stable}/%{version}/src/%{name}-%{version}.tar
 # fix libjpeg detection for libjpeg-turbo, hopefully upstreamable
 # (the hack to add jpeg_mem_src from RawSpeed to LibRaw might not be though)
 Patch50: libkdcraw-4.10.0-libjpeg-turbo.patch
-
+# upstream patches
+Patch100: libkdcraw-4.10.5-CVE-2013-2126.patch
 BuildRequires: kdelibs4-devel
 %if 0%{?fedora} > 17
 # libjpeg-turbo-1.2.90+ provides jpeg_mem_src
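Review bot: The `# upstream patches` comment above `Patch100` does not say which upstream LibRaw change the backport was taken from, which makes it hard to verify the bundled copy against upstream later. I would make it specific, e.g. `# CVE-2013-2126 (bz#970713): double-free in bundled LibRaw unpack(), backported from <upstream-commit-or-release>`, with the placeholder filled in by the packager. The same generic comment is repeated above `%patch100` in the %prep hunk.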
@@ -59,6 +60,9 @@ Requires: kdelibs4-devel
 %setup -q
 %patch50 -p1 -b .libjpeg-turbo
 
+# upstream patches
+%patch100 -p1 -b .CVE-2013-2126
+
 # copy/rename a few things for easier inclusion as %%doc
 cp -a libraw/README README.libraw
 cp -a libraw/COPYRIGHT COPYRIGHT.libraw
@@ -115,6 +119,10 @@ fi
 
 
 %changelog
+* Mon Jul 15 2013 Than Ngo <than at redhat.com> - 4.10.5-2
+- bz#970713, CVE-2013-2126, double-free flaw when handling
+  damaged full-color in Foveon and sRAW files
+
 * Sun Jun 30 2013 Than Ngo <than at redhat.com> - 4.10.5-1
 - 4.10.5
 

